inittux

I have something that kind of worries me


I found a log file that kind of worries me, it's not my website log file but /var/log/secure. Is this something to worry about? Looks like someone is trying to break in:

(and I got quite a few more IPs trying to do the same thing or something similar)


Sep 18 03:46:12 localhost sshd[9004]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:46:41 localhost sshd[9005]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:46:41 localhost sshd[9005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:46:43 localhost sshd[9005]: Failed password for root from 96.44.148.170 port 60604 ssh2

Sep 18 03:46:43 localhost sshd[9006]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:47:11 localhost sshd[9007]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:47:11 localhost sshd[9007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:47:12 localhost sshd[9007]: Failed password for root from 96.44.148.170 port 35961 ssh2

Sep 18 03:47:12 localhost sshd[9008]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:47:41 localhost sshd[9009]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:47:41 localhost sshd[9009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:47:43 localhost sshd[9009]: Failed password for root from 96.44.148.170 port 39572 ssh2

Sep 18 03:47:43 localhost sshd[9010]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:48:12 localhost sshd[9011]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:48:12 localhost sshd[9011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:48:14 localhost sshd[9011]: Failed password for root from 96.44.148.170 port 43168 ssh2

Sep 18 03:48:14 localhost sshd[9012]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:48:42 localhost sshd[9013]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:48:42 localhost sshd[9013]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:48:44 localhost sshd[9013]: Failed password for root from 96.44.148.170 port 46797 ssh2

Sep 18 03:48:44 localhost sshd[9014]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:49:13 localhost sshd[9015]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:49:13 localhost sshd[9015]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:49:14 localhost sshd[9015]: Failed password for root from 96.44.148.170 port 50417 ssh2

Sep 18 03:49:15 localhost sshd[9016]: Received disconnect from 96.44.148.170: 11: Bye Bye

Sep 18 03:49:44 localhost sshd[9017]: Address 96.44.148.170 maps to 96.44.148.170.static.quadranet.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Sep 18 03:49:44 localhost sshd[9017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root

Sep 18 03:49:46 localhost sshd[9017]: Failed password for root from 96.44.148.170 port 54091 ssh2

Sep 18 03:49:46 localhost sshd[9018]: Received disconnect from 96.44.148.170: 11: Bye Bye


you could set up rate limiting so after three failed attempts (or so) it disconnects, also deny root login via ssh, it's a bad idea
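The original poster asks whether the /var/log/secure lines are something to worry about, and the reply above suggests cutting a source off after three failed attempts. The following is an added example, not code posted in the thread, of the detection logic behind that advice: it parses a `/var/log/secure` excerpt and flags any source address with three or more failed logins inside a ten-minute window, which is the same maxretry/findtime rule tools such as Fail2Ban apply. The sample log embeds the 96.44.148.170 lines from the post plus two constructed lines (an "invalid user" attempt from the documentation address 198.51.100.7 and a successful key login that must not be counted); the year, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the /var/log/secure excerpt in the thread:
# the 96.44.148.170 "Failed password" lines from the post, one constructed
# "invalid user" attempt from 198.51.100.7 (a documentation address) and one
# constructed successful key login, which must not be counted as a failure.
SAMPLE_LOG = """\
Sep 18 03:46:41 localhost sshd[9005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=96.44.148.170 user=root
Sep 18 03:46:43 localhost sshd[9005]: Failed password for root from 96.44.148.170 port 60604 ssh2
Sep 18 03:47:12 localhost sshd[9007]: Failed password for root from 96.44.148.170 port 35961 ssh2
Sep 18 03:47:43 localhost sshd[9009]: Failed password for root from 96.44.148.170 port 39572 ssh2
Sep 18 03:48:14 localhost sshd[9011]: Failed password for root from 96.44.148.170 port 43168 ssh2
Sep 18 03:48:44 localhost sshd[9013]: Failed password for root from 96.44.148.170 port 46797 ssh2
Sep 18 03:49:14 localhost sshd[9015]: Failed password for root from 96.44.148.170 port 50417 ssh2
Sep 18 03:49:46 localhost sshd[9017]: Failed password for root from 96.44.148.170 port 54091 ssh2
Sep 18 04:02:09 localhost sshd[9031]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Sep 18 04:15:30 localhost sshd[9044]: Accepted publickey for deploy from 203.0.113.5 port 41022 ssh2
"""

# sshd writes one "Failed password" line per attempt; the pam_unix line that
# precedes it records the same attempt, so only this pattern is counted.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(text, year=2012):
    """Return (timestamp, user, source_ip, source_port) per failed attempt.

    Syslog timestamps carry no year, so the caller supplies one (assumed
    here: the excerpt comes from a single year).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], int(m["port"])))
    return events


def find_bruteforce(events, max_attempts=3, window_seconds=600):
    """Flag source IPs with >= max_attempts failures inside any window.

    Thresholds are assumptions: "three attempts" follows the reply above,
    the ten-minute window is a typical Fail2Ban-style findtime.
    """
    per_ip = defaultdict(list)
    for ts, user, ip, _port in events:
        per_ip[ip].append((ts, user))
    offenders = {}
    window = timedelta(seconds=window_seconds)
    for ip, attempts in per_ip.items():
        attempts.sort()
        stamps = [ts for ts, _ in attempts]
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= window)
            if in_window >= max_attempts:
                offenders[ip] = {
                    "attempts": len(stamps),
                    "users": sorted({user for _, user in attempts}),
                    "first": stamps[0].isoformat(sep=" "),
                    "last": stamps[-1].isoformat(sep=" "),
                }
                break
    return offenders


def report(text, **kwargs):
    """Parse a /var/log/secure excerpt, print the offenders and return them."""
    offenders = find_bruteforce(parse_failed_logins(text), **kwargs)
    for ip, info in sorted(offenders.items()):
        print(f"{ip}: {info['attempts']} failed logins as "
              f"{','.join(info['users'])} between {info['first']} "
              f"and {info['last']}")
    return offenders


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against the excerpt, only 96.44.148.170 is flagged (seven failures in about three minutes, all against root); the single "admin" attempt stays below the threshold. Counting only the `Failed password` line avoids double-counting the `pam_unix` line for the same attempt, and the `Accepted` line is ignored because it is not a failure.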


you could set up rate limiting so after three failed attempts (or so) it disconnects, also deny root login via ssh, it's a bad idea


Thanks, I just disabled it :) Not quite sure how to use that script, have never used a script like that. Do I save it to a file and run it by using ./scriptname.sh ?


The other thing I might suggest is to disable logging in with a password altogether and set up a keypair for you to log in. This way, anyone who tries to connect to your SSH won't even be allowed to spend time guessing passwords -- if they don't have a valid keypair (which is much longer than a password, and completely random, so impractical to attempt a brute force), they get kicked out of the connection right away. You could take a look at this post. Perhaps another thing to think about. :)


I'd also advise moving SSH off port 22 and onto something else (I have used 2222, 10022, 22022, 54322 and 12322 in the past) - it's a simple change of the sshd_config file. This doesn't make SSH any more secure, but just moves it out of the default target that most brute-force attack utilities will attempt.


A second option is something that parses the logfiles and takes action when something suspicious is detected - I used PortSentry before (bound to port 22, so almost a honeypot: a fake SSH port) and now use Fail2Ban. As I recall, you were about to look into getting some IDS installed and running.


A last option is to use a firewall rule to lock down the port to a specific whitelisted range. I have done this with a couple of my servers (so as soon as I get onto one of them, I can hop to any other) but this *does* mean gaining access when "out in the field" can be somewhat tricky.


The first two combined are what I now use.


Oh, and one final point - DISABLE ROOT LOGIN OVER SSH!
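The two replies above between them describe the sshd_config changes worth making: key-only login instead of passwords, root login disabled, SSH moved off port 22, and a cap on failed attempts. The following is an added example, not code from any poster in the thread, of a small audit that reads an sshd_config and reports which of those settings are still at their weak value; a constructed "stock" config is shown beside a hardened one. The port 22022 comes from the list in the reply above; the check list, the `MaxAuthTries 3` cap and the function names are assumptions. The audit also covers `ChallengeResponseAuthentication`, which the posts do not mention but which must be `no` as well, since keyboard-interactive authentication through PAM can still prompt for a password after `PasswordAuthentication no`.

```python
import re

# Constructed sshd_config fragments (not the thread's files). WEAK_CONFIG
# mirrors the stock values the posts warn about; HARDENED_CONFIG applies the
# advice given above: no root login, key-only authentication, a non-default
# port (22022 is one of the ports mentioned in the thread) and a low retry cap.
WEAK_CONFIG = """\
# stock settings
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6

Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22022
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
"""

# (directive, predicate the effective value must satisfy, recommended value, why)
CHECKS = [
    ("Port", lambda v: v != "22", "a non-default port",
     "22 is the default target of brute-force tools"),
    ("PermitRootLogin", lambda v: v == "no", "no",
     "the log shows every attempt going after root"),
    ("PasswordAuthentication", lambda v: v == "no", "no",
     "key-only login leaves nothing to guess"),
    ("ChallengeResponseAuthentication", lambda v: v == "no", "no",
     "keyboard-interactive via PAM can still prompt for a password"),
    ("PubkeyAuthentication", lambda v: v == "yes", "yes",
     "required once passwords are disabled"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 3, "3",
     "sshd drops the connection after this many failed attempts"),
]


def parse_sshd_config(text):
    """Effective global directives, keys lowercased.

    Mirrors two sshd rules: the first occurrence of a directive wins, and
    directives inside a Match block apply only conditionally, so parsing
    stops at the first Match line. Keys and values may be separated by
    whitespace or '='.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text):
    """Return (directive, current, recommended, reason) per failing check.

    Unset directives are reported too, so the file states its intent
    explicitly instead of relying on a distribution default. An empty list
    means every check passed.
    """
    cfg = parse_sshd_config(text)
    findings = []
    for directive, ok, recommended, reason in CHECKS:
        current = cfg.get(directive.lower())
        if current is None or not ok(current.lower()):
            shown = "<unset>" if current is None else current
            findings.append((directive, shown, recommended, reason))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(text)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, current, recommended, reason in findings:
            print(f"  {directive} is {current}, recommend {recommended}: {reason}")
```

The weak file yields five findings and the hardened one none; note that the `PasswordAuthentication no` inside the `Match` block of the weak file does not rescue it, because it only applies to connections from 10.0.0.0/8. After editing the real file, `sshd -t` checks the syntax before a restart, and keeping the current session open while reconnecting on the new port avoids locking yourself out, which is the practical risk of the port change and firewall whitelist the reply above mentions.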


thanks for all the great advice :) I am going to be looking into IDS soon. Still getting mod_security figured out so it works with Joomla. I got it installed and configured using the goroot.com wiki. I disabled root ssh login and I changed the ssh port. That will make me worry less, and it sounds like a good idea working with a key pair or with whitelists. Will look into that after I get mod_security and IDS running.
