Re: On defense of the sshd crackers
2007/10/9, T o n g <mlist4suntong@yahoo.com>:
> [This is a security configuration question. Let me try it here to see if I
> can get some valuable input before heading to a newsgroup]
>
> Hi,
>
> I used to turn on my sshd just in case I need to ssh back into my
> box. But recently, I noticed that whenever I turn it on, almost instantly
> there will be a cracker attempting to crack into my sshd:
>
> $ tail -15 /var/log/auth.log
> Oct 6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152
> Oct 6 10:52:05 cxmr sshd[7374]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) check pass; user unknown
> Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2
> Oct 6 10:52:10 cxmr sshd[7379]: Invalid user german from 220.229.57.152
> Oct 6 10:52:10 cxmr sshd[7379]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) check pass; user unknown
> Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2
> Oct 6 10:52:20 cxmr sshd[7384]: Invalid user hitler from 220.229.57.152
> Oct 6 10:52:20 cxmr sshd[7384]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) check pass; user unknown
> Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2
>
> What's your recommendation for such a situation?
>
> PS.
>
> 1. I used to track down their ISP and complain about the cracking attempts,
> but nobody seems to be listening to me, and there have never been any
> responses.
>
> 2. I think the (default Debian) sshd configuration should be changed. Even
> someone who attempts cracking by typing in user names and passwords
> manually at a tty will be penalized. But I've noticed my sshd joyfully
> allows thousands of cracking attempts within minutes. This is rather silly,
> or incompetent.
>
> Please comment.
>
> thanks
Hello,
you can install denyhosts:
$ apt-cache search denyhosts
denyhosts - an utility to help sys admins thwart ssh hackers
or you can change the default ssh port.
Best regards,
Sergio Cuellar
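As an added illustration (not part of the thread, and not denyhosts' own code), here is the core of what denyhosts automates: parse the "Failed password" lines from auth.log in the format quoted above, count them per source address inside a time window, and render the offenders as hosts.deny entries. The sample lines, the assumed year 2007 (syslog timestamps carry none), and the threshold and window values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth.log format quoted in the thread (syslog lines carry no year).
SAMPLE_LOG = [
    "Oct 6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2",
    "Oct 6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2",
    "Oct 6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2",
    "Oct 6 10:53:01 cxmr sshd[7390]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Oct 6 10:53:40 cxmr sshd[7395]: Accepted publickey for tong from 192.0.2.20 port 51000 ssh2",
]

# Matches sshd's "Failed password" lines for both unknown ("invalid user X") and known user names.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2007):
    """Yield (timestamp, user, ip) per failed login; the year is assumed because syslog omits it."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(lines, threshold=3, window_seconds=600):
    """Return {ip: total_failures} for sources with >= threshold failures inside one window."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits

def deny_entries(hits):
    """Render offenders as hosts.deny lines, the file denyhosts writes its blocks to."""
    return [f"sshd: {ip}" for ip in sorted(hits)]

if __name__ == "__main__":
    print("\n".join(deny_entries(offenders(SAMPLE_LOG))))
```

Run against a real /var/log/auth.log the same parser works unchanged; only the year needs to be supplied for the log's actual period.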