Possible break-in attempt

Discussion in 'Installation/Configuration' started by Boon-Dog-Danny, Apr 16, 2009.

  1. Boon-Dog-Danny

    Boon-Dog-Danny New Member

    Hello all..

    Hope everyone is having a great day.. so My trouble is as you see below I have a dictionary attack going using my sshd..?? this was in my auth.log

    How do I block this..any ideas? I tried blocking the ip's but that dont seem to work..

    thanks in advance for any ideas or solutions.




    Apr 16 11:16:53 dog sshd[31006]: Address 85.92.139.168 maps to ns0.transip.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
    Apr 16 11:17:01 dog CRON[31010]: (pam_unix) session opened for user root by (uid=0)
    Apr 16 11:17:01 dog CRON[31010]: (pam_unix) session closed for user root
    Apr 16 11:18:08 dog sshd[31030]: Invalid user bian from 66.154.96.184
    Apr 16 11:22:29 dog sshd[31093]: Invalid user bian from 201.34.164.34
    Apr 16 11:23:49 dog sshd[31112]: Invalid user biana from 218.241.164.34
    Apr 16 11:26:04 dog sshd[31181]: Invalid user biana from 91.205.75.82
    Apr 16 11:26:04 dog sshd[31181]: reverse mapping checking getaddrinfo for ip-91-205-75-82.iwacom.net.pl failed - POSSIBLE BREAK-IN ATTEMPT!
    Apr 16 11:26:05 dog sshd[31180]: Invalid user staff from 88.51.167.162
     
  2. marcob

    marcob New Member

    fail2ban

    Also I suggest you to permit ssh access only to specific IP, not to everyone.
     
  3. Ben

    Ben ISPConfig Developer ISPConfig Developer

    As the first line of the log explains, those possible break in attempts the best. looking up the ip to dns and vice versa does not end up with the same result and thus it is not consistent and could be considered as try to break in the machine.

    Next to fail2ban I'd just move the sshd to listen to a different port than 22. Since several years I could not detect any brute forces against my sshd although it'd be easy to find out when doing a short port scan with e.g. nmap.
     
  4. Boon-Dog-Danny

    Boon-Dog-Danny New Member

    thank you

    Thanks guys.. I installed that..

    Ben you said "I'd just move the sshd to listen to a different port than 22"

    this is what I would like to do.. How do I do this? know where the setting is?
     
  5. edge

    edge Active Member Moderator

    The port(s) for SSHD are set in the file sshd_config. This file can be found in the directory: /etc/ssh/

    Make sure that (1) the new port that you are going to use is open in your firewall, and (2) that you restart sshd when done.
     
  6. Boon-Dog-Danny

    Boon-Dog-Danny New Member

    one other

    Marcob suggested "Also I suggest you to permit ssh access only to specific IP, not to everyone. "

    how do I do this?
     
  7. falko

    falko Super Moderator ISPConfig Developer

    You can do this with /etc/hosts.deny and /etc/hosts.allow.
     
  8. Boon-Dog-Danny

    Boon-Dog-Danny New Member

    oh great

    fixed the firewall
     
    Last edited: Apr 19, 2009
  9. Boon-Dog-Danny

    Boon-Dog-Danny New Member

    joke

    I dont understand how I only allow it from my ip but I got the port changed and tada no more bs.. I did not understand I had to create a new firewall rule.. D'ho

    thanks all
     
    Last edited: Apr 19, 2009

Share This Page