#1
16th April 2009, 20:31
Boon-Dog-Danny, Member (Join Date: Jul 2006, Posts: 97)
Possible break-in attempt

Hello all..

Hope everyone is having a great day. So, my trouble is, as you see below, I have a dictionary attack going on against my sshd. This was in my auth.log:

How do I block this? Any ideas? I tried blocking the IPs, but that doesn't seem to work.

thanks in advance for any ideas or solutions.

Apr 16 11:16:53 dog sshd[31006]: Address 85.92.139.168 maps to ns0.transip.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 16 11:17:01 dog CRON[31010]: (pam_unix) session opened for user root by (uid=0)
Apr 16 11:17:01 dog CRON[31010]: (pam_unix) session closed for user root
Apr 16 11:18:08 dog sshd[31030]: Invalid user bian from 66.154.96.184
Apr 16 11:22:29 dog sshd[31093]: Invalid user bian from 201.34.164.34
Apr 16 11:23:49 dog sshd[31112]: Invalid user biana from 218.241.164.34
Apr 16 11:26:04 dog sshd[31181]: Invalid user biana from 91.205.75.82
Apr 16 11:26:04 dog sshd[31181]: reverse mapping checking getaddrinfo for ip-91-205-75-82.iwacom.net.pl failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 16 11:26:05 dog sshd[31180]: Invalid user staff from 88.51.167.162
__________________
Debian(rocks) + Ispconfig 3.0.3


Boon-Inc.com Great Video
Boon-File.com Create flash text
Boon-Host.com Get great FREE games here
Boon-Dog.com glitter text makers,music and more
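Two different things are mixed together in the log above, and it helps to count them separately before deciding what to block. The "POSSIBLE BREAK-IN ATTEMPT!" lines are printed by sshd when the connecting address's reverse DNS name does not resolve back to that address (a check sshd performs when UseDNS is enabled); that is a DNS inconsistency warning, not evidence of an attack on its own. The "Invalid user ... from ..." lines are the dictionary attack: one guess each, spread across many source addresses, which is why blocking single IPs by hand does not get you far. The script below is an added example, not code from this thread; it triages a constructed auth.log sample written in the same format as the lines above (with one source address repeated, so the threshold has something to find) and lists the addresses worth banning.

```shell
#!/bin/sh
# Added example: triage sshd auth.log lines.
# Constructed sample in the format of the lines posted above; the repeated
# 66.154.96.184 entries were added so that the threshold logic has a hit.
SAMPLE_AUTH_LOG='Apr 16 11:16:53 dog sshd[31006]: Address 85.92.139.168 maps to ns0.transip.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 16 11:17:01 dog CRON[31010]: (pam_unix) session opened for user root by (uid=0)
Apr 16 11:18:08 dog sshd[31030]: Invalid user bian from 66.154.96.184
Apr 16 11:18:11 dog sshd[31032]: Invalid user biana from 66.154.96.184
Apr 16 11:18:14 dog sshd[31034]: Invalid user staff from 66.154.96.184
Apr 16 11:22:29 dog sshd[31093]: Invalid user bian from 201.34.164.34
Apr 16 11:26:04 dog sshd[31181]: Invalid user biana from 91.205.75.82
Apr 16 11:26:04 dog sshd[31181]: reverse mapping checking getaddrinfo for ip-91-205-75-82.iwacom.net.pl failed - POSSIBLE BREAK-IN ATTEMPT!'

# "Invalid user NAME from IP" is the actual password guessing. Print
# "<count> <ip>" for every source address, busiest first. Reads the log
# text on stdin, so it works on /var/log/auth.log as well as on the sample.
invalid_user_counts() {
  awk '/sshd\[[0-9]+\]: Invalid user / {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Source addresses with at least $1 invalid-user attempts: the candidates
# for a firewall block. fail2ban's sshd filter keys on this same line, so
# it automates exactly this step.
brute_force_sources() {
  invalid_user_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# The reverse-DNS warnings, counted separately. They say nothing about
# whether a login was attempted; a client from a badly configured ISP
# range produces one on every connection.
rdns_mismatch_count() {
  grep -c 'POSSIBLE BREAK-IN ATTEMPT' || true
}

# Usage on a live box:  brute_force_sources 5 < /var/log/auth.log
```

Run against the sample, brute_force_sources 3 prints only 66.154.96.184; the two addresses that made one guess each never cross the threshold, which is the usual picture with a distributed dictionary run and the reason a tool like fail2ban (which also expires its bans) beats maintaining the block list by hand.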
#2
17th April 2009, 00:45
marcob, Member (Join Date: Nov 2008, Posts: 34)

fail2ban

Also, I suggest you permit SSH access only from specific IPs, not from everyone.
#3
17th April 2009, 09:02
Ben, Moderator (Join Date: Jul 2006, Posts: 1,029)

As the first line of the log explains those possible break-in attempts best: looking up the IP in DNS and vice versa does not end up with the same result, and thus it is not consistent and could be considered an attempt to break into the machine.

Next to fail2ban, I'd just move sshd to listen on a different port than 22. For several years I have not detected any brute forces against my sshd, although it'd be easy to find out by doing a short port scan with e.g. nmap.
#4
18th April 2009, 03:43
Boon-Dog-Danny, Member (Join Date: Jul 2006, Posts: 97)
thank you

Thanks guys, I installed that.

Ben, you said "I'd just move the sshd to listen to a different port than 22".

This is what I would like to do. How do I do this? Do you know where the setting is?
#5
18th April 2009, 08:25
edge, Moderator (Join Date: Dec 2005, Location: The Netherlands, Posts: 2,033)

Quote:
Originally Posted by Boon-Dog-Danny
Thanks guys, I installed that.

Ben, you said "I'd just move the sshd to listen to a different port than 22".

This is what I would like to do. How do I do this? Do you know where the setting is?
The port(s) for SSHD are set in the file sshd_config. This file can be found in the directory: /etc/ssh/

Make sure that (1) the new port that you are going to use is open in your firewall, and (2) that you restart sshd when done.
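Putting edge's three steps together (set Port in /etc/ssh/sshd_config, open the port in the firewall, restart sshd) with the caveat a practitioner wants here: a single "Port 2222" line replaces port 22, it does not add to it, so the restart drops the very session you are editing from. sshd accepts several Port lines, so the safe order is to add the new port next to 22, log in on it from a second terminal, and only then remove 22. The script below is an added example in shell, not code from this thread or from Debian; it assumes a Debian layout (/etc/ssh/sshd_config, /etc/init.d/ssh, iptables) and edits only the file path it is given, so the config part can be exercised on a copy. The step that touches the live system runs only when APPLY_SSH_PORT is set.

```shell
#!/bin/sh
# Added example: move sshd to another port without locking yourself out.

# Active (uncommented) Port directives in an sshd_config. Prints nothing
# when the file relies on the built-in default, which is 22.
active_sshd_ports() {
  awk 'tolower($1) == "port" { print $2 }' "$1"
}

# The ports sshd would actually listen on with this file.
effective_sshd_ports() {
  ports=$(active_sshd_ports "$1")
  if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# Insert a line at the top of a file in place, keeping the file's mode.
# Port must precede any Match block, which is why we prepend.
prepend_line() {
  tmp=$(mktemp) || return 1
  { printf '%s\n' "$2"; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
  rm -f "$tmp"
}

# Add a Port line. If the file has no explicit Port yet, make the default
# 22 explicit first, so that the new port is added alongside it rather
# than replacing it. Idempotent: a port already present is not added twice.
add_sshd_port() {
  cfg=$1 port=$2
  case $port in ''|*[!0-9]*) echo "not a port number: $port" >&2; return 1 ;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  if [ -z "$(active_sshd_ports "$cfg")" ]; then
    prepend_line "$cfg" 'Port 22'
  fi
  if ! active_sshd_ports "$cfg" | grep -qx "$port"; then
    prepend_line "$cfg" "Port $port"
  fi
}

# Remove a Port line, once a login on the new port has been confirmed.
remove_sshd_port() {
  tmp=$(mktemp) || return 1
  awk -v p="$2" '!(tolower($1) == "port" && $2 == p)' "$1" > "$tmp" && cat "$tmp" > "$1"
  rm -f "$tmp"
}

# On the real host, as root: edit, syntax-check, open the firewall hole,
# restart. Only runs when asked for:  APPLY_SSH_PORT=2222 sh this_script.sh
apply_ssh_port() {
  add_sshd_port /etc/ssh/sshd_config "$1" || return 1
  /usr/sbin/sshd -t || return 1                       # never restart on a config sshd rejects
  iptables -I INPUT -p tcp --dport "$1" -j ACCEPT     # before the restart, not after
  /etc/init.d/ssh restart
  echo "log in on port $1 from a second terminal, then: remove_sshd_port /etc/ssh/sshd_config 22"
}
if [ -n "${APPLY_SSH_PORT:-}" ]; then apply_ssh_port "$APPLY_SSH_PORT"; fi
```

Two things the script does not do for you: the iptables rule lives in memory only, so it has to go into whatever mechanism restores your firewall at boot, and moving the port reduces log noise but is not access control; the "only from my IP" rule discussed further down is what actually keeps the guessing out.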
#6
18th April 2009, 15:56
Boon-Dog-Danny, Member (Join Date: Jul 2006, Posts: 97)
one other

Marcob suggested: "Also, I suggest you permit SSH access only from specific IPs, not from everyone."

How do I do this?
#7
18th April 2009, 16:20
falko, Super Moderator (Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 41,701)

You can do this with /etc/hosts.deny and /etc/hosts.allow.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
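falko's pointer to hosts.allow and hosts.deny relies on sshd being linked against libwrap (TCP wrappers). The Debian sshd of that time was; upstream OpenSSH removed tcp_wrappers support in 6.7, so on a current machine check with `ldd "$(command -v sshd)" | grep libwrap` first, and if that prints nothing, use a firewall rule (`iptables -A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT` followed by a matching DROP) or sshd's own `AllowUsers user@192.0.2.10` instead. The pair that implements "only from my IP" is `sshd: ALL` in /etc/hosts.deny and `sshd: 192.0.2.10` in /etc/hosts.allow. libwrap consults hosts.allow first and a match there wins, then hosts.deny, and allows when neither file matches, so without the deny line the allow list changes nothing. The shell below is an added example, not code from this thread or from libwrap: a reduced model of that decision, useful for checking a pair before installing it. It handles ALL, exact IPv4 addresses and dotted prefixes such as 203.0.113., the forms such a pair normally uses; netmasks, hostnames, EXCEPT and IPv6 are left out. The addresses are documentation ranges chosen for the example.

```shell
#!/bin/sh
# Added example: a reduced model of the tcp_wrappers access decision.

# Does any line of file $3 match daemon $1 for client $2?  Exit 0 if so.
# Line format: daemon_list : client_list [ : options ]
wrap_match() {
  awk -v daemon="$1" -v ip="$2" '
    { sub(/#.*/, "")                         # strip comments
      if ($0 ~ /^[ \t]*$/) next              # and blank lines
      if (split($0, f, ":") < 2) next        # need at least daemon_list : client_list
      gsub(/,/, " ", f[1]); gsub(/,/, " ", f[2])
      hit = 0
      n = split(f[1], d, " ")
      for (i = 1; i <= n; i++) if (d[i] == "ALL" || d[i] == daemon) hit = 1
      if (!hit) next
      n = split(f[2], c, " ")
      for (i = 1; i <= n; i++) {
        if (c[i] == "ALL" || c[i] == ip) { found = 1; exit }
        if (c[i] ~ /\.$/ && index(ip, c[i]) == 1) { found = 1; exit }   # "203.0.113." prefix
      }
    }
    END { exit found ? 0 : 1 }' "$3"
}

# libwrap order: hosts.allow (a match admits), then hosts.deny (a match
# refuses), otherwise admit. $1 daemon, $2 client ip, $3 allow, $4 deny.
tcpd_allows() {
  if wrap_match "$1" "$2" "$3"; then return 0; fi
  if wrap_match "$1" "$2" "$4"; then return 1; fi
  return 0
}

# Constructed pair for testing: one admin host plus one office /24.
# Written into directory $1 rather than /etc so it can be tried safely.
write_sample_wrappers() {
  printf '# constructed example\nsshd: 192.0.2.10, 203.0.113.\n' > "$1/hosts.allow"
  printf 'sshd: ALL\n' > "$1/hosts.deny"
}

# Usage check before installing for real:
#   tcpd_allows sshd YOUR.HOME.IP /etc/hosts.allow /etc/hosts.deny && echo ok
```

Check your own address against the pair from a second terminal before you log out: with the deny line in place and a typo in hosts.allow, the next SSH session is refused. Note also that the deny line names only sshd, so other wrapped services are unaffected; `ALL: ALL` in hosts.deny would be the stricter default-deny.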
#8
18th April 2009, 22:25
Boon-Dog-Danny, Member (Join Date: Jul 2006, Posts: 97)
oh great

Fixed the firewall.

Last edited by Boon-Dog-Danny; 19th April 2009 at 06:04. Reason: fixed
#9
18th April 2009, 22:56
Boon-Dog-Danny, Member (Join Date: Jul 2006, Posts: 97)
joke

I don't understand how I only allow it from my IP, but I got the port changed and tada, no more BS. I did not understand I had to create a new firewall rule. D'oh!

thanks all

Last edited by Boon-Dog-Danny; 19th April 2009 at 06:05. Reason: fixed