SSHD brute force attacks ?

  • s9ann0
    Confirmed User
    • Sep 2001
    • 4873

    #1

    SSHD brute force attacks ?

    I seem to be seeing a lot of attempts at brute forcing SSHD on my servers:

    May 26 09:01:47 hooker sshd[68152]: Failed password for illegal user httpd from 65.205.238.12 port 43865 ssh2
    May 26 09:01:47 hooker sshd[68154]: Illegal user arun from 65.205.238.12
    May 26 09:01:47 hooker sshd[68154]: Failed password for illegal user arun from 65.205.238.12 port 43911 ssh2
    May 26 09:01:47 hooker sshd[68136]: Illegal user chris from 80.122.129.122
    May 26 09:01:48 hooker sshd[68136]: Failed password for illegal user chris from 80.122.129.122 port 24320 ssh2
    May 26 09:01:48 hooker sshd[68155]: Illegal user bill from 65.205.238.12
    May 26 09:01:48 hooker sshd[68155]: Failed password for illegal user bill from 65.205.238.12 port 43936 ssh2
    May 26 09:01:48 hooker sshd[68159]: Illegal user dave from 65.205.238.12

    anyone else seeing this or is someone on my case?
  • pstation
    Confirmed User
    • Jul 2003
    • 1135

    #2
    nothing unusual


    • kenny
      Confirmed User
      • Mar 2002
      • 7245

      #3
      people are always trying to brute force something

      • fris
        Too lazy to set a custom title
        • Aug 2002
        • 55679

        #4
        hah i get them all the time on my server, same with ftp. make sure you have most current up to date ssh, or you are asking for trouble

          • drjones
            Confirmed User
            • Oct 2005
            • 908

            #6
            You can use a program like portsentry, which can be configured to automatically lock out brute force attackers, portscans etc.

            • directfiesta
              Too lazy to set a custom title
              • Oct 2002
              • 30135

              #7
              yesterday was quiet on one of my boxes:

              sshd:
              Invalid Users:
              Unknown Account: 13762 Time(s)

              • BradM
                Confirmed User
                • Dec 2003
                • 3397

                #8
                I always change the default ssh port, and lock down the server with a firewall. If you have X, try "firestarter" for linux.

                It's very common, but it's super simple to stop.


                • ServerGenius
                  Confirmed User
                  • Feb 2002
                  • 9377

                  #9
                  add this to your iptables firewall

                  It will block the sshd port if an ip attempts more than 3 times per minute
                  to login with a bad password.

                  -N ssh_brute
                  -A ssh_brute -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
                  -A ssh_brute -p TCP --syn -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
                  -A ssh_brute -p TCP -j LOG --log-level "WARN" --log-prefix [DROP:RATE_LIMIT]
                  -A ssh_brute -p TCP -j REJECT
                  -I INPUT -p TCP -s 0/0 --dport 22 -j ssh_brute

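Added example, not part of the original thread or of any poster's code: the per-address check described in the reply above ("more than 3 times per minute ... with a bad password"), run over the sshd log itself with a sliding 60-second window. The log lines are constructed in the format quoted in the first post, using documentation-range addresses; the host name, function name, threshold default and the year passed to the timestamp parser are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Failed password" line for valid, "illegal" (old) or "invalid" (new) users.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+")

def find_brute_force(lines, max_failures=3, window=timedelta(seconds=60),
                     year=2000):
    """Map each source that exceeds max_failures failed passwords within
    one sliding window to the set of usernames it tried."""
    recent = defaultdict(deque)  # source -> failure times inside the window
    users = defaultdict(set)     # source -> usernames tried
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:  # skips "Illegal user ..." lines, which repeat the attempt
            continue
        stamp, user, src = m.groups()
        # syslog omits the year; an assumed one (parameter) is supplied
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        times = recent[src]
        times.append(when)
        while when - times[0] > window:  # expire failures older than window
            times.popleft()
        users[src].add(user)
        if len(times) > max_failures:
            flagged[src] = users[src]
    return flagged

# Constructed sample (documentation-range addresses, hypothetical host name).
SAMPLE = """\
May 26 09:01:47 host sshd[101]: Failed password for illegal user httpd from 192.0.2.10 port 43865 ssh2
May 26 09:01:47 host sshd[102]: Illegal user arun from 192.0.2.10
May 26 09:01:47 host sshd[102]: Failed password for illegal user arun from 192.0.2.10 port 43911 ssh2
May 26 09:01:48 host sshd[103]: Illegal user chris from 198.51.100.7
May 26 09:01:48 host sshd[103]: Failed password for illegal user chris from 198.51.100.7 port 24320 ssh2
May 26 09:01:48 host sshd[104]: Failed password for illegal user bill from 192.0.2.10 port 43936 ssh2
May 26 09:01:49 host sshd[105]: Failed password for illegal user dave from 192.0.2.10 port 43960 ssh2
May 26 09:05:00 host sshd[106]: Failed password for root from 203.0.113.5 port 50122 ssh2
May 26 09:05:50 host sshd[107]: Failed password for root from 203.0.113.5 port 50140 ssh2
May 26 09:07:10 host sshd[108]: Failed password for root from 203.0.113.5 port 50177 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, tried in find_brute_force(SAMPLE).items():
        print(src, sorted(tried))
```

Counting per source address matters here: the iptables `limit` match keeps a single token bucket per rule that all sources share, whereas this check isolates each address, so the three spaced-out root failures in the sample are not flagged.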

                  • babsy
                    Confirmed User
                    • Mar 2006
                    • 282

                    #10
                    There's a commonly run SSH brute force program available, it's retardedly simple, it just has a mass of usernames / passwords and it tries them all in succession. Best way to avoid any problems is to use decent passwords. SSH as a protocol is pretty damn solid, so long as you're not still using v1 (which is quite unlikely).


                    • ServerGenius
                      Confirmed User
                      • Feb 2002
                      • 9377

                      #11
                      of course the best way is to restrict sshd, ftpd and such to ip addresses.
                      but this requires a static ip address. If you want to access your machine from
                      different locations (traveling) use 1 server/computer with VPN as trusted host.


                      • mrkris
                        Confirmed User
                        • May 2005
                        • 2737

                        #12
                        I've had 1,200 brute force attacks on sshd on my server in the past week from the same IP. Korean based.


                        • fris
                          Too lazy to set a custom title
                          • Aug 2002
                          • 55679

                          #13
                          Originally posted by ServerGenius
                          of course the best way is to restrict sshd, ftpd and such to ip addresses.
                          but this requires a static ip address. If you want to access your machine from
                          different locations (traveling) use 1 server/computer with VPN as trusted host.

                          you can just mask a whole hostname, i just allow it from my dsl provider which is a fairly unused provider where i am.