SSH [SOLVED]: who is trying to brute-force my password?

SSH [SOLVED]: who is trying to brute-force my password?

Home Forums SSH SSH [SOLVED]: who is trying to brute-force my password?

Tagged: , , ,

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #35468

    Anonymous

    QuestionQuestion

    I was looking into my log files on my server and I found the following lines in: /var/log/.auth.log.1:

    pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruse      r= rhost=218.87.109.156  user=root
    Failed password for root from 218.87.109.156 port 7612 ssh2
    message repeated 5 times: [ Failed password for root from 218.87.109.156 port 7      612 ssh2]
    error: maximum authentication attempts exceeded for root from 218.87.109.156 po      rt 7612 ssh2 [preauth]
    Disconnecting: Too many authentication failures [preauth]
    PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=      218.87.109.156  user=root
    PAM service(sshd) ignoring max retries; 6 > 3
    pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruse      r= rhost=218.87.109.156  user=root
    Failed password for root from 218.87.109.156 port 50092 ssh2
    message repeated 5 times: [ Failed password for root from 218.87.109.156 port 5      0092 ssh2]
    Failed password for invalid user service from 188.187.119.158 port 52722 ssh2
    pam_unix(sshd:auth): check pass; user unknown
    Failed password for root from 113.195.145.79 port 6500 ssh2
    Received disconnect from 121.18.238.39 port 58070:11:  [preauth]
    Failed password for root from 121.18.238.119 port 57538 ssh2
    Failed password for root from 121.18.238.39 port 57268 ssh2
    Failed password for root from 121.18.238.106 port 34360 ssh2
    Disconnected from 92.222.216.31 port 58960 [preauth]
    Invalid user truman from 92.222.216.31
    Received disconnect from 92.222.216.31 port 33922:11: Normal Shutdown, Thank you       for playing [preauth]
    input_userauth_request: invalid user truman [preauth]
    

    And it keeps going on like this for thousands of lines!

    And also somewhere I have:

    Nov 30 13:17:01 Aran CRON[6038]: pam_unix(cron:session): session opened for user root by (uid=0)
    

    What does CRON mean in here?
    so can somebody please explain to me what are these logs? Am I in danger? what should I do to get myself more secure?

    #35469

    Anonymous

    Accepted AnswerAnswer

    This answer doesn’t really answer who is trying to log into your host, but it can give you an idea of where the person is coming from.

    If you’re going to use passwords for logging in through ssh, you should take some precautions as to people trying to hack into your system. For my personal use I like to use fail2ban and then I wrote my own script that uses iptables and ipset. The latter part I use for complete blocking of country IPs from coming in to my host on port 22. I have also installed geoiplookup as a way to see where the IP is coming from to decide if I want to block the country or not. The script I have below obtains the sets of IPs from ipdeny.com. It has drastically reduced the amount of attempts on my host since I leave port 22 open most of the time.


    Installing fail2ban:

    sudo apt install fail2ban
    

    Usually with fail2ban the default settings are OK. If you want to change them make sure to copy /etc/fail2ban/jail.conf as /etc/fail2ban/jail.local and make the modifications to the jail.local file you have created. You can also see failed attempts in the /var/log/fail2ban.log file.


    Installing geoiplookup:

    sudo apt install geoip-bin
    

    Then you can see where the IP addresses are coming from.

    ~$ geoiplookup 218.87.109.156
    GeoIP Country Edition: CN, China
    

    The country blocking script that I created.

    A required application for the country block is ipset. This application allows iptables to use a block of IPs instead of showing every individual IP address when you check the status of iptables.

    sudo apt install ipset
    

    I am certain that there is a lot that can be cleaned up. I put mine in my home folder and called it country_block.bsh. Since the script makes changes to iptables it has to be called from sudo. I did add the check into the script.

