12-19-2005, 02:10 PM | #1
LQ Newbie | Registered: Mar 2004 | Location: Sardinia (Italy) | Distribution: Gentoo / SuSE | Posts: 15
Unknown users are trying to access via ssh
I'm using SuSE 10.0 with SuSE Firewall on my server machine.
Every day I get lines like these in my /var/log/messages:
Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137
Dec 19 13:27:54 server sshd[7163]: Invalid user iceuser from 218.97.247.137
Dec 19 13:28:01 server sshd[7165]: Invalid user horde from 218.97.247.137
Dec 19 13:28:07 server sshd[7167]: Invalid user cyrus from 218.97.247.137
Dec 19 13:28:13 server sshd[7169]: Invalid user www from 218.97.247.137
Dec 19 13:28:28 server sshd[7173]: Invalid user matt from 218.97.247.137
Dec 19 13:28:35 server sshd[7175]: Invalid user test from 218.97.247.137
Dec 19 13:28:41 server sshd[7177]: Invalid user test from 218.97.247.137
Dec 19 13:28:47 server sshd[7179]: Invalid user test from 218.97.247.137
[...]
Is somebody trying to hack my server via ssh?
Is it a safe situation?
How can I ban this IP?
Thank you,
gm
12-19-2005, 02:32 PM | #2
Member | Registered: Nov 2003 | Location: ~ | Distribution: Ubuntu 10.04 | Posts: 843
iptables -I INPUT -s [the ip address] -j DROP
If you don't need SSH, don't enable it. Report this attack to dshield.org ... thanks 
12-19-2005, 02:44 PM | #3
LQ Newbie | Registered: Mar 2004 | Location: Sardinia (Italy) | Distribution: Gentoo / SuSE | Posts: 15 | Original Poster
Quote:
Originally Posted by mimithebrain
iptables -I INPUT -s [the ip address] -j DROP
How do I make this change permanent, so that it is applied every time I boot?
Anyway, I see that the attacking IP changes every day.
Actually, on some occasions I log on to my server via Internet/SSH, so I need it.
Should I report all the offending IPs I have in my log to dshield.org?
12-19-2005, 03:09 PM | #4
Member | Registered: Nov 2003 | Location: ~ | Distribution: Ubuntu 10.04 | Posts: 843
iptables-save might do that. I forgot what the actual file where iptables' config is saved is called.
If you use SSH, make sure to update it to the latest version.
Report all the offending IP's to dshield.org.
12-19-2005, 03:22 PM | #5
Member | Registered: Sep 2002 | Posts: 310
12-19-2005, 07:05 PM | #6
Member | Registered: Oct 2005 | Distribution: Slackware | Posts: 228
gattumarrudu:
The following 2 commands will block incoming connections to ssh if the IP address the connections come from has given a failed password more than three times in the last 60 seconds:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
You can read the full howto on:
http://www.debian-administration.org/articles/187
You can adjust the --seconds and --hitcount to your liking.
This should solve your problem, and annoy the script-kiddies.
Pablo
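As an added example (not code from this thread), here is a small Python check that ties the first post's question to the threshold rule in post #6: it parses sshd "Invalid user" lines of the form quoted above and flags a source IP once it reaches a hit count within a sliding time window, the same greater-or-equal semantics as the xt_recent --hitcount option. The sample input reuses lines from the first post plus one constructed, harmless line for the documentation address 192.0.2.10; the year is assumed because syslog omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd lines quoted in the first post. syslog omits the year,
# so the caller supplies one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line, year=2005):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def offending_ips(lines, seconds=60, hitcount=3, year=2005):
    """Flag an IP once it has produced `hitcount` or more 'Invalid user' events
    within any `seconds`-long window (the same >= semantics as xt_recent's
    --hitcount). Returns {ip: (time_first_flagged, total_events)}."""
    windows, totals, flagged = defaultdict(deque), defaultdict(int), {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:          # not an 'Invalid user' line: ignore it
            continue
        ts, _user, ip = parsed
        totals[ip] += 1
        win = windows[ip]
        win.append(ts)
        while (ts - win[0]).total_seconds() > seconds:   # expire old hits
            win.popleft()
        if len(win) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return {ip: (flagged[ip], totals[ip]) for ip in flagged}

# Sample input: four lines quoted in the first post plus one constructed,
# harmless sshd line (documentation address 192.0.2.10) the parser must skip.
SAMPLE_LOG = """\
Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137
Dec 19 13:27:54 server sshd[7163]: Invalid user iceuser from 218.97.247.137
Dec 19 13:28:01 server sshd[7165]: Invalid user horde from 218.97.247.137
Dec 19 13:28:07 server sshd[7167]: Invalid user cyrus from 218.97.247.137
Dec 19 13:30:00 server sshd[7200]: Accepted publickey for gm from 192.0.2.10 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (when, total) in offending_ips(SAMPLE_LOG).items():
        print(f"{ip}: hit threshold at {when:%b %d %H:%M:%S}, {total} invalid-user attempts")
```

Unlike the iptables rule, which counts new TCP connections, this counts logged failures, so it only confirms after the fact what the firewall rule would have cut off.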
12-20-2005, 02:20 AM | #7
LQ Newbie | Registered: Mar 2004 | Location: Sardinia (Italy) | Distribution: Gentoo / SuSE | Posts: 15 | Original Poster
Thank you for the exhaustive answers and for the interesting links.
Quote:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
How do you translate this into, let's say, a SuSEFirewall config file?
I'm quite inexperienced in firewalling, and my iptables skills are below zero (that means, if I do anything, I will surely do it in the wrong direction)...
12-20-2005, 04:01 AM | #8
Member | Registered: Dec 2004 | Location: Québec | Distribution: Gentoo, Kubuntu Karmic | Posts: 48
Or you could change the port SSH listens on ... like to port 23
That takes a lot of script kiddies out of the game.
12-20-2005, 04:07 AM | #9
Member | Registered: Mar 2002 | Location: Hampton, VA | Posts: 86
Quote:
Originally Posted by denver1980
Or you could change the port SSH listens on ... like to port 23
That takes a lot of script kiddies out of the game.
Same difference, SSH vs Telnet. I run my SSH server on a non-standard SSH port, 2222 is easy, and cuts down on the login attempts by a lot. People will still do port scans on you and such and identify it as a listening port, but that is just part of having a system connected to the Internet. Keep your system updated/patched and disable any unused accounts. Aside from that, and using good passwords, you should be good.
12-20-2005, 08:13 AM | #10
Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
ONLY after you have hardened your ssh server (no root, only version 2, only certificates, chroot, ...), if you want to hide even more (against 0days for example), you can have a look here:
http://www.hsc.fr/ressources/breves/secretssh.html.fr
I saw this a couple of years ago; I know some secure companies use it.
As it is in French, I will quickly explain for the ones who don't read Perl natively.
It uses the port-knocking (marketing term) technique:
Your ssh server is not running.
As soon as your machine receives a packet on a special port with a special sequence number, a special IPID number and a special source port number (2^32*2^16*2^16*2^16 combinations), it starts the server on port 2222 (2^16 more) for only one session.
You connect to it.
This is only possible if you use a modified ssh client/server (Perl script on the page).
Security by obscurity is a good layer when it is not the only one (harden ssh first).
12-20-2005, 11:08 AM | #11
Member | Registered: Jul 2004 | Location: Manchester, England | Distribution: Gentoo | Posts: 211
You should also do a whois lookup on the IP address and report the intrusion attempt to the domain owner.
12-22-2005, 12:29 AM | #12
Senior Member | Registered: Nov 2002 | Location: Silly Con Valley | Distribution: Red Hat 7.3, Red Hat 9.0 | Posts: 2,054
I've been using http://www.dnsstuff.com/ for all my IP stuff. But even if you do happen to get a good reverse DNS lookup, most places make it extremely difficult to report abuse... *cough cough*sbc/pacbell*cough cough*
The parent poster's IP address seems to result in an infinite loop.
http://www.dnsstuff.com/tools/ptr.ch?ip=218.97.247.137
Last edited by megaspaz; 12-22-2005 at 12:32 AM.
12-22-2005, 07:25 AM | #13
Member | Registered: Jul 2004 | Location: Manchester, England | Distribution: Gentoo | Posts: 211