Re: Possible hack attempt?



On Sunday 04 Dec 2005 08:55, Daniel L. Miller wrote:
> I just happened, for GP, to check my auth.log file on my firewall.  I
> found a lengthy listing that appears to be a dictionary attack against
> me.  Can someone tell me what I'm dealing with here?
>
> My firewall is Debian GNU/Linux 2.6 SID, with a firehol generated
> iptables firewall, OpenVPN, and sshd.  I'm connecting to the VPN from
> remote sites via Windows clients running OpenVPN and PuTTY.

If your users have fixed IP addresses, get them to generate public/private 
keys (puttygen or somesuch), put the public keys on the firewall in their 
home dirs, e.g. /home/user/.ssh/authorized_keys. See man ssh-keygen for details 
on how to convert the pubkeys to OpenSSH format.

Then you can switch off passwords altogether.

If that is not possible then you can investigate connection rate limiting on 
the firewall. Make sure that you declare a rule allowing admin (yourself and 
anyone else with a fixed IP put in the rule) *before* any rate limiting rule 
for port 22. It acts a bit like a tarpit, and I have seen that reduce 
attempts from 5-6 a day to 3-4 per week.

Finally, you can put the attackers' IPs into /etc/hosts.deny, but this might be 
unsatisfactory as they are almost certainly using dynamic IPs and you will 
have to parse your logs frequently.

>
> auth.log:
> <snip>
> Dec  4 00:49:53 foxy sshd[28704]: Illegal user amber from ::ffff:83.245.39.2
> Dec  4 00:49:53 foxy sshd[28704]: error: Could not get shadow information for NOUSER
> Dec  4 00:49:53 foxy sshd[28704]: Failed password for illegal user amber from ::ffff:83.245.39.2 port 48875 ssh2
> Dec  4 00:49:54 foxy sshd[28706]: Illegal user amber from ::ffff:83.245.39.2
> Dec  4 00:49:54 foxy sshd[28706]: error: Could not get shadow information for NOUSER
> Dec  4 00:49:54 foxy sshd[28706]: Failed password for illegal user amber from ::ffff:83.245.39.2 port 48923 ssh2
> Dec  4 00:49:56 foxy sshd[28708]: Illegal user amy from ::ffff:83.245.39.2
> Dec  4 00:49:56 foxy sshd[28708]: error: Could not get shadow information for NOUSER
> Dec  4 00:49:56 foxy sshd[28708]: Failed password for illegal user amy from ::ffff:83.245.39.2 port 48977 ssh2
> Dec  4 00:49:57 foxy sshd[28710]: Illegal user amy from ::ffff:83.245.39.2
> Dec  4 00:49:57 foxy sshd[28710]: error: Could not get shadow information for NOUSER
> Dec  4 00:49:57 foxy sshd[28710]: Failed password for illegal user amy from ::ffff:83.245.39.2 port 49029 ssh2
> Dec  4 00:49:59 foxy sshd[28713]: Illegal user anastacia from ::ffff:83.245.39.2
> Dec  4 00:49:59 foxy sshd[28713]: error: Could not get shadow information for NOUSER
> Dec  4 00:49:59 foxy sshd[28713]: Failed password for illegal user anastacia from ::ffff:83.245.39.2 port 49086 ssh2
> Dec  4 00:50:00 foxy sshd[28715]: Illegal user anastacia from ::ffff:83.245.39.2
> Dec  4 00:50:00 foxy sshd[28715]: error: Could not get shadow information for NOUSER
> Dec  4 00:50:00 foxy sshd[28715]: Failed password for illegal user anastacia from ::ffff:83.245.39.2 port 49138 ssh2
> <snip>
>
> Daniel

-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
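The reply suggests parsing the logs to see which sources are hammering sshd. Below is an added example, not from this thread or its authors, that reads auth.log lines in the format quoted above, strips the ::ffff: IPv4-mapped prefix, counts failed password attempts per source, and flags sources over a threshold; the sample lines, the threshold of 5 and the admin address 192.0.2.10 are constructed.

```python
"""Count sshd password failures per source IP (added example; sample constructed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# sshd writes one "Failed password" line per attempt; older releases say
# "illegal user", newer ones "invalid user", so accept both.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def normalise_ip(ip):
    """Dual-stack sshd logs IPv4 peers as ::ffff:a.b.c.d; strip the prefix."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def summarise(lines, threshold=5):
    """Return {ip: {"attempts", "users", "span_s", "flagged"}} for failed logins."""
    attempts, users, times = Counter(), defaultdict(set), defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # skip "Illegal user" and "Could not get shadow" lines
        ip = normalise_ip(m.group("ip"))
        attempts[ip] += 1
        users[ip].add(m.group("user"))
        # syslog timestamps carry no year; deltas within one file still work
        times[ip].append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    return {ip: {"attempts": n,
                 "users": sorted(users[ip]),
                 "span_s": int((max(times[ip]) - min(times[ip])).total_seconds()),
                 "flagged": n >= threshold}
            for ip, n in attempts.items()}

# Constructed sample modelled on the thread's excerpt, plus one legitimate typo
# from an admin address (192.0.2.10 is a documentation range, not a real host).
SAMPLE = """\
Dec  4 00:49:53 foxy sshd[28704]: Failed password for illegal user amber from ::ffff:83.245.39.2 port 48875 ssh2
Dec  4 00:49:54 foxy sshd[28706]: Failed password for illegal user amber from ::ffff:83.245.39.2 port 48923 ssh2
Dec  4 00:49:56 foxy sshd[28708]: Failed password for illegal user amy from ::ffff:83.245.39.2 port 48977 ssh2
Dec  4 00:49:57 foxy sshd[28710]: Failed password for illegal user amy from ::ffff:83.245.39.2 port 49029 ssh2
Dec  4 00:49:59 foxy sshd[28713]: Failed password for illegal user anastacia from ::ffff:83.245.39.2 port 49086 ssh2
Dec  4 00:50:00 foxy sshd[28715]: Failed password for illegal user anastacia from ::ffff:83.245.39.2 port 49138 ssh2
Dec  4 08:12:10 foxy sshd[29001]: Failed password for daniel from 192.0.2.10 port 51022 ssh2
""".splitlines()
if __name__ == "__main__":
    for ip, info in summarise(SAMPLE).items():
        print(ip, info)
```

Six failures in seven seconds against three non-existent accounts is the dictionary-attack signature from the post; the single failure from the admin address stays unflagged.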