Linux-Noob Forums

Full Version: I have something that kind of worries me

I found a log file that kind of worries me; it's not my website log file but /var/log/secure. Is this something to worry about? Looks like someone is trying to break in:

(and I got quite a few more IPs trying to do the same thing or something similar)

Sep 18 03:46:12 localhost sshd[9004]: Received disconnect from 96.44.148.170: 11: Bye Bye
Sep 18 03:46:41 localhost sshd[9005]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 03:46:41 localhost sshd[9005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root
Sep 18 03:46:43 localhost sshd[9005]: Failed password for root from 96.44.148.170 port 60604 ssh2
Sep 18 03:46:43 localhost sshd[9006]: Received disconnect from 96.44.148.170: 11: Bye Bye
Sep 18 03:47:11 localhost sshd[9007]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 03:47:11 localhost sshd[9007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root
Sep 18 03:47:12 localhost sshd[9007]: Failed password for root from 96.44.148.170 port 35961 ssh2
Sep 18 03:47:12 localhost sshd[9008]: Received disconnect from 96.44.148.170: 11: Bye Bye
Sep 18 03:47:41 localhost sshd[9009]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 03:47:41 localhost sshd[9009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root
Sep 18 03:47:43 localhost sshd[9009]: Failed password for root from 96.44.148.170 port 39572 ssh2
Sep 18 03:47:43 localhost sshd[9010]: Received disconnect from 96.44.148.170: 11: Bye Bye
Sep 18 03:48:12 localhost sshd[9011]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 03:48:12 localhost sshd[9011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root
Sep 18 03:48:14 localhost sshd[9011]: Failed password for root from 96.44.148.170 port 43168 ssh2
Sep 18 03:48:14 localhost sshd[9012]: Received disconnect from 96.44.148.170: 11: Bye Bye
Sep 18 03:48:42 localhost sshd[9013]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 03:48:42 localhost sshd[9013]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root
Sep 18 03:48:44 localhost sshd[9013]: Failed password for root from 96.44.148.170 port 46797 ssh2
Sep 18 03:48:44 localhost sshd[9014]: Received disconnect from 96.44.148.170: 11: Bye Bye
Sep 18 03:49:13 localhost sshd[9015]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 03:49:13 localhost sshd[9015]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root
Sep 18 03:49:14 localhost sshd[9015]: Failed password for root from 96.44.148.170 port 50417 ssh2
Sep 18 03:49:15 localhost sshd[9016]: Received disconnect from 96.44.148.170: 11: Bye Bye
Sep 18 03:49:44 localhost sshd[9017]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 03:49:44 localhost sshd[9017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root
Sep 18 03:49:46 localhost sshd[9017]: Failed password for root from 96.44.148.170 port 54091 ssh2
Sep 18 03:49:46 localhost sshd[9018]: Received disconnect from 96.44.148.170: 11: Bye Bye
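The questions this excerpt raises (how many failures, from how many sources, how fast, and which accounts) are easier to answer with a small parser than by reading raw lines. The following is an added example, not something posted in the thread: it parses syslog-style sshd lines of the kind shown above, counts failed password attempts per source address, and applies the same sliding-window rule that fail2ban-style tools use (N failures within a time window) to separate a guessing campaign from an occasional typo. The sample lines are constructed and use TEST-NET addresses; the function names, threshold and window are the example's own choices. One caveat worth knowing: the "POSSIBLE BREAK-IN ATTEMPT!" text is sshd's reverse-DNS consistency warning (the client's PTR record did not resolve back to its address); it is reported separately here because on its own it is a DNS hygiene problem, not evidence of anything succeeding.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the same format as the /var/log/secure excerpt
# in the thread; the sources are TEST-NET addresses, not real hosts.
SAMPLE_LOG = """\
Sep 18 03:46:41 localhost sshd[9005]: Address 192.0.2.10 maps to host.example.invalid, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 18 03:46:41 localhost sshd[9005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Sep 18 03:46:43 localhost sshd[9005]: Failed password for root from 192.0.2.10 port 60604 ssh2
Sep 18 03:46:43 localhost sshd[9006]: Received disconnect from 192.0.2.10: 11: Bye Bye
Sep 18 03:47:12 localhost sshd[9007]: Failed password for root from 192.0.2.10 port 35961 ssh2
Sep 18 03:47:43 localhost sshd[9009]: Failed password for root from 192.0.2.10 port 39572 ssh2
Sep 18 03:48:14 localhost sshd[9011]: Failed password for invalid user admin from 192.0.2.10 port 43168 ssh2
Sep 18 03:50:02 localhost sshd[9020]: Failed password for alice from 198.51.100.7 port 50111 ssh2
Sep 18 03:50:30 localhost sshd[9021]: Accepted publickey for alice from 198.51.100.7 port 50112 ssh2
"""

# One 'Failed password' line; sshd writes 'invalid user' when the account
# does not exist, so that prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# sshd's reverse-DNS consistency warning (the 'POSSIBLE BREAK-IN ATTEMPT' line).
DNS_WARN_RE = re.compile(
    r"sshd\[\d+\]: Address (?P<ip>[\d.]+) maps to \S+, but this does not map back"
)


def parse_failures(text):
    """Yield (timestamp, user, source_ip) for every failed password attempt.

    Syslog timestamps carry no year, so strptime yields year 1900; that is
    fine for measuring gaps within one file but not across a year boundary.
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def failures_by_source(text):
    """Total failures and the set of usernames tried, per source address."""
    summary = defaultdict(lambda: {"total": 0, "users": set()})
    for _ts, user, ip in parse_failures(text):
        summary[ip]["total"] += 1
        summary[ip]["users"].add(user)
    return dict(summary)


def burst_sources(text, threshold=3, window_seconds=300):
    """Sources with >= threshold failures inside any window of window_seconds.

    This is the sliding-window rule fail2ban-style tools apply before banning
    a source: it flags a guessing campaign without counting the occasional
    typo from a legitimate user.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, _user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def dns_mismatch_sources(text):
    """Sources whose reverse DNS did not resolve back to the connecting address.

    The mismatch alone is a DNS problem on the client side, not proof of an
    attack, so it is reported separately rather than counted as a failure.
    """
    return {m.group("ip") for m in map(DNS_WARN_RE.search, text.splitlines()) if m}


if __name__ == "__main__":
    import sys
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    bursting = burst_sources(log)
    for ip, info in sorted(failures_by_source(log).items(), key=lambda kv: -kv[1]["total"]):
        tag = "BURST" if ip in bursting else "ok"
        print(f"{tag:5} {ip:15} failures={info['total']:<4} users={','.join(sorted(info['users']))}")
    for ip in sorted(dns_mismatch_sources(log)):
        print(f"note  {ip:15} reverse DNS does not match forward lookup")
```

Run it as `python3 sshfail.py /var/log/secure` (the script name is the example's own); with no argument it reports on the constructed sample. The report separates three things a reader of the raw log tends to merge: how many guesses came from a source, whether they arrived fast enough to be automated, and the reverse-DNS note that sshd prints regardless of whether any guess succeeded.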

you could set up rate limiting so after three failed attempts (or so) it disconnects, also deny root login via ssh, it's a bad idea

Quote:you could set up rate limiting so after three failed attempts (or so) it disconnects, also deny root login via ssh, it's a bad idea

Thanks I just disabled it :) Not quite sure how to use that script, have never used a script like that. Do I save it to a file and run it by using ./scriptname.sh ?

The other thing I might suggest is to disable logging in with a password altogether and set up a keypair for you to log in. This way, anyone who tries to connect to your SSH won't even be allowed to spend time guessing passwords -- if they don't have a valid keypair (which is much longer than a password, and completely random, so impractical to attempt a bruteforce), they get kicked out of the connection right away. You could take a look at this post. Perhaps another thing to think about. :)

I'd also advise moving SSH off port 22 and onto something else (I have used 2222, 10022, 22022, 54322 and 12322 in the past) - it's a simple change of the sshd_config file. This doesn't make SSH any more secure, it just moves it out of the default target that most brute-force attack utilities will attempt.

A second option is something that parses the logfiles and takes action when something suspicious is detected - I used PortSentry before (bound to port 22, so it was almost a honeypot, a fake SSH port) and now use Fail2Ban. As I recall, you were about to look into getting some IDS installed and running.

A last option is to use a firewall rule to lock down the port to a specific whitelisted range. I have done this with a couple of my servers (so as soon as I get onto one of them, I can hop to any other) but this *does* mean gaining access when "out in the field" can be somewhat tricky.

The first two combined is what I now use.

Oh, and one final point - DISABLE ROOT LOGIN OVER SSH!
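The settings recommended across these replies (no root login, key pairs instead of passwords, a low attempt limit, a non-default port) all live in sshd_config, and it is easy to believe a file has them when it does not. The following is an added example, not code from the thread or from OpenSSH: a small audit that reads an sshd_config fragment, works out the effective global value of each keyword, and reports what deviates from those recommendations. The two config fragments are constructed (one permissive, one hardened), and the function names and the "at most three tries" threshold are the example's own. It encodes two sshd_config rules that trip people up: keywords are case-insensitive, and when a keyword appears twice sshd keeps the first value, so a later line does not override an earlier one; directives after a Match line are conditional and are deliberately left out of the global view.

```python
import re

# Constructed sshd_config fragments: the first mirrors a permissive stock
# install, the second the settings recommended in the thread.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
Port 2222                     # not a security control, but off the default target
PermitRootLogin no            # log in as a normal user, then su/sudo
PubkeyAuthentication yes
PasswordAuthentication no     # key pairs only
MaxAuthTries 3                # drop the connection after three bad guesses
PermitRootLogin yes           # ignored: sshd keeps the FIRST value of a keyword

Match User backup             # conditional block: the audit stops here
    PasswordAuthentication yes
"""

# 'Keyword value' or 'Keyword=value', as sshd_config accepts both.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def effective_directives(text):
    """Global-section directives as {lowercase keyword: effective value}."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                     # everything below is conditional
            break
        seen.setdefault(key, value)            # first occurrence wins, as in sshd
    return seen


def audit_sshd_config(text, max_auth_tries=3):
    """Return (level, keyword, message) findings; an empty list means clean."""
    d = effective_directives(text)
    findings = []

    def want(key, expected, why):
        value = d.get(key)
        if value is None:
            findings.append(("WARN", key, f"not set; the default depends on the "
                             f"OpenSSH version, set '{expected}' explicitly ({why})"))
        elif value.lower() != expected:
            findings.append(("WARN", key, f"is '{value}', want '{expected}' ({why})"))

    want("permitrootlogin", "no", "root is the account every guesser tries first")
    want("passwordauthentication", "no", "key pairs cannot be guessed, passwords can")
    # PubkeyAuthentication defaults to yes, so only an explicit 'no' is a problem.
    if d.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append(("WARN", "pubkeyauthentication",
                         "is disabled, so key-only login is impossible"))

    tries = d.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > max_auth_tries:
        findings.append(("WARN", "maxauthtries",
                         f"is {tries or 'unset (sshd default 6)'}, want <= {max_auth_tries} "
                         "so a guesser is disconnected quickly"))

    if d.get("port", "22") == "22":
        findings.append(("NOTE", "port",
                         "22 is the default target of scanners; moving it only reduces noise"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for level, key, msg in audit_sshd_config(cfg) or [("OK", "-", "no findings")]:
            print(f"{level:4} {key:24} {msg}")
```

To check a live file, call `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; after editing, remember that sshd has to be restarted (or reloaded) before the new values take effect, and keep an existing session open while you test the new port and key login from a second one so a typo cannot lock you out.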

thanks for all the great advice :) I am going to be looking into IDS soon. Still getting mod_security figured out so it works with joomla. I got it installed and configured using the goroot.com wiki. I disabled root ssh login and I changed the ssh port. That will make me worry less, and sounds like a good idea working with a key pair or with whitelists. Will look into that after I get mod_security and IDS running.