LinuxQuestions.org
Old 01-24-2009, 11:38 AM   #1
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Rep: Reputation: 18
Someone is trying to hack me!


Hello.

I am running a squid server at home and I was looking at my /var/log/auth.log file and found a lot of failed authentications. I noticed someone was running a program against my server trying to log in with different usernames:

Jan 20 11:17:41 debian-router sshd[5287]: Failed password for invalid user nagios from 118.143.232.21 port 43688 ssh2
Jan 20 11:17:46 debian-router sshd[5289]: Invalid user oracle from 118.143.232.21
Jan 20 11:17:46 debian-router sshd[5289]: reverse mapping checking getaddrinfo for d1-21-232-143-118-on-nets.com failed - POSSIBLE BREAK-IN ATTEMPT!


Jan 20 15:51:43 debian-router sshd[6090]: Failed password for invalid user scanner from 81.23.114.14 port 55133 ssh2
Jan 20 15:51:45 debian-router sshd[6092]: Invalid user work from 81.23.114.14


Jan 20 15:51:22 debian-router sshd[6080]: Failed password for invalid user music from 81.23.114.14 port 53957 ssh2
Jan 20 15:51:24 debian-router sshd[6082]: Invalid user test from 81.23.114.14


There are thousands of these.

What step should I take next to prevent this?

Thanks in advance for your help.
 
Old 01-24-2009, 11:41 AM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
Quote:
What step should I take next to prevent this
disable ssh
Let sshd listen on another port (2222)
another option is to use
fail2ban
this will block the IP after x invalid attempts.
 
Old 01-24-2009, 11:45 AM   #3
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Original Poster
Rep: Reputation: 18
I did just that; I have sshd listen on a different port. Let's see how that works. I will check fail2ban.

Thanks.
 
Old 01-24-2009, 11:52 AM   #4
arizonagroovejet
Senior Member
 
Registered: Jun 2005
Location: England
Distribution: openSUSE, Fedora, CentOS
Posts: 1,094

Rep: Reputation: 198
Quote:
Originally Posted by landysaccount
What step should I take next to prevent this.
Look at the back of your computer and you'll find a cable which connects it to the Internet. Unplug that cable! Seriously, that's the only way you'll stop it. This is just script kiddie stuff, looking for usernames that may exist on your system and may have weak passwords. Like that user nagios, nagios is some network monitoring software and I'm guessing there may be a default account it sets up with the username nagios.

What you can do is put stuff in place to minimize the risk of someone getting in. Some such measures are:

- Use strong passwords. No dictionary words (happiness - the feeling someone got recently after running a brute force dictionary attack on a Twitter account - Google for more info.)

- Disable root logins via ssh if you haven't already.

- If it's feasible, restrict where you accept ssh connections from. Do you need to be able to login via ssh from anywhere in the world, or just from other machines on your home network?

- Make your ssh daemon listen on a different port other than 22.

- Increase the delay after a failed login attempt until another login attempt can be made.
 
Old 01-24-2009, 11:46 PM   #5
geek745
Member
 
Registered: Jul 2004
Location: Alton, IL
Distribution: Linux Mint; Slackware; Ubuntu; Slax
Posts: 172
Blog Entries: 2

Rep: Reputation: 34
All of the above are great suggestions. I would also suggest only allowing key logins, no passwords. I had the same problem with my pet server that I left at the office with an outside line for a couple of weeks.
 
Old 01-25-2009, 01:51 AM   #6
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
If ssh logins are strictly only from within the local network, you could also firewall off your SSH port to non-internal IPs.
 
Old 01-25-2009, 04:09 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
For a complete roundup of options please also see http://www.linuxquestions.org/questi...tempts-340366/.
 
Old 01-25-2009, 01:53 PM   #8
pwalden
Member
 
Registered: Jun 2003
Location: Washington
Distribution: Raspbian, Ubuntu, Chrome/Crouton
Posts: 374

Rep: Reputation: 50
I use denyhosts. It automatically adds the hack source to hosts.deny after 4 failed login attempts. Works great. I get about 5 different source attempts per day. Just too many Windows zombies out there.
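The per-source counting that fail2ban (post #2) and denyhosts (this post) do over auth.log, as an added example that is not from the thread: it parses constructed sshd lines in the same format as the OP's (addresses from the RFC 5737 documentation ranges, made-up times) and reports any source that reaches maxretry failed passwords inside a sliding findtime window, with a threshold of 4 like the denyhosts setup above.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample, same format as the OP's /var/log/auth.log lines;
# addresses are from the RFC 5737 documentation ranges, times are made up.
SAMPLE_AUTH_LOG = """\
Jan 20 11:17:41 debian-router sshd[5287]: Failed password for invalid user nagios from 192.0.2.10 port 43688 ssh2
Jan 20 11:17:46 debian-router sshd[5289]: Invalid user oracle from 192.0.2.10
Jan 20 11:17:50 debian-router sshd[5289]: Failed password for invalid user oracle from 192.0.2.10 port 43690 ssh2
Jan 20 11:17:55 debian-router sshd[5291]: Failed password for invalid user test from 192.0.2.10 port 43692 ssh2
Jan 20 11:18:01 debian-router sshd[5293]: Failed password for invalid user admin from 192.0.2.10 port 43694 ssh2
Jan 20 15:51:43 debian-router sshd[6090]: Failed password for invalid user scanner from 198.51.100.7 port 55133 ssh2
Jan 20 16:30:00 debian-router sshd[6100]: Failed password for landy from 203.0.113.5 port 50002 ssh2
Jan 20 16:30:20 debian-router sshd[6100]: Accepted publickey for landy from 203.0.113.5 port 50002 ssh2
"""
# One "Failed password" line per attempt; the "Invalid user" line sshd logs
# just before it belongs to the same attempt, so counting both would double count.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log_text, year=2009):
    """Yield (timestamp, user, source_ip) for every failed password line.
    Syslog stamps carry no year, so one is assumed (the thread's, 2009)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())   # collapse "Jan  5" day padding
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def failures_per_source(log_text):
    """Total failed passwords per source address (what the OP eyeballed)."""
    return Counter(ip for _, _, ip in parse_failures(log_text))

def find_brute_forcers(log_text, maxretry=4, findtime=600):
    """{source_ip: time the ban would start} for sources reaching maxretry failures
    inside a sliding findtime-second window (names follow fail2ban's settings)."""
    window = defaultdict(deque)
    banned = {}
    for ts, _user, ip in parse_failures(log_text):
        hits = window[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()                 # age out attempts older than the window
        if len(hits) >= maxretry:
            banned.setdefault(ip, ts)      # keep the moment the threshold was first crossed
    return banned
```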
 
Old 01-25-2009, 02:40 PM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Moved: This thread is more suitable in <SECURITY> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 01-26-2009, 08:43 AM   #10
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Original Poster
Rep: Reputation: 18
I changed the sshd port to 2222 and disabled root logins. After changing the port, I haven't had any weird login attempt.
 
Old 01-26-2009, 08:45 AM   #11
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote:
Originally Posted by landysaccount
Hello.

I am running a squid server at home and I was looking at ...<SNIP>...
There are thousands of these.

What step should I take next to prevent this?

Thanks in advance for your help.
I added a simple iptables rule to my machine to block the brute force attacks. It took them from about 125k/day to about 100/day.

Code:
# NEW connections to port 22: if this source already has 3 hits within the last 60 s, refresh its entry and drop
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name SSHATTEMPTS --rsource -j DROP
# otherwise record the hit for this source and let the packet continue down the chain
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSHATTEMPTS --rsource
Basically if someone hits ssh 3 times in 60 seconds it blocks them until there are at least 60 seconds of quiet time from their address. It's quickly become one of my favorite iptables rules.

In addition, changing the port, disabling root logins, port knocking, and using key auth instead of password auth will all make you more secure.

Last edited by rweaver; 01-26-2009 at 08:46 AM.
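The behaviour of those two rules walked through in code, as an added example that is not from the post: a small Python model of the xt_recent --update/--set semantics (my own simplification, not kernel code) fed a constructed timeline of NEW connections from one source, showing that a source which keeps retrying keeps itself blocked and only gets back in after the old hits age out of the window.

```python
from collections import defaultdict

class RecentSshLimiter:
    """Model of the two iptables rules above (assumption: a simplified
    reading of the xt_recent match as documented; this is not the kernel
    module and ignores its bounded per-address stamp ring)."""

    def __init__(self, seconds=60, hitcount=3):
        self.seconds = seconds
        self.hitcount = hitcount
        # src -> times of NEW connections; xt_recent keeps a bounded ring per
        # address (module option ip_pkt_list_tot, default 20), we keep them all
        self.stamps = defaultdict(list)

    def new_connection(self, src, now):
        """Verdict for a NEW TCP connection to port 22 from src at `now` seconds."""
        stamps = self.stamps[src]
        # rule 1 (--update --seconds 60 --hitcount 3): count this source's
        # stamps still inside the window.  The check runs before this packet's
        # own stamp exists, so with --hitcount 3 the first three connections
        # in a minute pass and the fourth is the one that gets dropped.
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        # On a match --update records a fresh stamp and the packet is dropped;
        # otherwise rule 2 (--set) records the stamp and the packet carries on
        # down the chain.  Either way every attempt adds a stamp, so a source
        # that keeps retrying keeps its own block alive.
        stamps.append(now)
        return "DROP" if hits >= self.hitcount else "ACCEPT"

def verdicts_for(times, src="198.51.100.7", **limits):
    """Run one source's connection times (seconds) through a fresh limiter."""
    lim = RecentSshLimiter(**limits)
    return [lim.new_connection(src, t) for t in times]

if __name__ == "__main__":
    # constructed timeline: a scanner retrying every 10-20 s, then 70 s of quiet
    print(verdicts_for([0, 10, 20, 30, 50, 70, 140]))
```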
 
Old 01-26-2009, 02:40 PM   #12
baig
Member
 
Registered: Nov 2008
Location: Hunza Valley
Distribution: Solaris 5.10, Debian Server 5.2, CentOS 5.6
Posts: 226
Blog Entries: 3

Rep: Reputation: 38
Hello,

If you are that much worried about wrong password attempts.. Why don't you configure your ssh server for RSA public key authentication.. ?

One of the best solutions

Disable PasswordAuthentication=no
Enable PublicKeyAuthentication=yes

Change your ssh default port from 22 to xxxxx

Disable root login..


I think this is the best solution for not finding "failed login attempt" in /var/log/secure, because it will never ask someone for password.

I have already written a blog for this purpose.. consult my 2nd blog for that if you see it worth seeing..

Cheers!!
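The settings from this post and from arizonagroovejet's list (#4) turned into a check, as an added example that is not from the thread: a small Python audit of an sshd_config that flags the weak values. The actual keyword is PubkeyAuthentication, and ChallengeResponseAuthentication is checked as well because keyboard-interactive can still prompt for a password when PasswordAuthentication is off; both config texts are constructed for the example.

```python
import re
# Constructed configs for the example (not from the thread or any real host)
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
# keyword (lowercase) -> (value wanted, why any other value is a problem)
WANTED = {
    "permitrootlogin": ("no", "root can be brute forced directly"),
    "passwordauthentication": ("no", "password guessing stays possible"),
    "pubkeyauthentication": ("yes", "key logins are switched off"),
    "challengeresponseauthentication": ("no", "keyboard-interactive can still prompt for a password"),
}
def parse_sshd_config(text):
    """{keyword_lowercase: value}; sshd keeps the first value it reads per keyword and
    lines after a Match block are conditional, so they are skipped (assumption: globals first)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments
        m = re.match(r"(\w+)\s*(?:=|\s)\s*(.+)$", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Findings as strings; an empty list means every checked setting is as wanted."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") == "22":
        findings.append("Port 22: automated scanners try the default port first")
    for key, (want, why) in WANTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key} not set: the build default decides; {why} unless it is '{want}'")
        elif got.lower() != want:
            findings.append(f"{key} {got}: {why}")
    return findings
```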
 