Chinese hack attempts

w1z4rd

One of my servers is under serious brute force hack attempts from China. Bastards.

My logs are looking something like this:

Code:
Apr 29 01:46:08 alpha646 sshd[18112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.2.163.252  user=root
Apr 29 01:46:10 alpha646 sshd[18112]: Failed password for root from 221.2.163.252 port 55247 ssh2
Apr 29 01:46:10 alpha646 sshd[18115]: Received disconnect from 221.2.163.252: 11: Bye Bye
Apr 29 01:46:13 alpha646 sshd[18117]: Invalid user oracle from 221.2.163.252
Apr 29 01:46:13 alpha646 sshd[18121]: input_userauth_request: invalid user oracle
Apr 29 01:46:13 alpha646 sshd[18117]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 01:46:13 alpha646 sshd[18117]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.2.163.252 
Apr 29 01:46:13 alpha646 sshd[18117]: pam_succeed_if(sshd:auth): error retrieving information about user oracle
Apr 29 01:46:15 alpha646 sshd[18117]: Failed password for invalid user oracle from 221.2.163.252 port 55565 ssh2
Apr 29 01:46:15 alpha646 sshd[18121]: Received disconnect from 221.2.163.252: 11: Bye Bye
Apr 29 01:46:18 alpha646 sshd[18123]: Invalid user oracle from 221.2.163.252
Apr 29 01:46:18 alpha646 sshd[18126]: input_userauth_request: invalid user oracle
Apr 29 01:46:18 alpha646 sshd[18123]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 01:46:18 alpha646 sshd[18123]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.2.163.252 
Apr 29 01:46:18 alpha646 sshd[18123]: pam_succeed_if(sshd:auth): error retrieving information about user oracle
Apr 29 01:46:21 alpha646 sshd[18123]: Failed password for invalid user oracle from 221.2.163.252 port 55906 ssh2
Apr 29 01:46:21 alpha646 sshd[18126]: Received disconnect from 221.2.163.252: 11: Bye Bye
Apr 29 01:46:24 alpha646 sshd[18128]: Invalid user test from 221.2.163.252
Apr 29 01:46:24 alpha646 sshd[18131]: input_userauth_request: invalid user test
Apr 29 01:46:24 alpha646 sshd[18128]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 01:46:24 alpha646 sshd[18128]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.2.163.252 
Apr 29 01:46:24 alpha646 sshd[18128]: pam_succeed_if(sshd:auth): error retrieving information about user test
Apr 29 01:46:26 alpha646 sshd[18128]: Failed password for invalid user test from 221.2.163.252 port 56280 ssh2
Apr 29 01:46:26 alpha646 sshd[18131]: Received disconnect from 221.2.163.252: 11: Bye Bye
Apr 29 01:46:29 alpha646 sshd[18133]: Invalid user test1 from 221.2.163.252
Apr 29 01:46:29 alpha646 sshd[18136]: input_userauth_request: invalid user test1
Apr 29 01:46:29 alpha646 sshd[18133]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 01:46:29 alpha646 sshd[18133]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.2.163.252 
Apr 29 01:46:29 alpha646 sshd[18133]: pam_succeed_if(sshd:auth): error retrieving information about user test1
Apr 29 01:46:31 alpha646 sshd[18133]: Failed password for invalid user test1 from 221.2.163.252 port 56615 ssh2
Apr 29 01:46:31 alpha646 sshd[18136]: Received disconnect from 221.2.163.252: 11: Bye Bye
Apr 29 01:46:34 alpha646 sshd[18138]: Invalid user test2 from 221.2.163.252
Apr 29 01:46:34 alpha646 sshd[18141]: input_userauth_request: invalid user test2
Apr 29 01:46:34 alpha646 sshd[18138]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 01:46:34 alpha646 sshd[18138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.2.163.252 
Apr 29 01:46:34 alpha646 sshd[18138]: pam_succeed_if(sshd:auth): error retrieving information about user test2
Apr 29 01:46:36 alpha646 sshd[18138]: Failed password for invalid user test2 from 221.2.163.252 port 56986 ssh2
Apr 29 01:46:37 alpha646 sshd[18141]: Received disconnect from 221.2.163.252: 11: Bye Bye

I'm not sure if this is pretty common, but I think I have an idea of why this is happening. I have a mate in China that I was best friends with at school. To allow him access to Facebook and Twitter I have given him an account on that server to create an ssh tunnel through. Ever since that has happened, my log files have increased something crazy.
 
Does your server have an AutoIP ban for invalid attempts? Let's say the IP attempts 10 invalid attempts and is then banned/blocked?
 
Does your server have an AutoIP ban for invalid attempts? Let's say the IP attempts 10 invalid attempts and is then banned/blocked?

Nope. I just changed the default ssh port, that should stop 99.999% of this.
 
Nope. I just changed the default ssh port, that should stop 99.999% of this.

That could work. But if the guy has your IP Address of the Server he can just run a Port Scan and find SSH again.
 
That could work. But if the guy has your IP Address of the Server he can just run a Port Scan and find SSH again.

It's in a very high range that most port scanners will not scan by default.
 
This is a normal script kiddie attack. I used to get at least 10 attacks like this per day when I used to host our content and mail locally. Even my current setup, which is on a dynamic IP and is just a proxy, gets scanned daily.

You can always change your ssh port. But make sure that any user that has ssh access has 'decent' passwords.

 
denyhosts

Attempts are coming from Switzerland, would have been too funny if they originated in Oz :P
I completely forgot about installing denyhosts on ninja
.
. snip snip
.
Apr 29 07:33:40 ninja sshd[4210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103-74.61-188.cust.bluewin.ch
Apr 29 07:33:40 ninja sshd[4210]: pam_succeed_if(sshd:auth): error retrieving information about user mussa
Apr 29 07:33:43 ninja sshd[4210]: Failed password for invalid user mussa from 188.61.74.103 port 54963 ssh2
Apr 29 07:33:43 ninja sshd[4211]: Received disconnect from 188.61.74.103: 11: Bye Bye
Apr 29 07:33:45 ninja sshd[4375]: Invalid user shubi from 188.61.74.103
Apr 29 07:33:45 ninja sshd[4376]: input_userauth_request: invalid user shubi
Apr 29 07:33:45 ninja sshd[4375]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 07:33:45 ninja sshd[4375]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103-74.61-188.cust.bluewin.ch
Apr 29 07:33:45 ninja sshd[4375]: pam_succeed_if(sshd:auth): error retrieving information about user shubi
Apr 29 07:33:47 ninja sshd[4375]: Failed password for invalid user shubi from 188.61.74.103 port 55191 ssh2
Apr 29 07:33:48 ninja sshd[4376]: Received disconnect from 188.61.74.103: 11: Bye Bye
Apr 29 07:33:50 ninja sshd[2111]: Received signal 15; terminating.
Apr 29 07:33:50 ninja sshd[5030]: Invalid user shanyangi from 188.61.74.103
Apr 29 07:33:50 ninja sshd[5031]: input_userauth_request: invalid user shanyangi
Apr 29 07:33:51 ninja sshd[5030]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 07:33:51 ninja sshd[5030]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103-74.61-188.cust.bluewin.ch
Apr 29 07:33:51 ninja sshd[5030]: pam_succeed_if(sshd:auth): error retrieving information about user shanyangi
Apr 29 07:33:53 ninja sshd[5030]: Failed password for invalid user shanyangi from 188.61.74.103 port 55409 ssh2
Apr 29 07:33:53 ninja sshd[5031]: Received disconnect from 188.61.74.103: 11: Bye Bye
 
Private/Public key authentication

Why not look at using key authentication to your servers, and disable root access. That way only the corresponding encryption key will allow log on to the server.

It won't stop the script attempted hacks but it will pretty much ensure your server security doesn't get compromised.

I would also install software to block any failed attempts after 10 attempts.
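The auto-ban asked about earlier in the thread (ban a source once it reaches 10 invalid attempts) and suggested again in the post above, as an added example that is not code from anyone in this thread: a fail2ban-style counter replayed over sshd "Failed password" lines in the format quoted at the top. The threshold, window and ban length are assumed values (fail2ban's real sshd filter uses its own, broader regexes), the log lines are constructed to mirror the ones above with an assumed year, and 198.51.100.7 is a made-up second source used to show why the window matters.

```python
"""fail2ban-style auto-ban over sshd "Failed password" lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed password" lines quoted in the thread. The "invalid user"
# prefix is optional: root is a real account, so its line lacks it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

BASE = datetime(2011, 4, 29, 1, 46, 8)   # year is an assumption; syslog omits it
FAST_IP = "221.2.163.252"                # the source seen in the thread's logs
SLOW_IP = "198.51.100.7"                 # constructed second source (doc range)


def parse_failed(line, year=BASE.year):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class AutoBan:
    """Ban an IP after `maxretry` failures inside a sliding `findtime` window;
    the ban lasts `bantime` seconds. Failures during a ban are not counted."""

    def __init__(self, maxretry=10, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> ban expiry timestamp

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[ip]              # ban has expired
            return False
        return True

    def observe(self, line):
        """Feed one log line; return the IP if this line triggers a new ban."""
        parsed = parse_failed(line)
        if parsed is None:                   # disconnects, pam noise, etc.
            return None
        ts, _user, ip = parsed
        if self.is_banned(ip, ts):
            return None
        window = self.failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # forget failures outside the window
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None


def failed_line(offset_s, user, ip, port=55247, invalid=True):
    """Build a constructed 'Failed password' line offset_s seconds after BASE."""
    ts = BASE + timedelta(seconds=offset_s)
    who = f"invalid user {user}" if invalid else user
    return (f"{ts:%b %d %H:%M:%S} alpha646 sshd[18112]: "
            f"Failed password for {who} from {ip} port {port} ssh2")


def sample_log():
    """Constructed log: FAST_IP guesses every 5 s like the thread's attacker,
    SLOW_IP spaces its guesses 15 min apart, and disconnect lines are mixed in."""
    lines, users = [], ["root", "oracle", "test", "test1"]
    for i in range(12):
        lines.append(failed_line(5 * i, users[i % 4], FAST_IP, 55247 + i, invalid=i % 4 != 0))
        ts = BASE + timedelta(seconds=5 * i)
        lines.append(f"{ts:%b %d %H:%M:%S} alpha646 sshd[18115]: "
                     f"Received disconnect from {FAST_IP}: 11: Bye Bye")
        lines.append(failed_line(900 * i, "admin", SLOW_IP, 40000 + i))
    return lines


def run_policy(lines, **policy):
    """Replay `lines` through AutoBan; return the IPs banned, in order."""
    ban = AutoBan(**policy)
    return [ip for ip in map(ban.observe, lines) if ip is not None]


if __name__ == "__main__":
    log = sample_log()
    print("maxretry=10 findtime=600  :", run_policy(log))
    print("maxretry=10 findtime=10800:", run_policy(log, findtime=10800))
```

With the default 10-minute window only the fast source is banned; the slow one never has more than one failure inside the window, which is why a bare "10 failures ever" counter and a windowed one behave differently. Widening the window to three hours catches both. Whatever tool does this for real (fail2ban, denyhosts) should feed the resulting IPs to the firewall or to /etc/hosts.deny rather than just logging them.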
 
Why not look at using key authentication to your servers, and disable root access. That way only the corresponding encryption key will allow log on to the server.

Because multiple people ssh into that server and use it for things like WoW gaming and such. I need root access. There's a fine line between security and functionality, and these servers need to be functional. I keep them fully patched and updated and the root password is not something you will be able to brute force.
 
Because multiple people ssh into that server and use it for things like WoW gaming and such. I need root access. There's a fine line between security and functionality, and these servers need to be functional. I keep them fully patched and updated and the root password is not something you will be able to brute force.

What I meant was disable root login to the box. You can always use the wheel group to assign sudo privileges, but fair enough, if many people log into the server then encryption methods are probably not the most practical method.
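The advice in the two posts above (disable root login, authenticate with keys, hand out root work through the wheel group and sudo), as an added example that is not code from the thread: a checker for the global scope of an sshd_config. It exists because two sshd_config rules regularly undo a hardening edit silently: the first value given for a keyword wins and later repeats are ignored, and anything placed after a Match line applies only to the matched clients. The policy table and both sample configs are constructed for the example.

```python
"""Audit the global scope of an sshd_config for the hardening discussed above."""
import re

# Policy the posts above argue for: no root login, keys only, no passwords.
# Which keywords to require is an assumption of this example, not from the thread.
WANTED = {
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}


def effective_settings(text):
    """Return {keyword: value} as sshd applies them to every connection.

    The FIRST value given for a keyword wins; later repeats are ignored.
    Everything after a Match line applies only to the matched connections,
    so parsing stops there. Keywords are case-insensitive and '=' may
    separate key and value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    return settings


def audit(text):
    """Return [(keyword, found, wanted)] for each keyword whose global value
    differs from WANTED. A keyword that is never set is reported with
    found=None: compiled-in defaults differ between OpenSSH versions, so the
    audit insists on an explicit value instead of guessing a default."""
    got = effective_settings(text)
    return [(k, got.get(k), v) for k, v in WANTED.items() if got.get(k) != v]


# Constructed "before" config: both pitfalls are present. The second
# PermitRootLogin is ignored and the PasswordAuthentication under Match
# only applies to 10.0.0.0/8, so root and password logins stay open.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# later repeat: ignored, sshd keeps the first value
PermitRootLogin no
Match Address 10.0.0.0/8
    # applies only to clients in that range
    PasswordAuthentication no
"""

# Constructed "after" config with the port moved as the thread did.
HARDENED = """\
Port 22022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", audit(cfg) or "ok")
```

On a live host `sshd -T` prints the effective configuration and is the authoritative check; this parser ignores Match scopes and Include files entirely. ChallengeResponseAuthentication (KbdInteractiveAuthentication on newer OpenSSH) is in the table because with UsePAM yes the keyboard-interactive path can still prompt for a password after PasswordAuthentication is off. Turning PasswordAuthentication off only after every user's key is in place is what keeps the gaming users above working.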
 
probably just kids having fun.
Chinese crackers go for Google, not your linux box.
:D
 