Hacking attempts and how to limit them.

Just recently been going over some of the logs I have mailed to me and was not happy with the amount of hacking attempts I have been getting lately.  I guess the first part of my question is, do I have any recourse against the isp of the perp?  The logs don't list the exact time of the atttempt, but only the ip, user name they tried to log on with, and the date.  

Second question is, is there any way to limit the amount of log in attempts per ip, before totally cutting them off from being able to make another log in attempt, or can I at least add the ip to a list, and have that list "consulted" before offering a log on, or such?

Here is what my list looks like:

 --------------------- pam_unix Begin ------------------------

sshd:
   Invalid Users:
      Unknown Account: 131 Time(s)
   Authentication Failures:
      unknown (61-221-115-35.hinet-ip.hinet.net ): 107 Time(s)
      root (218.158.126.247 ): 18 Time(s)
      root (61-221-115-35.hinet-ip.hinet.net ): 80 Time(s)
      admin (61-221-115-35.hinet-ip.hinet.net ): 54 Time(s)
      admin (218.158.126.247 ): 12 Time(s)
      unknown (218.158.126.247 ): 24 Time(s)


 ---------------------- pam_unix End -------------------------
 --------------------- SSHD Begin ------------------------


Failed logins from these:
   admin/password from 218.158.126.247: 12 Time(s)
   admin/password from 61.221.115.35: 54 Time(s)
   guest/password from 218.158.126.247: 6 Time(s)
   guest/password from 61.221.115.35: 27 Time(s)
   root/password from 218.158.126.247: 18 Time(s)
   root/password from 61.221.115.35: 80 Time(s)
   test/password from 218.158.126.247: 12 Time(s)
   test/password from 61.221.115.35: 53 Time(s)
   user/password from 218.158.126.247: 6 Time(s)
   user/password from 61.221.115.35: 27 Time(s)

**Unmatched Entries**
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user guest from 218.158.126.247
Illegal user guest from 218.158.126.247
Illegal user guest from 218.158.126.247
Illegal user guest from 218.158.126.247
Illegal user guest from 218.158.126.247
Illegal user guest from 218.158.126.247
Illegal user user from 218.158.126.247
Illegal user user from 218.158.126.247
Illegal user user from 218.158.126.247
Illegal user user from 218.158.126.247
Illegal user user from 218.158.126.247
Illegal user user from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user guest from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user user from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35
Illegal user test from 61.221.115.35

 ---------------------- SSHD End -------------------------
Did a tracert and came up with:

Tracing route to 61-221-115-35.HINET-IP.hinet.net [61.221.115.35]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2    14 ms    11 ms    12 ms  10.117.96.1
  3    10 ms    13 ms    10 ms  172.30.24.81
  4    20 ms    19 ms    20 ms  12.126.174.21
  5    22 ms    19 ms    19 ms  gbr6-p30.wswdc.ip.att.net [12.123.9.70]
  6    23 ms    23 ms    23 ms  tbr2-p013701.wswdc.ip.att.net [12.122.11.189]
  7    21 ms    19 ms    20 ms  ggr2-p3120.wswdc.ip.att.net [12.123.9.117]
  8    20 ms    24 ms    23 ms  so-0-1-0.BR2.DCA5.ALTER.NET [204.255.169.1]
  9    24 ms    28 ms    23 ms  0.so-4-3-0.XL1.DCA5.ALTER.NET [152.63.48.178]
 10    26 ms    23 ms    23 ms  0.so-0-0-0.TL1.DCA6.ALTER.NET [152.63.38.69]
 11    99 ms    99 ms    99 ms  0.so-5-0-0.TL1.SCL2.ALTER.NET [152.63.1.33]
 12    98 ms    95 ms    95 ms  0.so-7-0-0.XL1.PAO1.ALTER.NET [152.63.54.133]
 13    95 ms    95 ms    95 ms  POS6-0.IG3.PAO1.ALTER.NET [152.63.51.53]
 14    95 ms    95 ms    95 ms  hinet-gw.customer.alter.net [208.214.140.82]
 15    94 ms    95 ms    92 ms  pa-c12r11.USA-PAIX.router.hinet.net [202.39.83.193]
 16   226 ms   227 ms   227 ms  tp-s2-c12r31.router.hinet.net [211.72.108.130]
 17   227 ms   227 ms   227 ms  tp-s2-c12r1.router.hinet.net [211.75.91.202]
 18   229 ms   227 ms   228 ms  tc-c12r1.router.hinet.net [210.65.2.29]
 19   228 ms   227 ms   227 ms  tc-c6r1.router.hinet.net [168.95.254.130]
 20   232 ms   231 ms   233 ms  h197.s144.ts.hinet.net [168.95.144.197]
 21   417 ms   407 ms   412 ms  61-221-115-33.HINET-IP.hinet.net [61.221.115.33]
 22   404 ms   411 ms   404 ms  61-221-115-35.HINET-IP.hinet.net [61.221.115.35]

Trace complete.

