Gentoo Forums
Unauthorized sshd connection attempts - Security problem?
Gruenwald
Tux's lil' helper


Joined: 02 Feb 2005
Posts: 101

Posted: Thu Jun 09, 2005 10:28 am    Post subject: Unauthorized sshd connection attempts - Security problem?

When I check my system logs, I am finding many lines relating to sshd and unauthorized attempts to connect as follows:
Code:
Jun  9 04:21:55 gruenwald sshd[31772]: Did not receive identification string from ::ffff:210.118.193.95
Jun  9 04:27:12 gruenwald sshd[31823]: Invalid user 0002593w from ::ffff:210.118.193.95
Jun  9 04:27:13 gruenwald sshd[31825]: Invalid user 511 from ::ffff:210.118.193.95
Jun  9 04:27:15 gruenwald sshd[31827]: Invalid user Account from ::ffff:210.118.193.95
Jun  9 04:27:17 gruenwald sshd[31829]: Invalid user Barrera from ::ffff:210.118.193.95
Jun  9 04:27:19 gruenwald sshd[31831]: Invalid user Castro from ::ffff:210.118.193.95
Jun  9 04:27:20 gruenwald sshd[31833]: Invalid user Castromonte from ::ffff:210.118.193.95
Jun  9 04:27:22 gruenwald sshd[31835]: Invalid user Dahlan from ::ffff:210.118.193.95
Jun  9 04:27:24 gruenwald sshd[31837]: Invalid user Dahlan from ::ffff:210.118.193.95
Jun  9 04:27:25 gruenwald sshd[31840]: Invalid user Gurriz from ::ffff:210.118.193.95
Jun  9 04:27:27 gruenwald sshd[31842]: Invalid user IBM from ::ffff:210.118.193.95
Jun  9 04:27:29 gruenwald sshd[31844]: Invalid user Jubilados from ::ffff:210.118.193.95
Jun  9 04:27:31 gruenwald sshd[31846]: Invalid user Manager from ::ffff:210.118.193.95
Jun  9 04:27:32 gruenwald sshd[31848]: Invalid user Marrufo from ::ffff:210.118.193.95
Jun  9 04:27:34 gruenwald sshd[31850]: Invalid user Mondragon from ::ffff:210.118.193.95
Jun  9 04:27:36 gruenwald sshd[31852]: Invalid user NPOrderProcessor from ::ffff:210.118.193.95
Jun  9 04:27:38 gruenwald sshd[31854]: Invalid user Ngadino from ::ffff:210.118.193.95
Jun  9 04:27:39 gruenwald sshd[31856]: Invalid user Owner from ::ffff:210.118.193.95
Jun  9 04:27:41 gruenwald sshd[31858]: Invalid user Perez from ::ffff:210.118.193.95
Jun  9 04:27:43 gruenwald sshd[31860]: Invalid user Program from ::ffff:210.118.193.95
Jun  9 04:27:44 gruenwald sshd[31862]: Invalid user Ramos from ::ffff:210.118.193.95
Jun  9 04:27:46 gruenwald sshd[31864]: Invalid user Romero from ::ffff:210.118.193.95
Jun  9 04:27:48 gruenwald sshd[31866]: Invalid user SSH from ::ffff:210.118.193.95
Jun  9 04:27:50 gruenwald sshd[31868]: Invalid user Server from ::ffff:210.118.193.95
Jun  9 04:27:51 gruenwald sshd[31870]: Invalid user Server from ::ffff:210.118.193.95
Jun  9 04:27:53 gruenwald sshd[31872]: Invalid user Skurzynski from ::ffff:210.118.193.95
Jun  9 04:27:55 gruenwald sshd[31874]: Invalid user User from ::ffff:210.118.193.95
Jun  9 04:27:57 gruenwald sshd[31876]: Invalid user Winter from ::ffff:210.118.193.95
Jun  9 04:27:58 gruenwald sshd[31878]: Invalid user Wong from ::ffff:210.118.193.95
Jun  9 04:28:00 gruenwald sshd[31880]: Invalid user a1775b from ::ffff:210.118.193.95
Jun  9 04:28:02 gruenwald sshd[31882]: Invalid user aaaa from ::ffff:210.118.193.95
Jun  9 04:28:04 gruenwald sshd[31884]: Invalid user aandjstructural from ::ffff:210.118.193.95
Jun  9 04:28:05 gruenwald sshd[31886]: Invalid user aaron from ::ffff:210.118.193.95
Jun  9 04:28:07 gruenwald sshd[31888]: Invalid user aaron from ::ffff:210.118.193.95
Jun  9 04:28:09 gruenwald sshd[31890]: Invalid user aaron2 from ::ffff:210.118.193.95
Jun  9 04:28:10 gruenwald sshd[31892]: Invalid user abaintelkam from ::ffff:210.118.193.95
Jun  9 04:28:12 gruenwald sshd[31894]: Invalid user abe from ::ffff:210.118.193.95
Jun  9 04:28:14 gruenwald sshd[31896]: Invalid user abetterheadofhair from ::ffff:210.118.193.95
Jun  9 04:28:16 gruenwald sshd[31898]: Invalid user abi from ::ffff:210.118.193.95
Jun  9 04:28:17 gruenwald sshd[31900]: Invalid user ac from ::ffff:210.118.193.95
Jun  9 04:28:19 gruenwald sshd[31902]: Invalid user achaer74 from ::ffff:210.118.193.95
Jun  9 04:28:21 gruenwald sshd[31904]: Invalid user achmad from ::ffff:210.118.193.95
Jun  9 04:28:23 gruenwald sshd[31906]: Invalid user adam from ::ffff:210.118.193.95
Jun  9 04:28:24 gruenwald sshd[31908]: Invalid user adam from ::ffff:210.118.193.95
Jun  9 04:28:26 gruenwald sshd[31910]: Invalid user adam from ::ffff:210.118.193.95
Jun  9 04:28:28 gruenwald sshd[31912]: Invalid user addressbook from ::ffff:210.118.193.95
Jun  9 04:28:29 gruenwald sshd[31914]: Invalid user adelosreyes from ::ffff:210.118.193.95
Jun  9 04:28:31 gruenwald sshd[31916]: Invalid user ades from ::ffff:210.118.193.95
Jun  9 04:28:33 gruenwald sshd[31918]: Invalid user adewira from ::ffff:210.118.193.95


I don't know if this is common and innocuous, or if it is a matter for serious concern?

Is there anyone familiar with this who could shed some light on the problem?

Thanks...
kernelsensei
Bodhisattva


Joined: 22 Feb 2004
Posts: 5619
Location: Woustviller/Moselle/FRANCE (49.07°N;7.02°E)

Posted: Thu Jun 09, 2005 10:37 am

The attacker is trying a brute-force attack (he tries a lot of usernames and passwords). If your passwords are secure, that's not a problem.
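The guessing pattern described in the reply above can be confirmed from the log itself. This is an added example, not part of the original posts: it parses `Invalid user` lines in the format shown in the question, normalizes the `::ffff:` IPv4-mapped source addresses, and flags sources that exceed a rate threshold. The function names, the threshold of 5 attempts in 60 seconds, the assumed year and the `192.0.2.10` line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
# First five lines come from the log in the question; the 192.0.2.10 line is constructed.
SAMPLE_LOG = """\
Jun  9 04:27:12 gruenwald sshd[31823]: Invalid user 0002593w from ::ffff:210.118.193.95
Jun  9 04:27:13 gruenwald sshd[31825]: Invalid user 511 from ::ffff:210.118.193.95
Jun  9 04:27:15 gruenwald sshd[31827]: Invalid user Account from ::ffff:210.118.193.95
Jun  9 04:27:22 gruenwald sshd[31835]: Invalid user Dahlan from ::ffff:210.118.193.95
Jun  9 04:27:24 gruenwald sshd[31837]: Invalid user Dahlan from ::ffff:210.118.193.95
Jun  9 09:02:40 gruenwald sshd[32101]: Invalid user jsmith from 192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
                     r"Invalid user (?P<user>.*) from (?P<src>\S+)\s*$")

def parse_invalid_user(line, year=2005):
    """Return (time, user, source) or None. Syslog omits the year, so it is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    try:
        addr = ip_address(m["src"])
        # ::ffff:a.b.c.d is an IPv4-mapped IPv6 address; report the plain IPv4 form.
        src = str(getattr(addr, "ipv4_mapped", None) or addr)
    except ValueError:
        src = m["src"]  # not an IP literal: keep it as logged
    return ts, m["user"], src

def find_guessing_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with at least `threshold` invalid-user attempts inside `window`."""
    events = defaultdict(list)
    for parsed in map(parse_invalid_user, log_text.splitlines()):
        if parsed:
            events[parsed[2]].append(parsed[:2])
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = peak = 0
        for end in range(len(hits)):  # sliding window over time-sorted attempts
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = {"attempts": len(hits), "peak_in_window": peak,
                            "distinct_users": len({user for _, user in hits})}
    return flagged
```

Calling `find_guessing_sources(SAMPLE_LOG)` reports only the source that cycles through usernames at machine speed; the single constructed failure from `192.0.2.10` stays below the threshold.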
Gruenwald
Tux's lil' helper


Joined: 02 Feb 2005
Posts: 101

Posted: Thu Jun 09, 2005 10:44 am

Thank you! :)
zen_guerrilla
Guru


Joined: 18 Apr 2002
Posts: 343
Location: Greece

Posted: Thu Jun 09, 2005 11:23 am

A nice n' easy practice to avoid the added net load by these attacks (which could become a nice DoS attack, if your box has limited resources) is to make sshd listen on another port (like 666), in /etc/ssh/sshd_config put: "Port 666" & you're done.
amne
Bodhisattva


Joined: 17 Nov 2002
Posts: 6378
Location: Graz / EU

Posted: Thu Jun 09, 2005 5:21 pm

That's what happened to some folks in "i got hacked. what were they up to?"

The thread contains some hints on how to secure your sshd.

Moved from N&S to Duplicate Threads, please use the other one if anything is still unclear.
All times are GMT