Unknown users are trying to access via ssh
I'm using SuSE 10.0 with SuSE Firewall on my server machine.
Every day I get similar lines in my /var/log/messages:

Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137
Dec 19 13:27:54 server sshd[7163]: Invalid user iceuser from 218.97.247.137
Dec 19 13:28:01 server sshd[7165]: Invalid user horde from 218.97.247.137
Dec 19 13:28:07 server sshd[7167]: Invalid user cyrus from 218.97.247.137
Dec 19 13:28:13 server sshd[7169]: Invalid user www from 218.97.247.137
Dec 19 13:28:28 server sshd[7173]: Invalid user matt from 218.97.247.137
Dec 19 13:28:35 server sshd[7175]: Invalid user test from 218.97.247.137
Dec 19 13:28:41 server sshd[7177]: Invalid user test from 218.97.247.137
Dec 19 13:28:47 server sshd[7179]: Invalid user test from 218.97.247.137
[...]

Is somebody trying to hack my server via ssh? Is it a safe situation? How can I ban this IP? Thank you, gm
iptables -I INPUT -s [the ip address] -j DROP
If you don't need SSH, don't enable it. Report this attack to dshield.org ... thanks :)
Anyway, I see the attacking IP changes every day. Actually, on some occasions I log on to my server via Internet/SSH, so I need it. Should I report all the offending IPs I have in my log to dshield.org?
iptables-save might do that. I forget which file iptables' config is actually saved in.
If you use SSH, make sure to update it to the latest version. Report all the offending IPs to dshield.org.
gattumarrudu:
The following 2 commands will block incoming connections to ssh if the IP address the connections come from has given a failed password more than three times in the last 60 seconds:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

You can read the full howto on: http://www.debian-administration.org/articles/187

You can adjust the --seconds and --hitcount to your liking. This should solve your problem, and annoy the script-kiddies. Pablo
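To see from an existing log which source addresses the `--seconds 60 --hitcount 3` threshold above would have caught, here is a small log-side check written for this thread (an added example, not Pablo's or the howto's code). It parses sshd "Invalid user" lines in the syslog format the original poster showed; the sample log is constructed from the poster's first lines plus two control lines with the documentation address 192.0.2.10, and it approximates the rule since dropped connections never reach sshd's log.

```python
"""Log-side check mirroring the thread's `-m recent --seconds 60 --hitcount 3` rule.
Added example, not from the thread: flags a source IP the first time it logs HITCOUNT
or more sshd "Invalid user" events within WINDOW seconds (syslog format as in the post)."""
import re
from collections import defaultdict, deque
from datetime import datetime
WINDOW = 60    # seconds, same as --seconds 60
HITCOUNT = 3   # same as --hitcount 3

# e.g. "Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line):
    """Return (timestamp, user, ip) for an invalid-user event, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog omits the year; strptime defaults to 1900, fine for deltas within one log
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]

def flagged(lines, window=WINDOW, hitcount=HITCOUNT):
    """Map each offending IP to the timestamp at which it first hit the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the sliding window
    first_hit = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # accepted logins and other messages are not counted
        ts, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # expire events older than the window
        if len(q) >= hitcount:
            first_hit.setdefault(ip, ts)
    return first_hit

# Constructed sample: the poster's first four lines plus two control lines (192.0.2.10 is TEST-NET)
SAMPLE_LOG = """\
Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137
Dec 19 13:27:54 server sshd[7163]: Invalid user iceuser from 218.97.247.137
Dec 19 13:27:59 server sshd[7164]: Accepted publickey for gm from 192.0.2.10 port 51514 ssh2
Dec 19 13:28:01 server sshd[7165]: Invalid user horde from 218.97.247.137
Dec 19 13:28:07 server sshd[7167]: Invalid user cyrus from 218.97.247.137
Dec 19 13:30:10 server sshd[7201]: Invalid user test from 192.0.2.10
""".splitlines()
```

Running `flagged(SAMPLE_LOG)` reports 218.97.247.137 at 13:28:01, the third invalid user inside 13 seconds, while the single failure from 192.0.2.10 stays below the threshold.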
Thank you for the exhaustive answers and for the interesting links.
I'm quite inexperienced in firewalling, and my iptables skills are below zero (that means, if I do anything I will surely do it in the wrong direction)...
Or you could change the port SSH listens on ... like to port 23 ;)
Takes a lot of script kiddies out of the game.
ONLY after you have hardened your ssh server (no root, only version 2, only certificates, chroot, ...), if you want to hide even more (against 0days for example), you can have a look here:
http://www.hsc.fr/ressources/breves/secretssh.html.fr

I saw this a couple of years ago; I know some secure companies use it. As it is in French, I will quickly explain for the ones who don't read perl natively ;) It uses the port-knocking (marketing term) technique:

- Your ssh server is not running.
- As soon as your machine receives a packet on a special port with a special sequence number, a special IPID number and a special source port number (2^32*2^16*2^16*2^16 combinations), it starts the server on port 2222 (2^16 more) for only one session.
- You connect to it.
- Only possible if you use a modified ssh client/server (perl script on the page).

Security by obscurity is a good layer when it is not the only one (harden ssh first).
You should also do a whois lookup on the IP address and report the intrusion attempt to the domain owner.
I've been using http://www.dnsstuff.com/ for all my IP stuff. But even if you do happen to get a good reverse DNS lookup, most places make it extremely difficult to report abuse... *cough cough*sbc/pacbell*cough cough*
The parent poster's IP address seems to result in an infinite loop. http://www.dnsstuff.com/tools/ptr.ch?ip=218.97.247.137