    #!/bin/bash
    
    function custom(){
        echo "Removing CUSTOM_IP set..."
        prts=$(iptables -nvL INPUT | grep "CUSTOM_IP" | awk '{print $15}')
        iptables -D INPUT -p tcp -m set --match-set CUSTOM_IP src -m multiport --dport ${prts} -j DROP 2>/dev/null
        ipset destroy CUSTOM_IP
        ipset -N CUSTOM_IP hash:net
        echo "Creating CUSTOM_IP set..."
        for i in $(cat custom.zone); do ipset -A CUSTOM_IP $i; done
        echo "Creating rules for CUSTOM_IP set..."
        iptables -A INPUT -p tcp -m set --match-set CUSTOM_IP src -m multiport --dports ${ports} -j DROP
    }
    
    function tablecheck(){
        iptables -S INPUT | grep -v ACCEPT 
    }
    
    # Check for ipset
    which ipset >/dev/null
    case $? in
    1) echo "ipset not found on system.  Please install ipset application."
    exit 1;;
    0);;
    esac
    
    
    # Check for root
    if [ "$EUID" -ne 0 ]; then
      echo "Please run this script as root"
      exit 1
    fi
    
    # Set ports
    ports=22,10000
    
    # Check for country codes, if none, print list.
    if [[ $@ == "" ]]; then
        curl http://www.ipdeny.com/ipblocks/ 2>/dev/null | grep "<td>" | awk -F'<p>' '{print $2}' | awk -F'[' '{print $1}' | grep -v -e '^$'
        echo "Choose any of the countries by typing in the two letter code between the ( )."
        exit
    fi
    
    if [[ $1 == "custom" ]]; then
        if [ ! -f custom.zone ]; then
            echo "Missing custom.zone file.  Please create custom.zone file with IP addresses for blocking."
            exit
        fi
        custom
        tablecheck
        exit
    fi
    
    
    #Set ISO to country code(s).
    ISO=$@
    
    #Start Loop for country IP blocks and creating IPTABLES chain(s).
    for c in $ISO; do
    
        #Convert to lowercase.  If already lowercase, ignored.
        c=$(echo $c | awk '{print tolower($0)}')
        #Match code to country name
        country=$(curl http://www.ipdeny.com/ipblocks/ 2>/dev/null | grep ($(echo $c | awk '{print toupper($0)}')) | awk -F'<p>' '{print $2}' | awk -F'(' '{print $1}' | sed 's/ //g' | sed 's/,//g')
    
        # Truncate to 31 characters if too long.
        country=${country:0:31}
        echo "Got country $country..."
    
        echo "Removing Existing Rule for $country (if any)..."
        prts=$(iptables -nvL INPUT | grep "$country" | awk '{print $15}')
        iptables -D INPUT -p tcp -m set --match-set "$country" src -m multiport --dport ${prts} -j DROP 2>/dev/null
        ipset destroy $country
        ipset -N $country hash:net
        rm $c.zone 2>/dev/null
    
        echo "Downloading IP block for $country..."
        wget -P . http://www.ipdeny.com/ipblocks/data/countries/$c.zone 2>/dev/null
        echo "Checking for invalid IP ranges in $country zone..."
        for i in $(seq 1 7); do grep "/$i$" $c.zone; if [[ $? == "0" ]]; then sed -i "s//${i}$//24/" $c.zone; echo "Fixed..."; fi; done
        echo "Creating iptable block for $country..."
        for i in $(cat $c.zone); do ipset -A "$country" $i; done
    
        echo "Adding rule to firewall..."
        iptables -A INPUT -p tcp -m set --match-set "$country" src -m multiport --dports ${ports} -j DROP
    
        echo "Added Firewall Rule for $country"
        rm $c.zone 2>/dev/null
    done
    
    if [[ $# == "1" || $1 -ne "custom" ]]; then
        tablecheck
    else
        if [ ! -f custom.zone ]; then
            echo "Missing custom.zone file.  Please create custom.zone file with IP addresses for blocking."
            tablecheck
            exit
        fi
        custom
    fi
    
    if [[ $# -ne "1" ]]; then
        tablecheck
    fi
    
    #iptables -S INPUT | grep -v ACCEPT 
    

    You can then create a custom.zone in the same folder as the country_block.bsh file with just IPs that might be trying over and over again to hack your system. Add them with a /32 at the end of the IP address like 217.99.238.106/32. After you add your own custom IPs, you can reload them in simply by running:

    sudo ./country_block.bsh custom
    

    Be careful not to block your own country or your own public IP.

