SSH brute force attacks are very common - we get several a week. There
are various methods for stopping them - a summary is in: http://www.security-hacks.com/2007/05/23/protecting-against-ssh-brute-force-attacks I suggest the following: 1. configure ssh to block all users apart from those you define - either define the users or have an sshusers group. Don't put any default accounts in here such as admin, sales, games - these regularly occur on in the brute force attacks. 2. users should not have easy usernames like fred, mary - these are usually on the guessing lists. firstnamesurname increases the options they have to try. From reading the logs of brute force attacks the user names are normally easy guesses based on default accounts or firstnames. 3. User passwords should meet minimum standards of letters, numbers, minsize, other characters. 4. Don't allow root to log in via SSH - root is the most commonly used name for SSH brute force attacks. If you must have root access set up access via an RSA key. If possible get everyone using RSA keys and switch off password logins altogether. 5. Use one of the blocking methods such as iptables rate limiting. They invariably don't come back after being blocked once. You could use the iptables method coupled with one of the log scanning methods for an extra layer of defence. One example is at: http://blog.andrew.net.au/2005/02/16 6. If its convenient switch to a different port - the brute force attackers just scan blocks of IP addresses at port 22 - if you are using port 22 you are much less likely to be scanned. Finally - don't panic - they are looking for easy targets, if you make their life hard they go away. I rarely see the same IP address come back after they have been blocked for a few minutes - they just move on. Kevin. Jochen Schulz wrote: Norman Bird:I decided to check the auth.log and started freaking out because I saw alot of POSSIBLE BREAK-IN lines.It says "possible break-in *attempt*". But either way, it is harmless. And, by the way: do you think a smart attacker who gained root on your machine would leave traces in the logs? I doubt it.then I saw roon loging in so I was panicking.Don't panic. :)But as I really reviewed them it seems that the actual root logins were by CRON and the nobody logins were system related. Please look this over and give any advice and particularily what should I do.You don't need to do anything.Somewhere online said I should "boot with a root kit checker", feel free to advise on this.Root kit checkers, just as anti-virus programs, cannot reliably detect anything. They report false positives as well as false negatives. But the idea to boot from a known good medium is a good one. *If* your system has been attacked successfully, you should never trust it to report it to you. You always have to use another one.I do need to log in via putty via ssh alot so I cant totally disable it. I will beef up my password now and maybe change the port, but I need input on that please, or a good site.Search for a howto on public key authentication. It's well documented and protects your SSH server from all those password brute force attacks.Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0) Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user root Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86 Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT! Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.212.18.86 user=root Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2 Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT! rhost=66.212.18.86 then there is this, but it looks system related i think: Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user root Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user root by (uid=0) Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user root Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user root by (uid=0) Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user root Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user nobody by (uid=0) Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user nobody Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0) Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user nobody Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user nobody by (uid=0) Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user nobody Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user nobody by (uid=0) Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user nobody Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user root by (uid=0) Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user root by (uid=0) Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user root Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user root Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user root by (uid=0) Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user root by (uid=0) Is there another log that would show a definate successful breakin? thanks Norm |