Solved

Hacking attempts and how to limit them.

Posted on 2004-09-18
1,987 Views
Last Modified: 2010-04-22
Just recently been going over some of the logs I have mailed to me and was not happy with the amount of hacking attempts I have been getting lately. I guess the first part of my question is, do I have any recourse against the ISP of the perp? The logs don't list the exact time of the attempt, but only the IP, user name they tried to log on with, and the date.

Second question is, is there any way to limit the number of log in attempts per IP before totally cutting them off from being able to make another log in attempt, or can I at least add the IP to a list, and have that list "consulted" before offering a log on, or such?

Here is what my list looks like:

 --------------------- pam_unix Begin ------------------------

sshd:
   Invalid Users:
      Unknown Account: 131 Time(s)
   Authentication Failures:
      unknown (61-221-115-35.hinet-ip.hinet.net ): 107 Time(s)
      root (218.158.126.247 ): 18 Time(s)
      root (61-221-115-35.hinet-ip.hinet.net ): 80 Time(s)
      admin (61-221-115-35.hinet-ip.hinet.net ): 54 Time(s)
      admin (218.158.126.247 ): 12 Time(s)
      unknown (218.158.126.247 ): 24 Time(s)


 ---------------------- pam_unix End -------------------------
 --------------------- SSHD Begin ------------------------


Failed logins from these:
   admin/password from 218.158.126.247: 12 Time(s)
   admin/password from 61.221.115.35: 54 Time(s)
   guest/password from 218.158.126.247: 6 Time(s)
   guest/password from 61.221.115.35: 27 Time(s)
   root/password from 218.158.126.247: 18 Time(s)
   root/password from 61.221.115.35: 80 Time(s)
   test/password from 218.158.126.247: 12 Time(s)
   test/password from 61.221.115.35: 53 Time(s)
   user/password from 218.158.126.247: 6 Time(s)
   user/password from 61.221.115.35: 27 Time(s)


 ---------------------- SSHD End -------------------------
Did a tracert and came up with:

Tracing route to 61-221-115-35.HINET-IP.hinet.net [61.221.115.35]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2    14 ms    11 ms    12 ms  10.117.96.1
  3    10 ms    13 ms    10 ms  172.30.24.81
  4    20 ms    19 ms    20 ms  12.126.174.21
  5    22 ms    19 ms    19 ms  gbr6-p30.wswdc.ip.att.net [12.123.9.70]
  6    23 ms    23 ms    23 ms  tbr2-p013701.wswdc.ip.att.net [12.122.11.189]
  7    21 ms    19 ms    20 ms  ggr2-p3120.wswdc.ip.att.net [12.123.9.117]
  8    20 ms    24 ms    23 ms  so-0-1-0.BR2.DCA5.ALTER.NET [204.255.169.1]
  9    24 ms    28 ms    23 ms  0.so-4-3-0.XL1.DCA5.ALTER.NET [152.63.48.178]
 10    26 ms    23 ms    23 ms  0.so-0-0-0.TL1.DCA6.ALTER.NET [152.63.38.69]
 11    99 ms    99 ms    99 ms  0.so-5-0-0.TL1.SCL2.ALTER.NET [152.63.1.33]
 12    98 ms    95 ms    95 ms  0.so-7-0-0.XL1.PAO1.ALTER.NET [152.63.54.133]
 13    95 ms    95 ms    95 ms  POS6-0.IG3.PAO1.ALTER.NET [152.63.51.53]
 14    95 ms    95 ms    95 ms  hinet-gw.customer.alter.net [208.214.140.82]
 15    94 ms    95 ms    92 ms  pa-c12r11.USA-PAIX.router.hinet.net [202.39.83.193]
 16   226 ms   227 ms   227 ms  tp-s2-c12r31.router.hinet.net [211.72.108.130]
 17   227 ms   227 ms   227 ms  tp-s2-c12r1.router.hinet.net [211.75.91.202]
 18   229 ms   227 ms   228 ms  tc-c12r1.router.hinet.net [210.65.2.29]
 19   228 ms   227 ms   227 ms  tc-c6r1.router.hinet.net [168.95.254.130]
 20   232 ms   231 ms   233 ms  h197.s144.ts.hinet.net [168.95.144.197]
 21   417 ms   407 ms   412 ms  61-221-115-33.HINET-IP.hinet.net [61.221.115.33]
 22   404 ms   411 ms   404 ms  61-221-115-35.HINET-IP.hinet.net [61.221.115.35]

Trace complete.

It really does not say where they are from, but I would assume the US.  EDIT: Found the ISP in Taiwan.

But the main thing is, limiting log on attempts to 5 times before cutting them off completely. (I wouldn't want to cut myself off accidentally.)
Question by:go3team
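As an added example (not from the thread), a small POSIX shell/awk script that tallies the logwatch "Failed logins" summary quoted in the question per source IP and prints iptables DROP rules for any source at or above a threshold; the sample lines are copied from the question, the 5-attempt threshold is the one asked for, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): tally the logwatch
# "Failed logins" summary per source IP and list the sources that reach
# a threshold, as candidates for an explicit iptables DROP.
# The sample lines below are copied from the question above.
SAMPLE_LOG='   admin/password from 218.158.126.247: 12 Time(s)
   admin/password from 61.221.115.35: 54 Time(s)
   guest/password from 218.158.126.247: 6 Time(s)
   guest/password from 61.221.115.35: 27 Time(s)
   root/password from 218.158.126.247: 18 Time(s)
   root/password from 61.221.115.35: 80 Time(s)
   test/password from 218.158.126.247: 12 Time(s)
   test/password from 61.221.115.35: 53 Time(s)
   user/password from 218.158.126.247: 6 Time(s)
   user/password from 61.221.115.35: 27 Time(s)'

# Read logwatch lines on stdin; print "<ip> <total failures>" per IP,
# highest first.
failed_logins_by_ip() {
    awk '/ from [0-9.]+: [0-9]+ Time\(s\)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); n = $(i+2) }
            sub(/:$/, "", ip); total[ip] += n
        }
        END { for (ip in total) print ip, total[ip] }' | sort -k2,2nr
}

# Print only the IPs with at least $1 failures (the question asks for 5).
over_threshold() {
    failed_logins_by_ip | awk -v t="$1" '$2 >= t { print $1 }'
}

# Turn the block list into iptables rules; print them rather than apply
# them, so the list can be reviewed before anything is blocked.
block_rules() {
    over_threshold "$1" | while read -r ip; do
        echo "iptables -I INPUT -p tcp -s $ip --dport 22 -j DROP"
    done
}

# Total for one IP from the sample, for checking the tally.
failures_for() {
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip | awk -v ip="$1" '$1 == ip { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | block_rules 5
```

In practice the script is fed the logwatch mail (`block_rules 5 < logwatch.txt`), and the printed rules are reviewed before being run.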
14 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12092368
While it is possible to do account lockout after N failures that probably won't help you here. The lockout operates on the username/password, not the source IP of the attempt. So these crackers could just try a different account.

What's going on there is that there is a vulnerable version of sshd and they are looking to see if yours can be exploited. If it is up to date there's no worries on that account. And as long as all users have good passwords they'd be unlikely to guess a working password.

Since the flood of failed attempts bothers you there are two things you could do. One would be to limit, via IPtables, those IP's allowed to connect to ssh. If you only access the system via ssh from known and fixed IP's this works great, but it isn't usable if you don't know ahead of time what IP a valid connection will have. The other choice is to change the port number sshd listens on. This means that the remote client will have to pick a non-standard port number, but it will eliminate the crackers' attempts.

Author Comment

by:go3team
ID: 12092610
How would I go about implementing both? Certain IP ranges along with the port number? Thanks.
LVL 51

Expert Comment

by:ahoffmann
ID: 12092810
how about iptables with the -m limit option for SYN requests on port 22
LVL 40

Expert Comment

by:jlevie
ID: 12093196
If you set a default DENY stance for the INPUT chain:

iptables -P INPUT DROP

you can then use explicit permits like:

iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
--or--
iptables -A INPUT -p tcp -s 2.3.4.0/24 --dport 22 -j ACCEPT

to accept connections from a single IP at 1.2.3.4 or the Class C network 2.3.4.0.

Author Comment

by:go3team
ID: 12093714
What about a variable range for the iptables request?  My IP changes every once in a while.
LVL 40

Expert Comment

by:jlevie
ID: 12093851
The IPtables rules I show above are operating on the client side (source) of the ssh connection, not the IP of the local machine that is reporting the failed connections. They allow only the named IP's to connect to the machine running sshd. IPtables allows for a source IP (-s 1.2.3.4) or a proper subnet (-s 2.3.4.0/24) to be specified. An arbitrary range of IP's can't be specified.

Author Comment

by:go3team
ID: 12093881
I guess I should add, it is a remote server on the other side of the country. I just don't want to lock myself out, should my ISP change my IP in the future. I guess I could change it to some off the wall port, to ease my mind.
LVL 40

Expert Comment

by:jlevie
ID: 12094089
Ah, I see. You could set the IP restrictions to cover the network range that you might possibly be in or even the entire range of IP's delegated to your ISP. That would pretty well ensure that you could still log in to the server in the future while still closing out the majority of the Internet.

The other choice, of course, is to switch sshd to a non-standard port.
LVL 51

Expert Comment

by:ahoffmann
ID: 12096867
hmm, never tested it this way, but worth a try.
using the limit match avoids the source IP problem, while you have no problems connecting to ssh if you know the rules (only 3 attempts per minute, if you mistype your password for example)

iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN -m limit --limit 3/m -j ACCEPT

Author Comment

by:go3team
ID: 12097083
ahoffmann, I get this response:

root@remote [~]# iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN -m limit --limit 3/m -j ACCEPT
iptables v1.2.7a: --tcp-flags requires two args.
Try `iptables -h' or 'iptables --help' for more information.
LVL 4

Accepted Solution

by:
beem4n earned 250 total points
ID: 12149392
Hi,

just use the next:
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/m -j ACCEPT

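The accepted rule only says what to ACCEPT; connections over the limit fall through to the INPUT chain's policy, so unless that policy is DROP (as in jlevie's earlier comment) nothing is actually limited. The script below is an added example, not code from the thread: it completes the rule with a burst setting and an explicit DROP, exempts an assumed admin network (ADMIN_NET, 192.0.2.0/24 is a placeholder), and adds a per-source variant using the "recent" match, which answers the per-IP part of the question but needs a newer iptables than the 1.2.7a shown above. DRY_RUN and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Completes the accepted "-m limit"
# rule: the limit only ACCEPTs, so an explicit DROP must follow it,
# otherwise the excess simply falls through to the INPUT policy.
# DRY_RUN=1 (the default here) prints the rules; DRY_RUN=0 as root applies them.
DRY_RUN="${DRY_RUN:-1}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # placeholder: your ISP's range, so you can't lock yourself out

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else iptables "$@"; fi
}

ssh_ratelimit_rules() {
    # Already-open sessions keep working no matter what follows.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Your own network is exempt from the limit entirely.
    run -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    # New SSH connections (SYN only): 3 per minute on average, burst of 3;
    # anything over that is dropped here instead of reaching the policy.
    run -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/m --limit-burst 3 -j ACCEPT
    run -A INPUT -p tcp --dport 22 --syn -j DROP
}

# Per-source variant (the "recent" match is newer than the iptables 1.2.7a
# in the thread): each source IP gets 3 new connections per 60 s, the 4th
# within that window is dropped, and other sources are unaffected.
ssh_per_source_rules() {
    run -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    run -A INPUT -p tcp --dport 22 --syn -m recent --name SSH --set
    run -A INPUT -p tcp --dport 22 --syn -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
    run -A INPUT -p tcp --dport 22 --syn -j ACCEPT
}

ssh_ratelimit_rules
```

The -m limit version is global (one busy cracker also slows down your own logins), which is why the per-source variant is worth the upgrade where it is available.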
LVL 6

Expert Comment

by:prof666
ID: 12153774
Rather than using IPTABLES to block IP addresses, why don't you use Public/Private Keys for SSH?? This will stop people at the front door who don't have your key. They get bounced straight away and will never appear in your logs (as there is no way they can even talk to the SSH server). I used to get the same deal as you with people running password grinders against port 22, but now with P/P keys the level of attempts has dropped to almost nothing.

For more info, read:

http://www.net-security.org/news.php?id=4960

Da Proff
LVL 51

Expert Comment

by:ahoffmann
ID: 12153843
> ..  use Public/Private Keys for SSH?? This will stop  ..
no, it does not stop people trying to check for a vulnerable sshd, just the password and/or username guessing
LVL 1

Expert Comment

by:funkusmunkus
ID: 12167053
I posted a comment at the bottom of this question, but I'd say the same applies here:
http://www.experts-exchange.com/Security/Linux_Security/Q_21128711.html

The ones trying user and guest are just kiddy scan tools, nothing to really worry about; make sure you're using ssh2 or newer and you have a nice complex password.
If you follow those guidelines you should be OK, but just in case you're still worried you could disable remote ssh and PPTP to your machine and ssh remotely that way.

hope that helps
cheers