Solved

Hacking attempts and how to limit them.

Posted on 2004-09-18
Last Modified: 2010-04-22
Just recently been going over some of the logs I have mailed to me and was not happy with the amount of hacking attempts I have been getting lately. I guess the first part of my question is, do I have any recourse against the ISP of the perp? The logs don't list the exact time of the attempt, but only the IP, the user name they tried to log on with, and the date.

Second question is, is there any way to limit the amount of log in attempts per ip, before totally cutting them off from being able to make another log in attempt, or can I at least add the ip to a list, and have that list "consulted" before offering a log on, or such?

Here is what my list looks like:

 --------------------- pam_unix Begin ------------------------

sshd:
   Invalid Users:
      Unknown Account: 131 Time(s)
   Authentication Failures:
      unknown (61-221-115-35.hinet-ip.hinet.net ): 107 Time(s)
      root (218.158.126.247 ): 18 Time(s)
      root (61-221-115-35.hinet-ip.hinet.net ): 80 Time(s)
      admin (61-221-115-35.hinet-ip.hinet.net ): 54 Time(s)
      admin (218.158.126.247 ): 12 Time(s)
      unknown (218.158.126.247 ): 24 Time(s)


 ---------------------- pam_unix End -------------------------
 --------------------- SSHD Begin ------------------------


Failed logins from these:
   admin/password from 218.158.126.247: 12 Time(s)
   admin/password from 61.221.115.35: 54 Time(s)
   guest/password from 218.158.126.247: 6 Time(s)
   guest/password from 61.221.115.35: 27 Time(s)
   root/password from 218.158.126.247: 18 Time(s)
   root/password from 61.221.115.35: 80 Time(s)
   test/password from 218.158.126.247: 12 Time(s)
   test/password from 61.221.115.35: 53 Time(s)
   user/password from 218.158.126.247: 6 Time(s)
   user/password from 61.221.115.35: 27 Time(s)


 ---------------------- SSHD End -------------------------
Did a tracert and came up with:

Tracing route to 61-221-115-35.HINET-IP.hinet.net [61.221.115.35]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2    14 ms    11 ms    12 ms  10.117.96.1
  3    10 ms    13 ms    10 ms  172.30.24.81
  4    20 ms    19 ms    20 ms  12.126.174.21
  5    22 ms    19 ms    19 ms  gbr6-p30.wswdc.ip.att.net [12.123.9.70]
  6    23 ms    23 ms    23 ms  tbr2-p013701.wswdc.ip.att.net [12.122.11.189]
  7    21 ms    19 ms    20 ms  ggr2-p3120.wswdc.ip.att.net [12.123.9.117]
  8    20 ms    24 ms    23 ms  so-0-1-0.BR2.DCA5.ALTER.NET [204.255.169.1]
  9    24 ms    28 ms    23 ms  0.so-4-3-0.XL1.DCA5.ALTER.NET [152.63.48.178]
 10    26 ms    23 ms    23 ms  0.so-0-0-0.TL1.DCA6.ALTER.NET [152.63.38.69]
 11    99 ms    99 ms    99 ms  0.so-5-0-0.TL1.SCL2.ALTER.NET [152.63.1.33]
 12    98 ms    95 ms    95 ms  0.so-7-0-0.XL1.PAO1.ALTER.NET [152.63.54.133]
 13    95 ms    95 ms    95 ms  POS6-0.IG3.PAO1.ALTER.NET [152.63.51.53]
 14    95 ms    95 ms    95 ms  hinet-gw.customer.alter.net [208.214.140.82]
 15    94 ms    95 ms    92 ms  pa-c12r11.USA-PAIX.router.hinet.net [202.39.83.193]
 16   226 ms   227 ms   227 ms  tp-s2-c12r31.router.hinet.net [211.72.108.130]
 17   227 ms   227 ms   227 ms  tp-s2-c12r1.router.hinet.net [211.75.91.202]
 18   229 ms   227 ms   228 ms  tc-c12r1.router.hinet.net [210.65.2.29]
 19   228 ms   227 ms   227 ms  tc-c6r1.router.hinet.net [168.95.254.130]
 20   232 ms   231 ms   233 ms  h197.s144.ts.hinet.net [168.95.144.197]
 21   417 ms   407 ms   412 ms  61-221-115-33.HINET-IP.hinet.net [61.221.115.33]
 22   404 ms   411 ms   404 ms  61-221-115-35.HINET-IP.hinet.net [61.221.115.35]

Trace complete.

It really does not say where they are from, but I would assume the US.  EDIT: Found the ISP in Taiwan.

But the main thing is limiting log on attempts to 5 times before cutting them off completely. (I wouldn't want to cut myself off accidentally.)
Question by:go3team
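The second half of the question (count attempts per IP, then consult a list before letting an address near the login) as an added example, not code from anyone in this thread: it parses the two logwatch line shapes shown in the report above, tallies failures per source address, and excludes an allow-list so the operator's own ISP range is never selected. The sample log is constructed from those formats; 192.0.2.0/24 and 203.0.113.9 are hypothetical placeholders, and the 5-attempt threshold is the one the question names.

```python
"""Tally failed SSH logins per source IP from logwatch-style lines, then pick
addresses over a threshold while never touching an operator allow-list."""
import ipaddress
import re
from collections import defaultdict

# Per-user summary line and raw "Illegal user" line, as printed by logwatch/sshd.
SUMMARY_RE = re.compile(r"^\s*(\S+)/password from (\d{1,3}(?:\.\d{1,3}){3}): (\d+) Time\(s\)$")
ILLEGAL_RE = re.compile(r"^\s*Illegal user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed sample input (192.0.2.77 stands in for the operator's own ISP).
SAMPLE_LOG = """\
   admin/password from 218.158.126.247: 12 Time(s)
   root/password from 61.221.115.35: 80 Time(s)
   guest/password from 192.0.2.77: 3 Time(s)
Illegal user test from 218.158.126.247
Illegal user test from 218.158.126.247
Illegal user guest from 61.221.115.35
Illegal user user from 203.0.113.9
"""

def tally_failures(text):
    """Return {ip: {"count": n, "users": {...}}} accumulated over both line formats."""
    per_ip = defaultdict(lambda: {"count": 0, "users": set()})
    for line in text.splitlines():
        if m := SUMMARY_RE.match(line):
            user, ip, n = m.group(1), m.group(2), int(m.group(3))
        elif m := ILLEGAL_RE.match(line):
            user, ip, n = m.group(1), m.group(2), 1
        else:
            continue  # any other logwatch line is ignored
        per_ip[ip]["count"] += n
        per_ip[ip]["users"].add(user)
    return dict(per_ip)

def select_blocks(per_ip, threshold=5, allow_nets=()):
    """Addresses with >= threshold failures, minus anything inside an allow-listed network."""
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    picked = [ip for ip, info in per_ip.items()
              if info["count"] >= threshold
              and not any(ipaddress.ip_address(ip) in net for net in nets)]
    return sorted(picked, key=ipaddress.ip_address)

def drop_rules(ips):
    """One explicit iptables DROP per selected address, ssh port only."""
    return [f"iptables -A INPUT -p tcp -s {ip} --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    tally = tally_failures(SAMPLE_LOG)
    for rule in drop_rules(select_blocks(tally, allow_nets=["192.0.2.0/24"])):
        print(rule)
```

The emitted rules use the same iptables syntax the thread settles on; placing the allow-list check before the threshold check is what keeps a mistyped password from your own address from locking you out.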
14 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12092368
While it is possible to do account lockout after N failures that probably won't help you here. The lockout operates on the username/password, not the source IP of the attempt. So these crackers could just try a different account.

What's going on there is that there is a vulnerable version of sshd and they are looking to see if yours can be exploited. If it is up to date there's no worries on that account. And as long as all users have good passwords they'd be unlikely to guess a working password.

Since the flood of failed attempts bothers you there are two things you could do. One would be to limit, via iptables, those IPs allowed to connect to ssh. If you only access the system via ssh from known and fixed IPs this works great, but it isn't usable if you don't know ahead of time what IP a valid connection will have. The other choice is to change the port number sshd listens on. This means that the remote client will have to pick a non-standard port number, but it will eliminate the crackers' attempts.
 

Author Comment

by:go3team
ID: 12092610
How would I go about implementing both? Certain IP ranges along with the port number? Thanks.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12092810
how about iptables with the -m limit option for SYN requests on port 22
 
LVL 40

Expert Comment

by:jlevie
ID: 12093196
If you set a default DENY stance for the INPUT chain:

iptables -P INPUT DROP

you can then use explicit permits like:

iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
--or--
iptables -A INPUT -p tcp -s 2.3.4.0/24 --dport 22 -j ACCEPT

to accept connections from a single IP at 1.2.3.4 or the Class C network 2.3.4.0.
 

Author Comment

by:go3team
ID: 12093714
What about a variable range for the iptables request?  My IP changes every once in a while.
 
LVL 40

Expert Comment

by:jlevie
ID: 12093851
The iptables rules I show above are operating on the client side (source) of the ssh connection, not the IP of the local machine that is reporting the failed connections. They allow only the named IPs to connect to the machine running sshd. iptables allows for a source IP (-s 1.2.3.4) or a proper subnet (-s 2.3.4.0/24) to be specified. An arbitrary range of IPs can't be specified.
 

Author Comment

by:go3team
ID: 12093881
I guess I should add, it is a remote server on the other side of the country. I just don't want to lock myself out, should my ISP change my IP in the future. I guess I could change it to some off the wall port, to ease my mind.
 
LVL 40

Expert Comment

by:jlevie
ID: 12094089
Ah, I see. You could set the IP restrictions to cover the network range that you might possibly be in or even the entire range of IPs delegated to your ISP. That would pretty well ensure that you could still log in to the server in the future while still closing out the majority of the Internet.

The other choice, of course, is to switch sshd to a non-standard port.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12096867
Hmm, never tested it this way, but worth a try.
Using the limit match avoids the source IP problem, while you have no problems connecting to ssh if you know the rules (only 3 attempts per minute, if you mistype your password for example).

iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN -m limit --limit 3/m -j ACCEPT
 

Author Comment

by:go3team
ID: 12097083
ahoffmann, I get this response:

root@remote [~]# iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN -m limit --limit 3/m -j ACCEPT
iptables v1.2.7a: --tcp-flags requires two args.
Try `iptables -h' or 'iptables --help' for more information.
 
LVL 4

Accepted Solution

by:
beem4n earned 250 total points
ID: 12149392
Hi,

just use the next:
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/m -j ACCEPT

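How the accepted `--syn -m limit --limit 3/m` rule actually paces connections, as an added simulation that is not from the thread: the iptables limit match is a token bucket that starts full at `--limit-burst` (default 5) and refills at the `--limit` rate, so the model below replays constructed SYN arrival times in seconds against those parameters. One bucket is shared by every source address, which is why a flood from one host also throttles the operator's own login, and SYNs the rule does not match are only dropped if a later rule or the default INPUT policy drops them.

```python
"""Model of the token bucket behind `iptables -m limit`: a SYN matches while a
token is available; --limit refills tokens and --limit-burst caps them."""


class LimitMatch:
    def __init__(self, rate_per_min: float, burst: int = 5):
        self.rate_per_min = rate_per_min  # --limit, e.g. 3/m -> 3.0
        self.burst = burst                # --limit-burst; iptables default is 5
        self.tokens = float(burst)        # the bucket starts full
        self.last = 0.0                   # time of the previous packet (seconds)

    def matches(self, now: float) -> bool:
        """Would a SYN arriving at `now` match the rule (and so be ACCEPTed)?"""
        refill = (now - self.last) * self.rate_per_min / 60.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, rate_per_min=3.0, burst=5):
    """One decision per SYN arrival time; the single bucket is shared by all sources."""
    m = LimitMatch(rate_per_min, burst)
    return ["ACCEPT" if m.matches(t) else "fallthrough" for t in arrivals]


if __name__ == "__main__":
    # Constructed: six SYNs in the same second, then one 20 s and one 25 s later.
    for t, verdict in zip([0, 0, 0, 0, 0, 0, 20, 25], simulate([0, 0, 0, 0, 0, 0, 20, 25])):
        print(f"t={t:>3}s  {verdict}")
```

With 3/m the bucket gains one token every 20 seconds, so after the initial burst a legitimate user gets one fresh attempt per 20 seconds and a password grinder gets the same, no more.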
 
LVL 6

Expert Comment

by:prof666
ID: 12153774
Rather than using iptables to block IP addresses, why don't you use public/private keys for SSH? This will stop people at the front door if they don't have your key. They get bounced straight away and will never appear in your logs (as there is no way they can even talk to the SSH server). I used to get the same deal as you with people running password grinders against port 22, but now with P/P keys the level of attempts has dropped to almost nothing.

For more info read:

http://www.net-security.org/news.php?id=4960

Da Proff
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12153843
> ..  use Public/Private Keys for SSH?? This will stop  ..
no, it does not stop people trying to check for a vulnerable sshd, just the password and/or username guessing
 
LVL 1

Expert Comment

by:funkusmunkus
ID: 12167053
I posted a comment at the bottom of this question but I'd say the same applies here
http://www.experts-exchange.com/Security/Linux_Security/Q_21128711.html

The ones trying user and guest are just kiddie scan tools, nothing to really worry about; make sure you're using ssh2 or newer and you have a nice complex password.
If you follow those guidelines you should be OK, but just in case you're still worried you could disable remote ssh and PPTP to your machine and ssh remotely that way.

hope that helps
cheers

Question has a verified solution.
