Norman Bird:
I decided to check the auth.log and started freaking out because I saw a lot
of POSSIBLE BREAK-IN lines.
It says "possible break-in *attempt*". But either way, it is harmless.
And, by the way: do you think a smart attacker who gained root on your
machine would leave traces in the logs? I doubt it.
Then I saw root logging in, so I was panicking.
Don't panic. :)
But as I really reviewed them, it seems that the actual root logins were by
CRON and the nobody logins were system-related. Please look this over and
give any advice, and particularly, what should I do?
You don't need to do anything.
Somewhere online it said I should "boot with a root kit checker"; feel free to
advise on this.
Rootkit checkers, just like anti-virus programs, cannot reliably detect
anything. They report false positives as well as false negatives. But
the idea to boot from a known good medium is a good one. *If* your
system has been attacked successfully, you should never trust it to
report it to you. You always have to use another one.
I do need to log in via PuTTY over SSH a lot, so I can't totally disable it. I
will beef up my password now and maybe change the port, but I need input on
that please, or a good site.
Search for a howto on public key authentication. It's well documented
and protects your SSH server from all those password brute force
attacks.
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root
Feb 11 03:39:01 localhost CRON[29601]: (pam_unix) session closed for user root
Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.212.18.86 user=root
Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2
Feb 11 03:55:23 localhost sshd[30019]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT! rhost=66.212.18.86
Then there is this, but it looks system-related, I think:
Feb 11 07:09:01 localhost CRON[3127]: (pam_unix) session closed for user root
Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session opened for user root by (uid=0)
Feb 11 07:17:01 localhost CRON[3368]: (pam_unix) session closed for user root
Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session opened for user root by (uid=0)
Feb 11 07:30:01 localhost CRON[3710]: (pam_unix) session closed for user root
Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user nobody by (uid=0)
Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session closed for user nobody
Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session opened for user nobody by (uid=0)
Feb 11 07:35:05 localhost su[3921]: (pam_unix) session closed for user nobody
Feb 11 07:35:05 localhost su[3924]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3924]: + ??? root:nobody
Feb 11 07:35:05 localhost su[3924]: (pam_unix) session opened for user nobody by (uid=0)
Feb 11 07:35:05 localhost su[3924]: (pam_unix) session closed for user nobody
Feb 11 07:35:06 localhost su[3926]: Successful su for nobody by root
Feb 11 07:35:06 localhost su[3926]: + ??? root:nobody
Feb 11 07:35:06 localhost su[3926]: (pam_unix) session opened for user nobody by (uid=0)
Feb 11 07:36:26 localhost su[3926]: (pam_unix) session closed for user nobody
Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session opened for user root by (uid=0)
Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session opened for user root by (uid=0)
Feb 11 07:39:01 localhost CRON[4143]: (pam_unix) session closed for user root
Feb 11 07:39:01 localhost CRON[4141]: (pam_unix) session closed for user root
Feb 11 08:09:01 localhost CRON[4883]: (pam_unix) session opened for user root by (uid=0)
Feb 11 08:09:01 localhost CRON[4885]: (pam_unix) session opened for user root by (uid=0)
Is there another log that would show a definite successful break-in?
thanks
Norm
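As an added example, not part of Norm's post or of the reply, here is a small Python triage script for the kinds of auth.log lines quoted above. It treats the CRON pam_unix session lines as scheduled jobs, reads the "reverse mapping checking getaddrinfo ... failed" line as what it is (sshd could not resolve the client's reverse DNS name back to its address, which it reports with that alarming wording), counts "Failed password" lines per source address, and keeps those apart from the lines that show a remote login actually succeeding: OpenSSH's "Accepted password/publickey for ..." message, and a pam_unix "session opened" line logged by sshd rather than by CRON. The sample log is constructed from lines in the post; the final "Accepted password" line is an assumption added to show what a successful remote root login looks like and does not appear in the original log.

```python
import re
from collections import Counter

# Constructed sample, modelled on the auth.log excerpt quoted in the post.
# The last line ("Accepted password ...") is an assumption added here to show
# OpenSSH's message for a login that actually succeeded; it is not in the post.
SAMPLE_AUTH_LOG = """\
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session opened for user root by (uid=0)
Feb 11 03:39:01 localhost CRON[29603]: (pam_unix) session closed for user root
Feb 11 03:53:33 localhost sshd[29969]: Did not receive identification string from 66.212.18.86
Feb 11 03:55:20 localhost sshd[30015]: reverse mapping checking getaddrinfo for alpha57.wqpax.net failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 11 03:55:20 localhost sshd[30015]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.212.18.86 user=root
Feb 11 03:55:22 localhost sshd[30015]: Failed password for root from 66.212.18.86 port 41396 ssh2
Feb 11 07:33:01 localhost CRON[3807]: (pam_unix) session opened for user nobody by (uid=0)
Feb 11 07:35:05 localhost su[3921]: Successful su for nobody by root
Feb 11 07:35:05 localhost su[3921]: + ??? root:nobody
Feb 11 09:12:44 localhost sshd[5120]: Accepted password for root from 198.51.100.7 port 50212 ssh2
"""

# Classic syslog layout: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (category, pattern applied to the message part); first match wins.
RULES = [
    ("accepted_login", re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("failed_login", re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("pam_auth_failure", re.compile(r"authentication failure;.*rhost=(?P<ip>\S*)(?: +user=(?P<user>\S+))?")),
    ("reverse_dns_mismatch", re.compile(r"^reverse mapping checking getaddrinfo for (?P<name>\S+) failed")),
    ("scanner_probe", re.compile(r"^Did not receive identification string from (?P<ip>\S+)")),
    ("pam_session", re.compile(r"^\(pam_unix\) session (?P<action>opened|closed) for user (?P<user>\S+)")),
    ("local_su", re.compile(r"^Successful su for (?P<user>\S+) by (?P<by>\S+)")),
]


def classify(line):
    """Return a dict describing one auth.log line, or None if it is not a syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    prog, msg = m["prog"], m["msg"]
    event = {"ts": m["ts"], "prog": prog, "pid": m["pid"], "category": "other"}
    for category, pat in RULES:
        pm = pat.search(msg)
        if pm:
            event["category"] = category
            event.update({k: v for k, v in pm.groupdict().items() if v})
            break
    if event["category"] == "pam_session":
        # The same pam_unix text means different things depending on who logged it:
        # CRON opening a root session is a scheduled job, sshd opening one is a login.
        event["category"] = {"CRON": "cron_session", "sshd": "ssh_session"}.get(prog, "local_session")
    return event


def triage(log_text):
    """Summarise a chunk of auth.log: counts, failed attempts per address, real remote logins."""
    events = [e for e in map(classify, log_text.splitlines()) if e]
    counts = Counter(e["category"] for e in events)
    failed_by_ip = Counter(e["ip"] for e in events if e["category"] == "failed_login")
    remote_logins = [
        e for e in events
        if e["category"] == "accepted_login"
        or (e["category"] == "ssh_session" and e.get("action") == "opened")
    ]
    findings = []
    for ip, n in failed_by_ip.items():
        findings.append(f"{n} failed SSH login(s) from {ip}: brute-force noise unless "
                        f"a login from the same address later succeeds")
    for e in remote_logins:
        who, where = e.get("user", "?"), e.get("ip", "unknown address")
        note = "check this against logins you made yourself"
        if e.get("method") == "password" and who == "root":
            note = "remote root login with a password: confirm it was you"
        findings.append(f"{e['ts']} SSH login for {who} from {where} ({note})")
    return {"counts": counts, "failed_by_ip": failed_by_ip,
            "remote_logins": remote_logins, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_AUTH_LOG)
    for category, n in sorted(result["counts"].items()):
        print(f"{n:3d}  {category}")
    for line in result["findings"]:
        print("*", line)
```

The point of splitting "pam_session" by program is the one Norm worked out by hand: a root session opened by CRON is a cron job, not a login, while the same message logged by sshd means someone authenticated. Running this over the real file rather than the constructed sample is a matter of reading `/var/log/auth.log` into `triage`.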