LinuxQuestions.org
Old 12-19-2005, 02:10 PM   #1
gattumarrudu
LQ Newbie
 
Registered: Mar 2004
Location: Sardinia (Italy)
Distribution: Gentoo / SuSE
Posts: 15

Rep: Reputation: 0
Unknown users are trying to access via ssh


I'm using SuSE 10.0 with SuSE Firewall on my server machine.
Every day I get similar lines in my /var/log/messages:

Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137
Dec 19 13:27:54 server sshd[7163]: Invalid user iceuser from 218.97.247.137
Dec 19 13:28:01 server sshd[7165]: Invalid user horde from 218.97.247.137
Dec 19 13:28:07 server sshd[7167]: Invalid user cyrus from 218.97.247.137
Dec 19 13:28:13 server sshd[7169]: Invalid user www from 218.97.247.137
Dec 19 13:28:28 server sshd[7173]: Invalid user matt from 218.97.247.137
Dec 19 13:28:35 server sshd[7175]: Invalid user test from 218.97.247.137
Dec 19 13:28:41 server sshd[7177]: Invalid user test from 218.97.247.137
Dec 19 13:28:47 server sshd[7179]: Invalid user test from 218.97.247.137

[...]

Is somebody trying to hack my server via ssh?

Is it a safe situation?

How can I ban this IP?

Thank you,
gm
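Before blocking anything it helps to know which sources are actually hammering the box, and how often. As an added example (not code from the thread), the following POSIX shell script counts the "Invalid user" lines per source address, lists the sources over a chosen threshold, and turns those into the one-line DROP rule that post #2 suggests. The log sample is constructed: the first four lines are the ones quoted in the post above, the 192.0.2.10 and 198.51.100.7 addresses are documentation addresses added to show that other sources and non-matching lines are handled.

```shell
#!/bin/sh
# Added example, not from the thread: summarise sshd "Invalid user" attempts
# per source address from /var/log/messages-style lines.
# SAMPLE_LOG is constructed; 192.0.2.10 and 198.51.100.7 are documentation
# addresses used only for illustration.
SAMPLE_LOG='Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137
Dec 19 13:27:54 server sshd[7163]: Invalid user iceuser from 218.97.247.137
Dec 19 13:28:01 server sshd[7165]: Invalid user horde from 218.97.247.137
Dec 19 13:28:07 server sshd[7167]: Invalid user cyrus from 218.97.247.137
Dec 19 13:30:00 server sshd[7201]: Invalid user admin from 192.0.2.10
Dec 19 13:30:02 server sshd[7201]: Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2
Dec 19 13:30:05 server sshd[7203]: Accepted publickey for gm from 198.51.100.7 port 4312 ssh2
Dec 19 13:31:10 server sshd[7210]: Invalid user test from 192.0.2.10'

# Read log lines on stdin; print "count address", busiest source first.
# Only the "Invalid user ... from ADDR" lines are counted, so the matching
# "Failed password" line for the same attempt is not counted twice.
# The address is taken from the word after "from", which also works for
# newer sshd versions that append "port N" to the line.
invalid_user_counts() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
             for (i = 1; i < NF; i++)
                 if ($i == "from") { ip[$(i + 1)]++; break }
         }
         END { for (a in ip) printf "%d %s\n", ip[a], a }' | sort -rn
}

# Read log lines on stdin; print only the addresses with at least $1 attempts.
sources_over_threshold() {
    invalid_user_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Read addresses on stdin; print the DROP rule from post #2 for each one.
drop_rules_for() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Usage on the constructed sample: sources with 3 or more attempts.
# For the real log: sources_over_threshold 3 < /var/log/messages | drop_rules_for
printf '%s\n' "$SAMPLE_LOG" | sources_over_threshold 3 | drop_rules_for
```

The output is meant to be reviewed, not piped straight into a root shell: as the later posts point out, the attacking address changes every day, so a list of static DROP rules grows without bound and never catches the next source. It is a good way to see what is going on, and to pick the addresses worth reporting.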
 
Old 12-19-2005, 02:32 PM   #2
mimithebrain
Member
 
Registered: Nov 2003
Location: ~
Distribution: Ubuntu 10.04
Posts: 843
Blog Entries: 1

Rep: Reputation: 30
iptables -I INPUT -s [the ip address] -j DROP

If you don't need SSH, don't enable it. Report this attack to dshield.org ... thanks
 
Old 12-19-2005, 02:44 PM   #3
gattumarrudu
LQ Newbie
 
Registered: Mar 2004
Location: Sardinia (Italy)
Distribution: Gentoo / SuSE
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by mimithebrain
iptables -I INPUT -s [the ip address] -j DROP
How do I make this change permanent every time I boot?
Anyway, I see the attacking IP changes every day.

Actually, on some occasions I log on to my server via Internet/SSH, so I need it.

Should I report all the offending IPs I have in my log to dshield.org?
 
Old 12-19-2005, 03:09 PM   #4
mimithebrain
Member
 
Registered: Nov 2003
Location: ~
Distribution: Ubuntu 10.04
Posts: 843
Blog Entries: 1

Rep: Reputation: 30
iptables-save might do that. I forgot what the actual file is where iptables' config is saved.

If you use SSH, make sure to update it to the latest version.

Report all the offending IPs to dshield.org.
 
Old 12-19-2005, 03:22 PM   #5
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
http://www.linuxquestions.org/questi...d.php?t=340366
 
Old 12-19-2005, 07:05 PM   #6
WindowBreaker
Member
 
Registered: Oct 2005
Distribution: Slackware
Posts: 228

Rep: Reputation: 40
gattumarrudu:

The following 2 commands will block incoming connections to ssh if the IP address the connections come from has given a failed password more than three times in the last 60 seconds:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

You can read the full howto on:
http://www.debian-administration.org/articles/187

You can adjust the --seconds and --hitcount to your liking.

This should solve your problem, and annoy the script-kiddies.

Pablo
 
Old 12-20-2005, 02:20 AM   #7
gattumarrudu
LQ Newbie
 
Registered: Mar 2004
Location: Sardinia (Italy)
Distribution: Gentoo / SuSE
Posts: 15

Original Poster
Rep: Reputation: 0
Thank you for the exhaustive answers and for the interesting links.

Quote:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
How do you translate this in a, let's say, SuSEFirewall config file?
I'm quite inexperienced in firewalling, and my iptables skills are below zero (that means, if I do anything I will surely do it in the wrong direction)...
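To tie posts #4, #6 and #7 together: the two rules from post #6 are easier to get right, and to reuse on another port, when the interface, port, time window and hit count are parameters, and the "how do I make it permanent" question from post #4 is answered by saving the ruleset once the rules are in. The script below is an added example, not code from the thread or from the linked howto. It assumes an iptables with the `state` and `recent` match modules; the save path in `RULES_FILE` is this script's own choice, not a distribution default. One caveat the posts do not spell out: `-m recent` counts new TCP connections from an address, not failed passwords, so with `--hitcount 3` the fourth new connection inside the window is dropped whether or not the earlier three ever sent a password, and `--update` keeps extending the block while the source keeps trying.

```shell
#!/bin/sh
# Added example, not from the thread: parameterised version of the two
# "recent" rules from post #6, plus persistence with iptables-save.
# Assumptions: iptables with the "state" and "recent" matches; RULES_FILE is
# chosen here and is not a SuSE or Debian default path.
RULES_FILE=${RULES_FILE:-/etc/iptables.rules}

# Emit the two commands for interface $1, port $2, window $3 seconds, $4 hits.
# iptables -I inserts at the top of the chain, so the --set rule is emitted
# first and the --update/DROP rule second: after both have run, the DROP
# check sits above the --set rule, which is the order that works (check the
# hit count first, then record the new connection). The list is named so it
# does not collide with other users of -m recent on the same host.
ssh_ratelimit_rules() {
    iface=$1
    port=$2
    seconds=$3
    hits=$4
    printf 'iptables -I INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --set --name SSH\n' \
        "$port" "$iface"
    printf 'iptables -I INPUT -p tcp --dport %s -i %s -m state --state NEW -m recent --update --seconds %s --hitcount %s --name SSH -j DROP\n' \
        "$port" "$iface" "$seconds" "$hits"
}

# Apply the rules (needs root) and save the complete ruleset so that a boot
# script can restore it with:  iptables-restore < "$RULES_FILE"
apply_and_save() {
    ssh_ratelimit_rules "$@" | sh -e
    iptables-save > "$RULES_FILE"
}

# Print the rules for the thread's case: eth0, port 22, 3 hits in 60 seconds.
# To install them for real: apply_and_save eth0 22 60 3
ssh_ratelimit_rules eth0 22 60 3
```

On a SuSE 10.0 box the natural place for the two lines is the custom-rules hook that SuSEfirewall2 calls from `/etc/sysconfig/SuSEfirewall2` (the `FW_CUSTOMRULES` script, as far as I recall; check the comments in that file for the exact hook function on your version), since SuSEfirewall2 rebuilds the whole ruleset on every start and would otherwise throw away rules added by hand. Anywhere else, `iptables-save` into a file and `iptables-restore` from an init script is enough.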
 
Old 12-20-2005, 04:01 AM   #8
denver1980
Member
 
Registered: Dec 2004
Location: Québec
Distribution: Gentoo, Kubuntu Karmic
Posts: 48

Rep: Reputation: 15
Or you could change the port SSH listens on ... like port 23.
Takes a lot of script kiddies out of the game.
 
Old 12-20-2005, 04:07 AM   #9
jrbush82
Member
 
Registered: Mar 2002
Location: Hampton, VA
Posts: 86

Rep: Reputation: 15
Quote:
Originally Posted by denver1980
Or you could change the port SSH listens on ... like port 23.
Takes a lot of script kiddies out of the game.
Same difference, SSH vs Telnet. I run my SSH server on a non-standard SSH port, 2222 is easy, and cuts down on the login attempts by a lot. People will still do port scans on you and such and identify it as a listening port, but that is just part of having a system connected to the Internet. Keep your system updated/patched and disable any unused accounts. Aside from that, and using good passwords, you should be good.
 
Old 12-20-2005, 08:13 AM   #10
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
ONLY after you have hardened your ssh server (no root, only version 2, only certificates, chroot, ...), if you want to hide even more (against 0days for example), you can have a look here:

http://www.hsc.fr/ressources/breves/secretssh.html.fr

I saw this a couple of years ago; I know some security-conscious companies use it.
As it is in French, I will quickly explain it for those who don't read Perl natively.

It uses the port-knocking (marketing term) technique:

Your ssh server is not running
As soon as your machine receives a packet on a special port with a special sequence number, a special IPID number and a special source port number (2^32*2^16*2^16*2^16 combinations), it starts the server on port 2222 (2^16 more) for only one session.
You connect to it

Only possible if you use a modified ssh client/server (perl script on the page)

Security by obscurity is a good layer when it is not the only one (harden ssh first)
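Posts #9 and #10 between them list the sshd settings worth checking before anything fancier: a non-standard port, no root login, protocol 2 only, and key-only authentication. As an added example (not from either poster), the shell function below audits an sshd_config supplied on stdin for those four settings and prints one line per weak one. It also reports a directive that is not set at all, because the OpenSSH defaults of that era (Port 22, Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes) are the permissive values. The two configurations are constructed for the example; `Match` blocks, which can re-enable a setting for particular users, are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: report weak sshd_config settings.
# Both configs below are constructed for illustration.
WEAK_SSHD_CONFIG='# constructed: the defaults an unattended install tends to leave
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='# constructed: the settings posts #9 and #10 recommend
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Read an sshd_config on stdin; print one finding per weak or missing
# directive, nothing when all four are set to the hardened values.
# sshd keywords are case-insensitive, so compare in lower case.
audit_sshd_config() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        key = tolower($1); val = tolower($2); seen[key] = 1
        if (key == "protocol" && val ~ /1/)
            print "Protocol allows SSH-1 (set Protocol 2)"
        else if (key == "permitrootlogin" && val == "yes")
            print "PermitRootLogin yes (set it to no)"
        else if (key == "passwordauthentication" && val == "yes")
            print "PasswordAuthentication yes (keys only: set it to no)"
        else if (key == "port" && val == "22")
            print "Port 22 (a non-standard port cuts down automated attempts)"
    }
    END {
        if (!("protocol" in seen))
            print "Protocol not set (older releases default to 2,1)"
        if (!("permitrootlogin" in seen))
            print "PermitRootLogin not set (OpenSSH of this era defaults to yes)"
        if (!("passwordauthentication" in seen))
            print "PasswordAuthentication not set (defaults to yes)"
        if (!("port" in seen))
            print "Port not set (defaults to 22)"
    }'
}

# Usage on the constructed configs; for the live file:
#   audit_sshd_config < /etc/ssh/sshd_config
echo "weak config:";     printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config
echo "hardened config:"; printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config
```

Switching `PasswordAuthentication` off only after the key has been copied and tested from a second session is the step that avoids locking yourself out; the same goes for changing `Port`, which also needs the firewall rule from post #6 pointed at the new port.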
 
Old 12-20-2005, 11:08 AM   #11
UK MAdMaN
Member
 
Registered: Jul 2004
Location: Manchester, England
Distribution: Gentoo
Posts: 211

Rep: Reputation: 30
You should also do a whois lookup on the IP address and report the intrusion attempt to the domain owner.
 
Old 12-22-2005, 12:29 AM   #12
megaspaz
Senior Member
 
Registered: Nov 2002
Location: Silly Con Valley
Distribution: Red Hat 7.3, Red Hat 9.0
Posts: 2,054

Rep: Reputation: 46
I've been using http://www.dnsstuff.com/ for all my IP stuff. But even if you do happen to get a good reverse DNS lookup, most places make it extremely difficult to report abuse... *cough cough*sbc/pacbell*cough cough*

The parent poster's IP address seems to result in an infinite loop.

http://www.dnsstuff.com/tools/ptr.ch?ip=218.97.247.137

Last edited by megaspaz; 12-22-2005 at 12:32 AM.
 
Old 12-22-2005, 07:25 AM   #13
UK MAdMaN
Member
 
Registered: Jul 2004
Location: Manchester, England
Distribution: Gentoo
Posts: 211

Rep: Reputation: 30
http://www.dnsstuff.com/tools/whois....7.137&email=on
 