It really does not say where they are from, but I would assume the US.  EDIT: Found the ISP in Taiwan.

But the main thing is, limiting log on attempts for 5 times before cutting them off completely. (I would'nt want to cut myself off accidently)
go3teamAsked:
Who is Participating?
 
beem4nConnect With a Mentor Commented:
Hi,

just use the next:
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/m -j ACCEPT

0
 
jlevieCommented:
While it is possible to do account lockout after N failures that probably won't help you here. The lockout operates on the username/password, not the source IP of the attempt. So these crackers could just try a different account.

What's going on there is that there is a vulnerable version of sshd and they are looking to see if yours can be exploited. If it is up to date there's no worries on that account. And as long as all users have good passwords they'd be unlikely to guess a working password.

Since the flood of failed attempts bothers you there are two things you could do. One would be to limit, via IPtables, those IP's allowed to connect to ssh. If you only access the system via ssh from known and fixed IP's this works great but it isn't usable if you don't know ahead of time what IP an valid connection will have. The other choice is to change to port number sshd listens on. This means that the remote client will have to pick a non-standard port number, but it will eliminate the crackers attempts.
0
 
go3teamAuthor Commented:
How would I go about implementing both?  Certain Ip ranges along with the port number?  Thanks.
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
ahoffmannCommented:
how about iptables with the -m limit option for SYN requests on port 22
0
 
jlevieCommented:
If you set a default DENY stance for the INPUT chain:

iptables -P INPUT DROP

you can then use explicit permits like:

iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
--or--
iptables -A INPUT -p tcp -s 2.3.4.0/24 --dport 22 -j ACCEPT

to accept connections from a single IP at 1.2.3.4 or the Class C network 2.3.4.0.
0
 
go3teamAuthor Commented:
What about a variable range for the iptables request?  My IP changes every once in a while.
0
 
jlevieCommented:
The IPtables rules I show above are operating on the client side (source) of the ssh connection, not the IP of  local machine that is reporting the failed connections. They allow only the named IP's to connect to the machine running sshd. IPtables allows for a source IP (-s 1.2.3.4) or a proper subnet (-s 2.3.4.0/24) to be specified. And arbitrary range of IP's can't be specified.
0
 
go3teamAuthor Commented:
I guess I should add, it is a remote server on the other side of the country.  I just don't want to lock myself out, should my isp change my IP in the future.  I guess I could change it to some off the wall port, to ease my mind.  
0
 
jlevieCommented:
Ah, I see. You could set the IP restrictions to cover the network range that you migh possibly be in or even the entire range of IP's delegated to your ISP. That would pretty well ensure that you could still log in to the server in the future while still closing out the majority of the Internet.

The other choice, of course, is to switch sshd to a non-standard port.
0
 
ahoffmannCommented:
hmm, never tested it this way, but worth a try.
using the limit match avoids the source IP problem, while you have no problems connecting to ssh if you know the rules (only 3 attempts per minute -if you misstype your passowrd for example-)

iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN -m limit --limit 3/m -j ACCEPT
0
 
go3teamAuthor Commented:
ahoffmann, I get this response:

root@remote [~]# iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN -m limit --limit 3/m -j ACCEPT
iptables v1.2.7a: --tcp-flags requires two args.
Try `iptables -h' or 'iptables --help' for more information.
0
 
prof666Commented:
Rather than using IPTABLES to block IP addresses why dont you use Public/Private Keys for SSH?? This will stop people at the front door before that dont have your key. They get bounced straight away and will never appear in your logs (as there is no  way they can even talk to the SSH server). I used to get the same deal as you with people running password grinders against port 22, but now with P/P keys the level of attempts has dropped to almost nothing.

For more infor read:

http://www.net-security.org/news.php?id=4960

Da Proff
0
 
ahoffmannCommented:
> ..  use Public/Private Keys for SSH?? This will stop  ..
no, it does not stop trying people to check for a vulnerable sshd, just the password and/or username guessing
0
 
funkusmunkusCommented:
I posted a comment at the bottom of this question but i'd say the same applies here
http://www.experts-exchange.com/Security/Linux_Security/Q_21128711.html

the ones trying user and guest are just kidy scan tools nothing to really worry about, make sure your using ssh2 or newer and you have a nice complex password.
if you follow those guide lines you should be ok, but just incase your still worried you could disable remote ssh and pptp to you machine and ssh remotly that way.

hope that helps
cheers
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.