I have people trying to use password generators to log in to my machine. I have 200 megs of logfiles of nothing but failed attempts to log in. Here are a few of them:
Code:
Mar 20 00:15:30 LPSServer3 sshd[10843]: Invalid user httpd from 86.55.5.250
Mar 20 00:15:32 LPSServer3 sshd[10843]: Failed password for invalid user httpd from 86.55.5.250 port 57508 ssh2
Mar 20 00:15:35 LPSServer3 sshd[10855]: Invalid user httpd from 86.55.5.250
Mar 20 00:15:37 LPSServer3 sshd[10855]: Failed password for invalid user http57 LPSServer3 sshd[10905]: Failed password for invalid user shop from 86.55.5.250 port 35966 ssh2
Mar 20 00:16:01 LPSServer3 sshd[10925]: Invalid user sales from 86.55.5.250
Mar 20 00:16:03 LPSServer3 sshd[10925]: Failed password for invalid user sales from 86.55.5.250 port 38060 ssh2
Mar 20 00:16:08 LPSServer3 sshd[10941]: Invalid user sales from 86.55.5.250
Mar 20 00:16:10 LPSServer3 sshd[10941]: Failed password for invalid user sales from 86.55.5.250 port 40607 ssh2
Mar 20 00:16:13 LPSServer3 sshd[10956]: Invalid user sales from 86.55.5.250
Mar 20 00:16:15 LPSServer3 sshd[10956]: Failed password for invalid user sales from 86.55.5.250 port 42955 ssh2
Mar 20 00:16:41 LPSServer3 sshd[11033]: Invalid user web from 86.55.5.250
Mar 20 00:16:44 LPSServer3 sshd[11033]: Failed password for invalid user web from 86.55.5.250 port 54214 ssh2
Mar 20 00:16:47 LPSServer3 sshd[11047]: Invalid user web from 86.55.5.250
Mar 20 00:16:50 LPSServer3 sshd[11047]: Failed password for invalid user web from 86.55.5.250 port 55936 ssh2
Mar 20 00:16:53 LPSServer3 sshd[11063]: Invalid user web2 from 86.55.5.250
Mar 20 00:16:55 LPSServer3 sshd[11063]: Failed password for invalid user web2 from 86.55.5.250 port 58408 ssh2
Mar 20 00:16:57 LPSServer3 sshd[11076]: Invalid user transfer from 86.55.5.250
Mar 20 00:17:00 LPSServer3 sshd[11076]: Failed password for invalid user transfer from 86.55.5.250 port 60362 ssh2
Mar 20 00:17:02 LPSServer3 sshd[11089]: Invalid user transfer from 86.55.5.250
Mar 20 00:17:04 LPSServer3 sshd[11089]: Failed password for invalid user transfer from 86.55.5.250 port 34136 ssh2
Mar 20 00:17:12 LPSServer3 sshd[11104]: Invalid user invite from 86.55.5.250
Mar 20 00:17:15 LPSServer3 sshd[11104]: Failed password for invalid user invite from 86.55.5.250 port 35971 ssh2
Is there a way to detect that this is a hack attempt and stop it in its tracks before it continues on like it is? I'm running game servers on this box and all these constant failed attempts are causing a little bit of lag for me. Is there a way to detect the IP and ban it, like after 5 failed attempts? I have it set to 3 failed in the sshd config, but is that only for failed attempts on one user, right? And does it block that IP or that user? I'm new to Linux and the whole firewall thing. This box is hosted, so all I have is SSH and FTP and of course Webmin. I looked through all the websites listed in that security forum posted by unspawn but I couldn't find anything that made sense to me. If someone could point me to a good website with easy instructions or to a website with software to monitor it, I would appreciate it so much. Thank you in advance for anyone willing to help me on this.
My Box
Fedora Core 4
3800+ 64bit
thanks in advance
Josh
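
Added example, not part of the original post: a sketch of the "ban the IP after 5 failed attempts" check the post asks about, run over log lines in the format shown above. The function names `offenders` and `ban_rules`, the 10-minute window, and the use of iptables as the firewall are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is attacker-controlled and may itself contain " from 1.2.3.4",
# so only the final "from IP port N ssh2" at the end of the line is trusted.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+ ssh2$")

def offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return source IPs with >= max_failures failed logins inside `window`."""
    recent, flagged = defaultdict(deque), []   # ip -> recent failure times
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))  # reject non-IP text
        except ValueError:
            continue
        # syslog timestamps carry no year; a fixed leap year is assumed here
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged.append(ip)
    return flagged

def ban_rules(ips):
    """iptables commands (assumed firewall) that drop SSH traffic from each IP."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

# 86.55.5.250 lines are copied from the post; the last two lines are constructed.
SAMPLE = """\
Mar 20 00:15:32 LPSServer3 sshd[10843]: Failed password for invalid user httpd from 86.55.5.250 port 57508 ssh2
Mar 20 00:16:03 LPSServer3 sshd[10925]: Failed password for invalid user sales from 86.55.5.250 port 38060 ssh2
Mar 20 00:16:08 LPSServer3 sshd[10941]: Invalid user sales from 86.55.5.250
Mar 20 00:16:10 LPSServer3 sshd[10941]: Failed password for invalid user sales from 86.55.5.250 port 40607 ssh2
Mar 20 00:16:15 LPSServer3 sshd[10956]: Failed password for invalid user sales from 86.55.5.250 port 42955 ssh2
Mar 20 00:16:44 LPSServer3 sshd[11033]: Failed password for invalid user web from 86.55.5.250 port 54214 ssh2
Mar 20 00:17:30 LPSServer3 sshd[11200]: Failed password for root from 192.0.2.10 port 40000 ssh2
Mar 20 00:17:40 LPSServer3 sshd[11201]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 203.0.113.7 port 40001 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(ban_rules(offenders(SAMPLE))))
```

The last sample line shows why the pattern is anchored to the end of the line: a login name containing " from 192.0.2.10 port 1 ssh2" would otherwise get an innocent address counted and banned.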