GoFuckYourself.com - Adult Webmaster Forum

s9ann0 05-26-2006 07:58 AM

SSHD brute force attacks ?
 
I seem to be seeing a lot of attempts at brute forcing SSHD on my servers:

May 26 09:01:47 hooker sshd[68152]: Failed password for illegal user httpd from 65.205.238.12 port 43865 ssh2
May 26 09:01:47 hooker sshd[68154]: Illegal user arun from 65.205.238.12
May 26 09:01:47 hooker sshd[68154]: Failed password for illegal user arun from 65.205.238.12 port 43911 ssh2
May 26 09:01:47 hooker sshd[68136]: Illegal user chris from 80.122.129.122
May 26 09:01:48 hooker sshd[68136]: Failed password for illegal user chris from 80.122.129.122 port 24320 ssh2
May 26 09:01:48 hooker sshd[68155]: Illegal user bill from 65.205.238.12
May 26 09:01:48 hooker sshd[68155]: Failed password for illegal user bill from 65.205.238.12 port 43936 ssh2
May 26 09:01:48 hooker sshd[68159]: Illegal user dave from 65.205.238.12

anyone else seeing this or is someone on my case?

pstation 05-26-2006 08:01 AM

nothing unusual

kenny 05-26-2006 08:09 AM

people are always trying to brute force something

fris 05-26-2006 08:10 AM

hah i get them all the time on my server, same with ftp. make sure you have most current up to date ssh, or you are asking for trouble

drjones 05-26-2006 08:19 AM

You can use a program like portsentry, which can be configured to automatically lock out brute force attackers, portscans etc.

directfiesta 05-26-2006 08:56 AM

yesterday was quiet on one of my boxes:

sshd:
Invalid Users:
Unknown Account: 13762 Time(s)

BradM 05-26-2006 09:00 AM

I always change the default ssh port, and lock down the server with a firewall. If you have X, try "firestarter" for linux.

It's very common, but it's super simple to stop.

ServerGenius 05-26-2006 09:08 AM

add this to your iptables firewall

It will block the sshd port if an ip attempts more than 3 times per minute
to login with a bad password.

-N ssh_brute
-A ssh_brute -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A ssh_brute -p TCP --syn -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
-A ssh_brute -p TCP -j LOG --log-level "WARN" --log-prefix [DROP:RATE_LIMIT]
-A ssh_brute -p TCP -j REJECT
-I INPUT -p TCP -s 0/0 --dport 22 -j ssh_brute

:thumbsup
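
The threshold stated above (more than 3 attempts per minute from one address), applied to sshd log lines in the format shown in the first post. This is an added example, not part of any poster's message: the names parse, offenders and SAMPLE are hypothetical, the sample lines are constructed, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Failed password" lines as in the first post; newer OpenSSH says "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+"
)

def parse(line, year=2006):
    """Return (timestamp, user, source) for a failed login, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def offenders(lines, limit=3, window=timedelta(minutes=1)):
    """Map source address -> time it first exceeded `limit` failures in `window`."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    flagged = {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ts, _user, src = hit
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:   # drop failures older than the window
            q.popleft()
        if len(q) > limit and src not in flagged:
            flagged[src] = ts
    return flagged

# Constructed sample in the thread's log format (RFC 5737 documentation addresses).
SAMPLE = """\
May 26 09:01:47 host sshd[101]: Failed password for illegal user httpd from 203.0.113.7 port 43865 ssh2
May 26 09:01:47 host sshd[102]: Illegal user arun from 203.0.113.7
May 26 09:01:47 host sshd[102]: Failed password for illegal user arun from 203.0.113.7 port 43911 ssh2
May 26 09:01:48 host sshd[103]: Failed password for illegal user chris from 198.51.100.9 port 24320 ssh2
May 26 09:01:48 host sshd[104]: Failed password for illegal user bill from 203.0.113.7 port 43936 ssh2
May 26 09:01:50 host sshd[105]: Failed password for root from 203.0.113.7 port 43950 ssh2
May 26 09:05:10 host sshd[106]: Failed password for invalid user test from 198.51.100.9 port 24388 ssh2
""".splitlines()
if __name__ == "__main__":
    for src, when in offenders(SAMPLE).items():
        print(f"{src} exceeded 3 failures/minute at {when:%b %d %H:%M:%S}")
```

The tally is kept per source address, so one noisy address does not count against the others, and failures older than the window stop counting.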

babsy 05-26-2006 09:16 AM

There's a commonly run SSH brute force program available, it's retardedly simple, it just has a mass of usernames / passwords and it tries them all in succession. Best way to avoid any problems is to use decent passwords. SSH as a protocol is pretty damn solid, so long as you're not still using v1 (which is quite unlikely).

ServerGenius 05-26-2006 09:55 AM

of course the best way is to restrict sshd, ftpd and such to ip addresses.
but this requires a static ip address. If you want to access your machine from
different locations (traveling) use 1 server/computer with VPN as trusted host.

:2 cents:

mrkris 05-26-2006 10:01 AM

I've had 1,200 brute force attacks on sshd on my server in the past week from the same IP. Korean based.

fris 05-27-2006 09:22 AM

Quote:

Originally Posted by ServerGenius
of course the best way is to restrict sshd, ftpd and such to ip addresses.
but this requires a static ip address. If you want to access your machine from
different locations (traveling) use 1 server/computer with VPN as trusted host.

:2 cents:

you can just mask a whole hostname, i just allow it from my dsl provider which is a fairly unused provider where i am.


All times are GMT -7.