
Re: Continuous brute force attempt from own server !!!



On Fri, Jul 26, 2013 at 3:42 PM, J B <bakshi12@gmail.com> wrote:
Dear list,

I'm suffering with a very serious issue and seek guidance.

I have a debian server functional at my place which is attached with a leased line connection.
and I use this box as a gateway.

Any other firewall or gateway that you administer in between?
 
I administer a remote opensuse linux server through this debian box and I use pubkey auth
mechanism to log into the remote linux server.

Does your mechanism involve an approach by which you would use non-standard ports to connect? (My memory brings up an example called "port knocking", but that would not be the only possibility.)
 
At the remote linux server, I can find huge

What do you mean by huge? Hundreds of log-in attempts? Many more logins than you remember having made, at times you didn't make them?
 
brute force ssh attempts at different
ports and surprisingly the attempt is made with the same username which I actually use
to log into the remote box. Some of the messages from the log are as below

```
accepted public key from <username_of_my_local_box> from <WAN_IP_of_my_local_box> port 50574 ssh2
```

I'm not sure I'd call that an attempt, as others have noted
 
The attack is random with a serially incrementing port number.

That kind of sounds kind of like port scanning, although most port scanning tools do not actually pass credentials.
 
If I block the ssh connection limit through the firewall at the remote box, it actually blocks me from logging in further.

I think it would be a surprise if it didn't.
 
Could anyone suggest what is happening in my local box?

As others have mentioned, have you checked for regular, scheduled processes, such as a backup using rsync? Or a user process checking mail over ssh?
 
rootkit ? local box compromising ?

Those are possibilities, too.
 
What is it ?

Good question. What have you found so far?

Have you inserted a logging firewall between the leased line and the local box, and/or enabled a logging firewall on the local box? A physical firewall can tell you whether the connections are being spoofed, for instance. It can also give you times to check on the local box. The local box may have a compromised firewall, but if the firewall on the local box catches the outgoing connection, you should be able to get information on the local process initiating the connection.

The only person who can figure out what it is is you or whoever has admin responsibility for that local box. All we can do here is make half-baked guesses.

--
Joel Rees
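One way to turn the "what do you mean by huge?" and "is it a scheduled process?" questions above into something measurable is to parse the remote box's sshd log and, for each (user, source IP) pair, count the accepted logins, check whether the source ports really increase by one each time, and check whether the logins arrive at a near-constant interval. Sequential source ports and a regular interval from a single WAN address point at one automated client on the local box (a cron job, a backup, a mail check) rather than at many attackers. This is an added example, not code from the thread or from either poster; the log lines are constructed in the standard OpenSSH "Accepted publickey for USER from IP port PORT ssh2" format, the year 2013 is assumed because syslog timestamps omit it, and the 5% jitter threshold for "regular" is an arbitrary choice.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of auth.log lines from the remote box (not from the
# original thread). Documentation addresses are used for the IPs.
SAMPLE_LOG = """\
Jul 26 14:00:01 remote sshd[2101]: Accepted publickey for jb from 203.0.113.10 port 50574 ssh2
Jul 26 14:00:01 remote sshd[2101]: pam_unix(sshd:session): session opened for user jb by (uid=0)
Jul 26 14:05:01 remote sshd[2190]: Accepted publickey for jb from 203.0.113.10 port 50575 ssh2
Jul 26 14:10:01 remote sshd[2277]: Accepted publickey for jb from 203.0.113.10 port 50576 ssh2
Jul 26 14:15:02 remote sshd[2355]: Accepted publickey for jb from 203.0.113.10 port 50577 ssh2
Jul 26 14:17:45 remote sshd[2390]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jul 26 14:20:01 remote sshd[2441]: Accepted publickey for jb from 203.0.113.10 port 50578 ssh2
"""

# Matches the OpenSSH "Accepted <method> for <user> from <ip> port <port> ssh2" line.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse_accepted(log_text, year=2013):
    """Return one dict per accepted login; the year is assumed (syslog omits it)."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts and session lines are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"],
                       "port": int(m["port"]), "method": m["method"]})
    return events


def summarize(events, jitter=0.05):
    """Group accepted logins by (user, ip) and describe the pattern of each group.

    sequential_ports: every source port is exactly the previous one plus one,
    which is what a single client opening connections back-to-back looks like.
    regular_interval: inter-arrival times vary by at most `jitter` of their
    mean, the signature of a scheduled job rather than a human or a scanner.
    """
    groups = {}
    for e in events:
        groups.setdefault((e["user"], e["ip"]), []).append(e)
    report = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        ports = [e["port"] for e in evs]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sequential = len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
        regular = len(gaps) >= 2 and pstdev(gaps) <= jitter * mean(gaps)
        report[key] = {
            "count": len(evs),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "sequential_ports": sequential,
            "mean_gap_s": mean(gaps) if gaps else None,
            "regular_interval": regular,
        }
    return report


if __name__ == "__main__":
    for (user, ip), r in summarize(parse_accepted(SAMPLE_LOG)).items():
        print(f"{user}@{ip}: {r['count']} logins {r['first']} .. {r['last']}, "
              f"sequential ports={r['sequential_ports']}, "
              f"mean gap={r['mean_gap_s']}s, regular={r['regular_interval']}")
```

On the constructed sample the script reports five accepted logins for one user from one address, source ports 50574 through 50578, and a gap of about 300 seconds with almost no variation, which on a real box would be the cue to look at the local crontab, backup jobs and any mail fetcher before suspecting a rootkit. Run it against `/var/log/auth.log` (or the journal) on the remote box to replace "huge" with a count and a time pattern.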
