On Tue, Oct 09, 2007 at 02:18:28PM +0000, T o n g wrote:
> [This is a security configuration question. Let me try it here to see if I
> can get some valuable input before heading to the newsgroup]
>
> Hi,
>
> I used to turn on my sshd just in case I need to ssh back into my
> box. But recently, I noticed that whenever I turn it on, almost instantly,
> there will be a cracker attempting to crack into my sshd:
>
> $ tail -15 /var/log/auth.log
> Oct 6 10:52:05 cxmr sshd[7374]: Invalid user deutch from 220.229.57.152
> Oct 6 10:52:05 cxmr sshd[7374]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) check pass; user unknown
> Oct 6 10:52:05 cxmr sshd[7374]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2
> Oct 6 10:52:10 cxmr sshd[7379]: Invalid user german from 220.229.57.152
> Oct 6 10:52:10 cxmr sshd[7379]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) check pass; user unknown
> Oct 6 10:52:10 cxmr sshd[7379]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2
> Oct 6 10:52:20 cxmr sshd[7384]: Invalid user hitler from 220.229.57.152
> Oct 6 10:52:20 cxmr sshd[7384]: Address 220.229.57.152 maps to adsl-220-229-57-152.kh.sparqnet.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) check pass; user unknown
> Oct 6 10:52:20 cxmr sshd[7384]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.229.57.152
> Oct 6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2
>
> What's your recommendation for such a situation?

Key authentication and iptables:

# Create the SSH chain and send port-22 traffic to it. The state match keeps
# the counting to NEW connections; without it every packet of an established
# session would be counted (unless an earlier INPUT rule already accepts
# ESTABLISHED,RELATED traffic). <INTERNET IF> is your Internet-facing interface.
iptables -t filter -N SSH
iptables -t filter -A INPUT -i <INTERNET IF> -p tcp --dport 22 -m state --state NEW -j SSH

# Record this source IP in the SSH recent list (this packet counts as a hit).
iptables -t filter -A SSH -m recent --set --name SSH

# If there have not been 4 NEW connection attempts from this source IP address
# in the last 60 seconds let's return to the INPUT chain.
iptables -t filter -A SSH -m recent --name SSH ! --rcheck --seconds 60 --hitcount 4 -j RETURN

# Well, the NEW connection has been seen so let's update the SSH recent list.
iptables -t filter -A SSH -m recent --name SSH --update

# I like to log on a line by itself so I don't have to remember to do it on
# my last line prior to the end of my script.
iptables -t filter -A SSH -j ULOG --ulog-nlgroup 1 --ulog-prefix 'sydrt01 S ' --ulog-cprange 0 --ulog-qthreshold 1
iptables -t filter -A SSH -j DROP

I allow 4 attempts from an IP address in 60 seconds, otherwise the IP gets
logged and dropped. But I also use openvpn for when I need lots of
connections.

> PS.
>
> 1. I used to track down their ISP and complain about the cracking attempts,
> but nobody seems to be listening to me, and there have never been any
> responses.
>
> 2. I think the (default Debian) sshd configuration should be changed. Even
> someone who attempts cracking by typing in user names and passwords
> manually at a tty will be penalized. But I've noticed my sshd joyfully
> allows thousands of cracking attempts within minutes. This is rather silly,
> or incompetent.
>
> Please comment.
>
> thanks
>
> --
> Tong (remove underscore(s) to reply)
> http://xpt.sourceforge.net/techdocs/
> http://xpt.sourceforge.net/tools/
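To see exactly what the `-m recent` rules above do to a burst like the one in the quoted auth.log, here is a small Python replay of the SSH chain over failed-password lines. This is an added example, not code from either poster: it models `--set` followed by `! --rcheck --seconds 60 --hitcount 4 -j RETURN` (anything else falls through to the ULOG and DROP rules), uses the "Failed password" timestamp as a stand-in for the time of the TCP SYN the real rule sees, assumes the syslog year is 2007, and ignores the kernel module's per-address packet cap. The first three log lines are from the post; the remaining three are constructed to push one source over the limit and then let its window expire.

```python
"""Replay sshd auth.log lines through a model of the iptables `recent` rules
(--set, then ! --rcheck --seconds 60 --hitcount 4 -j RETURN, else DROP) and
report which NEW connection attempts the chain would drop.

Assumptions (constructed example): the 'Failed password' timestamp stands in
for the time of the TCP SYN the real rule sees, and the log year is 2007,
since syslog omits it.
"""
import re
from collections import defaultdict
from datetime import datetime

# The first three lines are from the quoted post; the other three are
# constructed: a 4th attempt from the same source inside the 60 s window, a
# second source that stays under the limit, and a later attempt from the
# first source after its window has expired.
AUTH_LOG = """\
Oct  6 10:52:07 cxmr sshd[7374]: Failed password for invalid user deutch from 220.229.57.152 port 46369 ssh2
Oct  6 10:52:12 cxmr sshd[7379]: Failed password for invalid user german from 220.229.57.152 port 46536 ssh2
Oct  6 10:52:22 cxmr sshd[7384]: Failed password for invalid user hitler from 220.229.57.152 port 46858 ssh2
Oct  6 10:52:31 cxmr sshd[7390]: Failed password for invalid user test from 220.229.57.152 port 47011 ssh2
Oct  6 10:52:40 cxmr sshd[7395]: Failed password for root from 192.0.2.10 port 51022 ssh2
Oct  6 10:53:40 cxmr sshd[7402]: Failed password for invalid user admin from 220.229.57.152 port 47290 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)


class RecentList:
    """Minimal model of `-m recent`: --set records a hit for an address;
    --rcheck --seconds S --hitcount N is true when the address has at least
    N hits (including the one just recorded) within the last S seconds."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(list)

    def set(self, addr, when):
        self.hits[addr].append(when)

    def rcheck(self, addr, when):
        window = [t for t in self.hits.get(addr, ())
                  if 0 <= (when - t).total_seconds() <= self.seconds]
        return len(window) >= self.hitcount


def ssh_chain(recent, addr, when):
    """Walk the SSH chain for one NEW connection; returns "RETURN" or "DROP"."""
    recent.set(addr, when)               # -A SSH -m recent --set --name SSH
    if not recent.rcheck(addr, when):    # ! --rcheck --seconds 60 --hitcount 4 -j RETURN
        return "RETURN"
    return "DROP"                        # --update, ULOG, then -j DROP


def parse_attempts(log_text, year=2007):
    """Yield (timestamp, addr, user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {m['day']} {m['hms']}"
        yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["addr"], m["user"]


def simulate(log_text, seconds=60, hitcount=4):
    """Return [(time, addr, user, verdict), ...] in log order."""
    recent = RecentList(seconds, hitcount)
    return [(when.strftime("%H:%M:%S"), addr, user, ssh_chain(recent, addr, when))
            for when, addr, user in parse_attempts(log_text)]


def dropped_by_source(results):
    """Count DROP verdicts per source address."""
    counts = defaultdict(int)
    for _, addr, _, verdict in results:
        if verdict == "DROP":
            counts[addr] += 1
    return dict(counts)


if __name__ == "__main__":
    results = simulate(AUTH_LOG)
    for t, addr, user, verdict in results:
        print(f"{t} {addr:16} {user:8} {verdict}")
    print("dropped per source:", dropped_by_source(results))
```

Two details of the real module show up in the replay: because `--set` runs before the `--rcheck`, the packet being evaluated counts towards the hitcount, so the 4th NEW connection within 60 seconds is the one that gets dropped (three get through), and a dropped packet is still recorded in the list, so a source that keeps hammering stays blocked until it has been quiet for the full window.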