    Also be careful not to block any other ports that are not open. If you block port 80, there is a chance that if you visit a website from that country it will not load because it cannot return to your system on port 80.

    Then I created another script in my home folder called cb_update.bsh that contains all the countries I want to block.

    #!/bin/bash
    
    cd /home/terrance/scripts/
    ./country_block.bsh cn ru nl de dk fr id ie it kr sg tw vn br ua pt il gb jp pk ar co fi in
    

    Then I added the following lines to my /etc/crontab file. It covers every time my system reboots and it updates the list at 01:05 in the morning.

    $ cat /etc/crontab
    
    @reboot     root    /bin/bash -c 'sleep 20 && /home/terrance/cb_update.bsh'
    01 05   * * *   root    /home/terrance/cb_update.bsh
    

    If you run the script by itself, it will give you the country codes:

    terrance@terrance-ubuntu:~/scripts$ sudo ./country_block.bsh 
    AFGHANISTAN (AF) 
    LAND ISLANDS (AX) 
    ALBANIA (AL) 
    ALGERIA (DZ) 
    AMERICAN SAMOA (AS) 
    ANDORRA (AD) 
    ANGOLA (AO) 
    ANGUILLA (AI) 
    ANTIGUA AND BARBUDA (AG) 
    ARGENTINA (AR) 
    ARMENIA (AM) 
    ARUBA (AW) 
    AUSTRALIA (AU) 
    AUSTRIA (AT) 
    AZERBAIJAN (AZ) 
    BAHAMAS (BS) 
    BAHRAIN (BH) 
    BANGLADESH (BD) 
    BARBADOS (BB) 
    BELARUS (BY) 
    BELGIUM (BE) 
    BELIZE (BZ) 
    BENIN (BJ) 
    BERMUDA (BM) 
    BHUTAN (BT) 
    BOLIVIA (BO) 
    BOSNIA AND HERZEGOVINA (BA) 
    BOTSWANA (BW) 
    BRAZIL (BR) 
    BRITISH INDIAN OCEAN TERRITORY (IO) 
    BRUNEI DARUSSALAM (BN) 
    BULGARIA (BG) 
    BURKINA FASO (BF) 
    BURUNDI (BI) 
    CAMBODIA (KH) 
    CAMEROON (CM) 
    CANADA (CA) 
    CAPE VERDE (CV) 
    CAYMAN ISLANDS (KY) 
    CENTRAL AFRICAN REPUBLIC (CF) 
    CHAD (TD) 
    CHILE (CL) 
    CHINA (CN) 
    COLOMBIA (CO) 
    COMOROS (KM) 
    CONGO (CG) 
    CONGO, THE DEMOCRATIC REPUBLIC OF THE (CD) 
    COOK ISLANDS (CK) 
    COSTA RICA (CR) 
    COTE D'IVOIRE (CI) 
    CROATIA (HR) 
    CUBA (CU) 
    CYPRUS (CY) 
    CZECH REPUBLIC (CZ) 
    DENMARK (DK) 
    DJIBOUTI (DJ) 
    DOMINICA (DM) 
    DOMINICAN REPUBLIC (DO) 
    ECUADOR (EC) 
    EGYPT (EG) 
    EL SALVADOR (SV) 
    EQUATORIAL GUINEA (GQ) 
    ERITREA (ER) 
    ESTONIA (EE) 
    ETHIOPIA (ET) 
    FAROE ISLANDS (FO) 
    FIJI (FJ) 
    FINLAND (FI) 
    FRANCE (FR) 
    FRENCH GUIANA (GF) 
    FRENCH POLYNESIA (PF) 
    GABON (GA) 
    GAMBIA (GM) 
    GEORGIA (GE) 
    GERMANY (DE) 
    GHANA (GH) 
    GIBRALTAR (GI) 
    GREECE (GR) 
    GREENLAND (GL) 
    GRENADA (GD) 
    GUADELOUPE (GP) 
    GUAM (GU) 
    GUATEMALA (GT) 
    GUINEA (GN) 
    GUINEA-BISSAU (GW) 
    GUYANA (GY) 
    HAITI (HT) 
    HOLY SEE (VATICAN CITY STATE) (VA) 
    HONDURAS (HN) 
    HONG KONG (HK) 
    HUNGARY (HU) 
    ICELAND (IS) 
    INDIA (IN) 
    INDONESIA (ID) 
    IRAN, ISLAMIC REPUBLIC OF (IR) 
    IRAQ (IQ) 
    IRELAND (IE) 
    ISLE OF MAN (IM) 
    ISRAEL (IL) 
    ITALY (IT) 
