What to do with a constant flow of attempts to log in to my computer?
Aaron Komisar
aaronk at breakt.co.il
Sun Jan 3 17:38:02 IST 2010
Fail2ban scans log files and bans IP addresses that make too many password
failures. It updates firewall rules to reject the IP address.
See: http://www.fail2ban.org/wiki/index.php/Main_Page
Aaron
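The rule Aaron describes (count password failures per source address in a log, ban the address once it crosses a threshold) as an added example. This is not fail2ban's own code and not from the list; it is a reduced model of fail2ban's maxretry/findtime logic written in Python over the auth.log excerpt quoted further down in the thread. The sample log is constructed from that excerpt (one record per line) plus two invented lines for a user "alice" on 10.0.0.5; the year 2010 is an assumption, since syslog timestamps carry none; the iptables rules are rendered as strings and never executed.

```python
"""Fail2ban-style detection over sshd "Failed password" lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the auth.log excerpt from Gabor's message, one record per
# line, plus two made-up lines for a legitimate user "alice" on 10.0.0.5 so that a
# source with a single mistyped password is visibly NOT banned.
SAMPLE_AUTH_LOG = """\
Jan 3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
Jan 3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
Jan 3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
Jan 3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
Jan 3 06:31:49 s6 sshd[22781]: Invalid user appserver from 202.138.142.216
Jan 3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
Jan 3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2
Jan 3 06:40:00 s6 sshd[22900]: Failed password for alice from 10.0.0.5 port 50000 ssh2
Jan 3 06:40:05 s6 sshd[22901]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
"""

# Only the line sshd writes after a rejected password is counted. The "Invalid user"
# and pam_unix lines belong to the same attempt, so counting them too would make one
# guess count three times.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(log_text, year=2010):
    """Yield (timestamp, ip, user) for each failed-password record.

    syslog timestamps carry no year, so the caller supplies one (2010 assumed here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space syslog uses for days < 10
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bruteforcers(log_text, maxretry=3, findtime=600, year=2010):
    """Return {ip: (time_of_ban, failures_in_window)} for every source address that
    produced at least `maxretry` failures inside some `findtime`-second window.
    This is the rule fail2ban expresses with its maxretry and findtime settings."""
    events = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text, year):
        events[ip].append(ts)

    banned = {}
    window = timedelta(seconds=findtime)
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward so it spans only the last findtime seconds.
            while t - times[start] > window:
                start += 1
            in_window = end - start + 1
            if in_window >= maxretry:
                banned[ip] = (t.strftime("%Y-%m-%d %H:%M:%S"), in_window)
                break  # first crossing is the ban time; later failures change nothing
    return banned


def ban_commands(banned, chain="INPUT"):
    """Render the firewall rule a fail2ban-style action would insert for each banned
    address. Returned as strings, not executed, so the result can be reviewed."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_AUTH_LOG)
    for ip, (when, n) in hits.items():
        print(f"{ip}: {n} failures within the window, ban at {when}")
    print("\n".join(ban_commands(hits)))
```

With the defaults above, 202.138.142.216 crosses the threshold on its third failure at 06:31:52 and 10.0.0.5, with one failure followed by a successful login, is left alone. Real fail2ban also expires bans after a bantime and ships its own tested regexes for many sshd message variants; this model covers only the one line format shown in the thread.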
-----Original Message-----
From: Boaz Rymland [mailto:boaz at rymland.com]
Sent: Sunday, January 03, 2010 5:09 PM
To: linux-il
Subject: Re: What to do with a constant flow of attempts to log in to my computer?
To add my list:
* verify there are as few users as possible on the machine. Unused user?
Either purge or disable (login shell set to /bin/false or the like; home
dir set to /not/here).
* verify users on the machine do not have easy-to-guess passwords.
* indeed move sshd to listen on a NON-default port
* shut down and remove any unneeded software/services, including and
specifically any web applications that are not used.
* keep your installed applications updated and keep an eye on software
updates. I once had an unsuccessful break-in attempt that was trying to
exploit some bug in a webmail application that was not used. The bug was
two weeks old at the time. Both of the break-in cases I described were on
my 24/7 home machine I had running for years (but not anymore), not some
high traffic IP address, so this is rather common these days.
Boaz.
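Boaz's first three items are checks you can script rather than assume. The audit below is an added example in Python, not code from the list or from any project: it flags accounts that can actually log in (interactive shell and a usable password hash) but are not on an allowlist, flags empty password fields, and reads an sshd_config the way sshd does (first occurrence of a keyword wins) to report the default port, root login and password authentication. The /etc/passwd, /etc/shadow and sshd_config fragments are constructed samples with placeholder hashes, and the defaults assumed for unset sshd options are the old OpenSSH ones (Port 22, PermitRootLogin yes, PasswordAuthentication yes).

```python
"""Account and sshd_config audit for the checklist above (added example)."""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}

# Constructed samples, not from any real machine; hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
test:x:1001:1001:test user:/home/test:/bin/bash
guest:x:1002:1002:guest:/home/guest:/bin/sh
oldsvc:x:1003:1003:retired service:/not/here:/bin/false
"""

SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$HASH:14600:0:99999:7:::
daemon:*:14600:0:99999:7:::
www-data:*:14600:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:14600:0:99999:7:::
test:$6$PLACEHOLDER$HASH:14600:0:99999:7:::
guest::14600:0:99999:7:::
oldsvc:!$6$PLACEHOLDER$HASH:14600:0:99999:7:::
"""

# Constructed fragments: the weak setup described in the thread, and a hardened one.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
"""

# Assumed old OpenSSH defaults, used for keywords the file leaves unset.
SSHD_DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes"}


def parse_colon_file(text):
    """Map the first field of each non-empty line to the remaining fields."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *fields = line.split(":")
        rows[name] = fields
    return rows


def audit_accounts(passwd_text, shadow_text, expected_users):
    """Return sorted (user, reason) findings.

    A locked hash ("!" or "*" prefix) or a non-login shell means the account cannot
    log in with a password, so only the combination of an interactive shell AND a
    usable hash is reported. An empty shadow field means no password at all."""
    shells = {u: f[5] for u, f in parse_colon_file(passwd_text).items()}
    hashes = {u: f[0] for u, f in parse_colon_file(shadow_text).items()}
    findings = []
    for user, shell in shells.items():
        pw = hashes.get(user, "")
        if pw == "":
            findings.append((user, "empty password field in shadow"))
            continue
        locked = pw.startswith(("!", "*"))
        if shell not in NOLOGIN_SHELLS and not locked and user not in expected_users:
            findings.append((user, f"unexpected login-capable account (shell {shell})"))
    return sorted(findings)


def parse_sshd_config(text):
    """Keyword -> value, keeping the first occurrence as sshd itself does."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def audit_sshd_config(text):
    """Return a list of human-readable findings for the three settings checked here."""
    opts = {**SSHD_DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if opts["port"] == "22":
        findings.append("Port 22: sshd listens on the default port every scanner tries first")
    if opts["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can be reached directly with a password")
    if opts["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: a guessable password is enough; prefer keys")
    return findings


if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, {"root", "alice"}):
        print(f"account {user}: {reason}")
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"sshd_config: {finding}")
```

On the samples, the account audit reports exactly the two accounts a "don't presume anything" check should catch: "test" (the kind of leftover user in Boaz's story) and "guest" (no password at all), while the locked system accounts and the retired service with /bin/false and a /not/here home are correctly ignored. The weak sshd_config produces three findings; the hardened one produces none. On a real host, feed the functions the contents of /etc/passwd, /etc/shadow and /etc/ssh/sshd_config.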
On Sun, 03 Jan 2010 09:51:05 -0500, Boaz Rymland <boaz at rymland.com> wrote:
> This is so common these days I heard years ago people filtering out such
> messages.
>
> Just check your machine carefully - I once had a break-in that was caused
> by a stupid chain of mistakes: I switched sshd to listen on its default
> port (22) for some time (instead of some arbitrary port as it used to
> be) + router forwarded 22 connections to the linux machine (as needed for
> SSH to work) + yes, there was a little issue of a test user I once created,
> named "test" with password "test"... . Voilà! a robot sounded the "bingo!"
> alarm somewhere... . I had to reinstall my machine (which wasn't that bad,
> but still...).
>
> Lesson? Carefully check your machine's "entry points" and as much as you
> can - try not to assume things to be in certain status before checking that
> (like, "I don't have stupid test users on machines" - check your configured
> users) as that can fail you. In other words - don't presume anything. Check
> it, to evaluate your status.
>
> Boaz.
>
> On Sun, 3 Jan 2010 16:34:29 +0200, Gabor Szabo <szabgab at gmail.com> wrote:
>> I just noticed someone bombarding my machine trying to login via ssh.
>> From auth.log:
>>
>> Jan 3 06:31:48 s6 sshd[22774]: Failed password for invalid user amavisd from 202.138.142.216 port 35172 ssh2
>> Jan 3 06:31:48 s6 sshd[22773]: Failed password for invalid user clamav from 202.138.142.216 port 39941 ssh2
>> Jan 3 06:31:49 s6 sshd[22780]: Invalid user clamav from 202.138.142.216
>> Jan 3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): check pass; user unknown
>> Jan 3 06:31:49 s6 sshd[22780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
>> Jan 3 06:31:49 s6 sshd[22781]: Invalid user appserver from 202.138.142.216
>> Jan 3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): check pass; user unknown
>> Jan 3 06:31:49 s6 sshd[22781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.138.142.216
>> Jan 3 06:31:52 s6 sshd[22780]: Failed password for invalid user clamav from 202.138.142.216 port 35699 ssh2
>> Jan 3 06:31:52 s6 sshd[22781]: Failed password for invalid user appserver from 202.138.142.216 port 40470 ssh2
>>
>>
>> So what is your suggestion? What to do with it?
>>
>> Gabor
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il at cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>