Old 12-24-2006, 05:53 AM   #1
punjabipredator
Member
 
Registered: Dec 2006
Posts: 30

Rep: Reputation: 15
What is the best way to secure SSH?


I currently have BFD installed and it bans the person temporarily, and he or she manages to get through to my server after a while and changes the passwords. I would like to know what other methods there are, apart from BFD and Public Key Authentication, for securing SSH so that this never happens again?
 
Old 12-24-2006, 06:09 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
Are you sure they're getting in through SSH originally? It's a lot more likely that someone is exploiting poor security on a PHP script or other web application. If they really are gaining entry through SSH, it's probably because PasswordAuthentication is still set to on and you have some accounts with very easily-guessed passwords.
 
Old 12-24-2006, 06:09 AM   #3
Jaqui
Member
 
Registered: Jan 2006
Location: Vancouver BC
Distribution: LFS, SLak, Gentoo, Debian
Posts: 291

Rep: Reputation: 36
This:
http://www.ietf.org/rfc/rfc4252.txt

is all SSH authentication methods.

Since I wanted to restrict su access to limited users, thereby stopping exactly this type of issue, I asked on the OpenSSH email list about only enabling su ability for specific users. This was the response that helped me get the configuration I wanted:

> > The idea being to limit su access to
> > only those who have used a public / private key pair
> > for authentication.
>
> Easy... Compile sshd with the match keyword patch
> (http://bugzilla.mindrot.org/show_bug.cgi?id=1180), and use it to ensure
> that members of the admin group can only log in using public/private key
> authentication.
>
> Also make these users a member of the wheel group, and ensure that only
> they can su - check out /etc/pam.d/su.
>
> For example, in /etc/ssh/sshd_config add:
>
> Match Group admins
> PubkeyAuthentication yes
> PasswordAuthentication no
> ChallengeResponseAuthentication no
>
> In /etc/pam.d/su ensure the following is uncommented:
>
> # Uncomment the following line to require a user to be in the "wheel" group.
> auth required /lib/security/$ISA/pam_wheel.so use_uid
>
> I use this method to ensure that admins can only log in using
> public/private keys and have access to perform admin functions while
> (hopefully) ensuring that "normal" users cannot mess about.
>
> This also has the advantage that if any user uploads their own keys to
> ~/.ssh that they will not be able to gain admin rights!!!
 
Old 12-24-2006, 07:56 PM   #4
punjabipredator
Member
 
Registered: Dec 2006
Posts: 30

Original Poster
Rep: Reputation: 15
This is the log from BFD and this is what it is saying

The following are event logs from 71.159.204.121 on service sshd (all time stamps are GMT -0600):

Dec 24 04:56:39 cpanel sshd[442]: Failed password for invalid user postfix from ::ffff:71.159.204.121 port 42379 ssh2
Dec 24 10:56:39 cpanel sshd[443]: Failed password for invalid user postfix from ::ffff:71.159.204.121 port 42379 ssh2
Dec 24 10:56:39 cpanel sshd[443]: Received disconnect from ::ffff:71.159.204.121: 11: Bye Bye
Dec 24 04:56:39 cpanel sshd[444]: Invalid user postfix from ::ffff:71.159.204.121
Dec 24 04:56:42 cpanel sshd[444]: Failed password for invalid user postfix from ::ffff:71.159.204.121 port 42484 ssh2
Dec 24 10:56:42 cpanel sshd[445]: Failed password for invalid user postfix from ::ffff:71.159.204.121 port 42484 ssh2
Dec 24 10:56:42 cpanel sshd[445]: Received disconnect from ::ffff:71.159.204.121: 11: Bye Bye
Dec 24 04:56:45 cpanel sshd[446]: Failed password for adm from ::ffff:71.159.204.121 port 42585 ssh2
Dec 24 10:56:45 cpanel sshd[447]: Failed password for adm from ::ffff:71.159.204.121 port 42585 ssh2
Dec 24 10:56:45 cpanel sshd[447]: Received disconnect from ::ffff:71.159.204.121: 11: Bye Bye
Dec 24 04:56:48 cpanel sshd[448]: Failed password for adm from ::ffff:71.159.204.121 port 42688 ssh2
Dec 24 10:56:48 cpanel sshd[449]: Failed password for adm from ::ffff:71.159.204.121 port 42688 ssh2
Dec 24 10:56:48 cpanel sshd[449]: Received disconnect from ::ffff:71.159.204.121: 11: Bye Bye
Dec 24 04:56:51 cpanel sshd[450]: Failed password for adm from ::ffff:71.159.204.121 port 42790 ssh2
Dec 24 10:56:51 cpanel sshd[451]: Failed password for adm from ::ffff:71.159.204.121 port 42790 ssh2
Dec 24 10:56:51 cpanel sshd[451]: Received disconnect from ::ffff:71.159.204.121: 11: Bye Bye
Dec 24 04:56:53 cpanel sshd[454]: Failed password for adm from ::ffff:71.159.204.121 port 42894 ssh2
Dec 24 10:56:53 cpanel sshd[455]: Failed password for adm from ::ffff:71.159.204.121 port 42894 ssh2
Dec 24 10:56:54 cpanel sshd[455]: Received disconnect from ::ffff:71.159.204.121: 11: Bye Bye
Dec 24 04:56:56 cpanel sshd[456]: Failed password for adm from ::ffff:71.159.204.121 port 42994 ssh2
Dec 24 10:56:56 cpanel sshd[457]: Failed password for adm from ::ffff:71.159.204.121 port 42994 ssh2
 
Old 12-25-2006, 02:19 AM   #5
Jaqui
Member
 
Registered: Jan 2006
Location: Vancouver BC
Distribution: LFS, SLak, Gentoo, Debian
Posts: 291

Rep: Reputation: 36
Quote:
Originally Posted by punjabipredator
This is the log from BFD and this is what it is saying

The following are event logs from 71.159.204.121 on service sshd (all time stamps are GMT -0600):

Dec 24 04:56:39 cpanel sshd[442]: Failed password for invalid user postfix from ::ffff:71.159.204.121 port 42379 ssh2
Postfix, an email server account.
There is zero reason for postfix to log in to ssh.
If you don't use the postfix MTA yourself, then you can deny postfix access to your system completely through the configuration: deny the user name access to ssh completely.
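
Added example (not part of any post in this thread): a short Python triage of sshd "Failed password" lines in the format BFD reported above. It collapses the duplicate entry each attempt produces in this log (same source port, different PID and timestamp) and separates guessed names that sshd marks "invalid user" from accounts that exist on the box; the sample lines, host name and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the BFD report (documentation IPs).
SAMPLE_LOG = """\
Dec 24 04:56:39 host sshd[442]: Failed password for invalid user postfix from ::ffff:203.0.113.7 port 42379 ssh2
Dec 24 10:56:39 host sshd[443]: Failed password for invalid user postfix from ::ffff:203.0.113.7 port 42379 ssh2
Dec 24 10:56:39 host sshd[443]: Received disconnect from ::ffff:203.0.113.7: 11: Bye Bye
Dec 24 04:56:45 host sshd[446]: Failed password for adm from ::ffff:203.0.113.7 port 42585 ssh2
Dec 24 10:56:45 host sshd[447]: Failed password for adm from ::ffff:203.0.113.7 port 42585 ssh2
Dec 24 04:56:48 host sshd[448]: Failed password for adm from ::ffff:203.0.113.7 port 42688 ssh2
Dec 25 03:09:18 host sshd[6474]: Failed password for root from ::ffff:198.51.100.9 port 51609 ssh2
Dec 25 03:09:19 host sshd[6471]: Failed password for invalid user test from ::ffff:198.51.100.9 port 51578 ssh2
"""

# "invalid user" means the account does not exist; without it, the name is real.
# The optional ::ffff: prefix is the IPv4-mapped form seen in the thread's log.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[0-9A-Fa-f:.]+) port (?P<port>\d+)"
)


def summarize(log_text):
    """Count distinct failed password attempts per source IP."""
    seen = set()
    per_ip = defaultdict(lambda: {"attempts": 0, "existing": set(), "invalid": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m is None:
            continue
        # Each attempt is logged twice here; the source port identifies the
        # connection. Several guesses on one connection are counted once.
        key = (m["ip"], m["port"], m["user"])
        if key in seen:
            continue
        seen.add(key)
        entry = per_ip[m["ip"]]
        entry["attempts"] += 1
        entry["invalid" if m["invalid"] else "existing"].add(m["user"])
    return dict(per_ip)


def exposed_accounts(summary):
    """Existing accounts that received password guesses, across all sources."""
    names = set()
    for entry in summary.values():
        names |= entry["existing"]
    return sorted(names)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, entry in sorted(summary.items()):
        print(ip, entry["attempts"], sorted(entry["existing"]), sorted(entry["invalid"]))
    print("existing accounts being guessed:", exposed_accounts(summary))
```

Names returned by `exposed_accounts` exist on the system, so those are the accounts whose passwords and SSH access deserve review first.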
 
Old 12-25-2006, 03:54 AM   #6
punjabipredator
Member
 
Registered: Dec 2006
Posts: 30

Original Poster
Rep: Reputation: 15
The problem is they use different names and a lot of IP addresses, and when they do manage to get in after a lot of attempts they change the password and then I change it back. I had a lot of problems with one server; I had it shut down, and the attacks have been less but are still happening.

 
Old 12-25-2006, 03:56 AM   #7
punjabipredator
Member
 
Registered: Dec 2006
Posts: 30

Original Poster
Rep: Reputation: 15
I am trying to get OpenSSH Public Key Authentication running, which I am still learning, and hopefully that stops this from happening.
 
Old 12-25-2006, 05:08 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 680
Use the "AllowUsers" directive in sshd_config. Add only the authorized users. All other users will be denied access. That includes system users that a script kiddie will bang against.

It is a good idea to not allow root logins to ssh as well.
 
Old 12-25-2006, 12:50 PM   #9
punjabipredator
Member
 
Registered: Dec 2006
Posts: 30

Original Poster
Rep: Reputation: 15
Can you explain to me how I can do that? Thank you.
 
Old 12-25-2006, 01:56 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
Put the following line in /etc/ssh/sshd_config and restart sshd:
Code:
AllowUsers bob alice charlie
Where "bob", "alice", and "charlie" are the names of the users who actually need to use SSH to log in. Don't actually use bob, alice, etc, put in the names of your accounts that log in.

Once you get public key authentication working, make sure to put:
Code:
PasswordAuthentication no
UsePAM no
in your sshd_config as well (and restart it).

I know that I personally have posted instructions on this board several times for setting up public key authentication and exchanging keys. Just do a search.
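
Added example (not part of chort's post or of OpenSSH): a Python check of an sshd_config against the settings recommended in this thread. It applies sshd's first-value-wins rule and treats everything after the first Match line as belonging to a Match block, so a line appended at the bottom of the file is not mistaken for a global setting; the sample configs and finding names are constructed, and the defaults table reflects upstream OpenSSH as an assumption.

```python
import re

# Upstream OpenSSH defaults for keywords the thread mentions (assumption: a
# distribution's packaged sshd_config may set different values explicitly).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

# Constructed example: the last two lines were appended at the end of the file,
# after a Match block, so they do not change the global settings.
WEAK = """\
PasswordAuthentication yes
PermitRootLogin yes
Match Group admins
    PasswordAuthentication no
AllowUsers bob alice charlie
PasswordAuthentication no
"""

# Constructed example following the thread's advice.
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
UsePAM no
AllowUsers bob alice
AllowUsers charlie
Match Group admins
    PubkeyAuthentication yes
"""


def parse_global(config_text):
    """Return (settings, allow_users) from the part of the file before any Match."""
    settings, allow_users = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # later lines apply only to connections that match
        if keyword == "allowusers":
            allow_users.extend(value.split())  # repeated lines accumulate
        else:
            settings.setdefault(keyword, value.lower())  # first value wins
    return settings, allow_users


def audit(config_text, expected_users):
    """Return {finding_name: explanation} for the global section of an sshd_config."""
    settings, allow_users = parse_global(config_text)

    def get(key):
        return settings.get(key, DEFAULTS.get(key))

    findings = {}
    if get("passwordauthentication") != "no":
        findings["password-auth"] = "password guessing over SSH is possible"
    elif get("usepam") == "yes" and get("challengeresponseauthentication") != "no":
        # PAM challenge-response usually prompts for the same account password.
        findings["pam-challenge"] = "PAM can still prompt for a password"
    root = settings.get("permitrootlogin")
    if root is None:
        findings["root-login"] = "PermitRootLogin not set; the built-in default applies"
    elif root != "no":
        findings["root-login"] = "PermitRootLogin is '%s'" % root
    if not allow_users:
        findings["allowusers-missing"] = "no global AllowUsers line"
    else:
        extra = sorted(set(allow_users) - set(expected_users))
        if extra:
            findings["allowusers-extra"] = "unexpected names: " + ", ".join(extra)
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text, ["bob", "alice", "charlie"]))
```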
 
Old 12-25-2006, 04:23 PM   #11
punjabipredator
Member
 
Registered: Dec 2006
Posts: 30

Original Poster
Rep: Reputation: 15
Thank you, jschiwal and chort. I found out from my Tech Support that I can add an IP range also that will allow just my IP address, and I will do that using your method. As for the public key authentication, I don't think I will be using that, since the key creating is a big issue since you have to create it on your own machine with Linux on there. Thanks once again.
 
Old 12-26-2006, 02:20 AM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
Quote:
Originally Posted by punjabipredator
I don't think I will be using that, since the key creating is a big issue since you have to create it on your own machine with Linux on there. Thanks once again.
That's not true. PuTTY is a free set of SSH utilities for Windows that will allow you to create a private/public key pair (puttygen). When you generate a key the top part of the window shows the OpenSSH format of the public key. You can copy that and paste it onto the target Linux box into a file and you save that as ~/.ssh/authorized_keys. Then you can select the private key to use in PuTTY for authentication.
 
Old 12-26-2006, 03:41 AM   #13
edenCC
Member
 
Registered: May 2006
Location: China
Distribution: Debian
Posts: 198
Blog Entries: 1

Rep: Reputation: 32
Changing the default port 22 to an empty port larger than 32767 is soundly a good way to get rid of most of the common scanners.
 
Old 12-26-2006, 04:43 AM   #14
punjabipredator
Member
 
Registered: Dec 2006
Posts: 30

Original Poster
Rep: Reputation: 15
I asked my support about PuTTY before you mentioned it, because I heard from somewhere that it can generate the key, and they said the following to me:

The key can be generated on a system with OpenSSH running, as you have to use the ssh-keygen to generate the key. You may use a Linux machine with OpenSSH running on it. The key generation cannot be done in PuTTY.

I already have the program on my computer; I use it to log in to my servers.

Quote:
Originally Posted by chort
That's not true. PuTTY is a free set of SSH utilities for Windows that will allow you to create a private/public key pair (puttygen). When you generate a key the top part of the window shows the OpenSSH format of the public key. You can copy that and paste it onto the target Linux box into a file and you save that as ~/.ssh/authorized_keys. Then you can select the private key to use in PuTTY for authentication.
 
Old 12-26-2006, 04:45 AM   #15
punjabipredator
Member
 
Registered: Dec 2006
Posts: 30

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by edenCC
Changing the default port 22 to an empty port larger than 32767 is soundly a good way to get rid of most of the common scanners.
The idea of changing ports is not really that good, because the person scans a lot of ports and sooner or later he would have found the correct one and then taken over the server.

Anyway, I think we have resolved this issue: my support added TCP Wrappers on my SSH, only allowing my IP address range on there, and the rest are basically banned, so the server is secure now and I haven't had anyone trying to break in.
 
  