    JAMAICA (JM) 
    JAPAN (JP) 
    JERSEY (JE) 
    JORDAN (JO) 
    KAZAKHSTAN (KZ) 
    KENYA (KE) 
    KIRIBATI (KI) 
    KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF (KP) 
    KOREA, REPUBLIC OF (KR) 
    KUWAIT (KW) 
    KYRGYZSTAN (KG) 
    LAO PEOPLE'S DEMOCRATIC REPUBLIC (LA) 
    LATVIA (LV) 
    LEBANON (LB) 
    LESOTHO (LS) 
    LIBERIA (LR) 
    LIBYAN ARAB JAMAHIRIYA (LY) 
    LIECHTENSTEIN (LI) 
    LITHUANIA (LT) 
    LUXEMBOURG (LU) 
    MACAO (MO) 
    MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF (MK) 
    MADAGASCAR (MG) 
    MALAWI (MW) 
    MALAYSIA (MY) 
    MALDIVES (MV) 
    MALI (ML) 
    MALTA (MT) 
    MARSHALL ISLANDS (MH) 
    MARTINIQUE (MQ) 
    MAURITANIA (MR) 
    MAURITIUS (MU) 
    MAYOTTE (YT) 
    MEXICO (MX) 
    MICRONESIA, FEDERATED STATES OF (FM) 
    MOLDOVA, REPUBLIC OF (MD) 
    MONACO (MC) 
    MONGOLIA (MN) 
    MONTENEGRO (ME) 
    MONTSERRAT (MS) 
    MOROCCO (MA) 
    MOZAMBIQUE (MZ) 
    MYANMAR (MM) 
    NAMIBIA (NA) 
    NAURU (NR) 
    NEPAL (NP) 
    NETHERLANDS (NL) 
    NEW CALEDONIA (NC) 
    NEW ZEALAND (NZ) 
    NICARAGUA (NI) 
    NIGER (NE) 
    NIGERIA (NG) 
    NIUE (NU) 
    NORFOLK ISLAND (NF) 
    NORTHERN MARIANA ISLANDS (MP) 
    NORWAY (NO) 
    OMAN (OM) 
    PAKISTAN (PK) 
    PALAU (PW) 
    PALESTINIAN TERRITORY, OCCUPIED (PS) 
    PANAMA (PA) 
    PAPUA NEW GUINEA (PG) 
    PARAGUAY (PY) 
    PERU (PE) 
    PHILIPPINES (PH) 
    POLAND (PL) 
    PORTUGAL (PT) 
    PUERTO RICO (PR) 
    QATAR (QA) 
    REUNION (RE) 
    ROMANIA (RO) 
    RUSSIAN FEDERATION (RU) 
    RWANDA (RW) 
    SAINT KITTS AND NEVIS (KN) 
    SAINT LUCIA (LC) 
    SAINT PIERRE AND MIQUELON (PM) 
    SAINT VINCENT AND THE GRENADINES (VC) 
    SAMOA (WS) 
    SAN MARINO (SM) 
    SAO TOME AND PRINCIPE (ST) 
    SAUDI ARABIA (SA) 
    SENEGAL (SN) 
    SERBIA (RS) 
    SEYCHELLES (SC) 
    SIERRA LEONE (SL) 
    SINGAPORE (SG) 
    SLOVAKIA (SK) 
    SLOVENIA (SI) 
    SOLOMON ISLANDS (SB) 
    SOMALIA (SO) 
    SOUTH AFRICA (ZA) 
    SPAIN (ES) 
    SRI LANKA (LK) 
    SUDAN (SD) 
    SURINAME (SR) 
    SWAZILAND (SZ) 
    SWEDEN (SE) 
    SWITZERLAND (CH) 
    SYRIAN ARAB REPUBLIC (SY) 
    TAIWAN (TW) 
    TAJIKISTAN (TJ) 
    TANZANIA, UNITED REPUBLIC OF (TZ) 
    THAILAND (TH) 
    TIMOR-LESTE (TL) 
    TOGO (TG) 
    TOKELAU (TK) 
    TONGA (TO) 
    TRINIDAD AND TOBAGO (TT) 
    TUNISIA (TN) 
    TURKEY (TR) 
    TURKMENISTAN (TM) 
    TURKS AND CAICOS ISLANDS (TC) 
    TUVALU (TV) 
    UGANDA (UG) 
    UKRAINE (UA) 
    UNITED ARAB EMIRATES (AE) 
    UNITED KINGDOM (GB) 
    UNITED STATES (US) 
    UNITED STATES MINOR OUTLYING ISLANDS (UM) 
    URUGUAY (UY) 
    UZBEKISTAN (UZ) 
    VANUATU (VU) 
    VENEZUELA (VE) 
    VIET NAM (VN) 
    VIRGIN ISLANDS, BRITISH (VG) 
    VIRGIN ISLANDS, U.S. (VI) 
    WALLIS AND FUTUNA (WF) 
    YEMEN (YE) 
    ZAMBIA (ZM) 
    ZIMBABWE (ZW) 
    Choose any of the countries by typing in the two letter code between the ( ).
    

    You can then check at anytime the hits that might be happening to your system.

    $ sudo iptables -nvL INPUT
    Chain INPUT (policy ACCEPT 9523 packets, 3125K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
        0     0 f2b-proftpd  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
     2847  170K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
       12   548 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set CHINA src multiport dports 22,10000
        4   176 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set RUSSIANFEDERATION src multiport dports 22,10000
        1    44 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set NETHERLANDS src multiport dports 22,10000
        2    88 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set GERMANY src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set DENMARK src multiport dports 22,10000
      157  8156 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set FRANCE src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set INDONESIA src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IRELAND src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ITALY src multiport dports 22,10000
        4   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set KOREAREPUBLICOF src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set SINGAPORE src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TAIWAN src multiport dports 22,10000
      947 48804 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set VIETNAM src multiport dports 22,10000
        2    92 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set BRAZIL src multiport dports 22,10000
        6   264 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set UKRAINE src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PORTUGAL src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ISRAEL src multiport dports 22,10000
        3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set UNITEDKINGDOM src multiport dports 22,10000
        1    44 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set JAPAN src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PAKISTAN src multiport dports 22,10000
        2    88 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ARGENTINA src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set COLOMBIA src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set FINLAND src multiport dports 22,10000
        4   188 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set INDIA src multiport dports 22,10000
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set CUSTOM_IP src multiport dports 22,10000
    

    Hope this helps!

    Source: https://askubuntu.com/questions/983576/who-is-trying-to-brute-force-my-password
    Author: Terrance
    Creative Commons License
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.