I found someone trying to hack my Linux server through ssh. What should I do?

Posted on 2005-04-16
Last Modified: 2010-05-18
I was looking through some logs and I found that there were thousands of entries like

Failed password for invalid user $user from ::ffff:$ip port $port ssh2

a) $user is a different user name each time
b) $port is a different port each time
c) $ip is the IP address the request came from.

I used some string manipulation commands and found there have been 57 different IPs with these failed password entries. Keep in mind that there is only 1 person other than me who knows the ssh password. With a few more commands I got the count for each IP. The highest one is 1071 and the second highest is 169. The user that tried 1071 times to hack my server must really want in. I have that user's IP. What should I do?

I used whois on the first hacker, who tried 1071 times, and found his ISP is based in Germany. The whois output lists the ISP's email address. Should I contact them? Do you think they would do anything? Is there any way that this is not the real IP? I mean, can the hacker make his IP address look like someone else's?

For the time being I have disabled the port redirect through the firewall. Now the server can only be accessed through ssh in the network.

Any ideas how to handle a situation like this?
Question by:itcdr
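The per-IP count the question describes, written out as an added example in Python (not code from the original post). The log lines are constructed, the ::ffff: prefix handling follows the line format quoted above, and the reporting threshold is an assumed policy value:

```python
import re
from collections import Counter

# Pattern for the sshd message quoted in the question; "invalid user" is
# absent when the account exists (e.g. root), so it is optional here.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample of /var/log/auth.log lines (not real traffic).
SAMPLE_LOG = """\
Apr 16 03:12:01 srv sshd[1234]: Failed password for invalid user admin from ::ffff:192.0.2.10 port 40231 ssh2
Apr 16 03:12:03 srv sshd[1236]: Failed password for invalid user test from ::ffff:192.0.2.10 port 40235 ssh2
Apr 16 03:12:05 srv sshd[1240]: Failed password for invalid user oracle from ::ffff:198.51.100.7 port 51021 ssh2
Apr 16 03:13:00 srv sshd[1250]: Accepted password for itcdr from 10.0.0.5 port 50000 ssh2
Apr 16 03:14:11 srv sshd[1260]: Failed password for root from ::ffff:192.0.2.10 port 40311 ssh2
"""


def normalize_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix sshd logs for IPv4 peers on a dual-stack socket."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def count_failures(log_text):
    """Return (failures per source IP, set of usernames tried per IP)."""
    per_ip = Counter()
    users_per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ip = normalize_ip(m.group("ip"))
        per_ip[ip] += 1
        users_per_ip.setdefault(ip, set()).add(m.group("user"))
    return per_ip, users_per_ip


def top_offenders(per_ip, threshold):
    """Sources at or above the threshold, busiest first (threshold is an assumed policy value)."""
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    per_ip, users_per_ip = count_failures(SAMPLE_LOG)
    for ip, n in top_offenders(per_ip, threshold=2):
        print(f"{ip}: {n} failures, usernames tried: {sorted(users_per_ip[ip])}")
```

Many distinct usernames from one source, as in item a) of the question, is the signature of a dictionary scan rather than a legitimate user mistyping a password.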
    LVL 51

    Expert Comment

    > What should I do?
    nothing if you need ssh for your own login
    ensure that you have the newest ssh installed, also check your sshd_config

    > Should I contact them?
    and then?
    can you prove that the IP was not spoofed?

    > Any ideas how to handle a situation like this?
    you mean the login attempts?
    you can do nothing, that's normal noise
    just ensure that your server is up-to-date, or close/reject the ports at your firewall
    LVL 1

    Author Comment

    Do you know any way that I can prove the IP was not spoofed so I can report him to his ISP?

    I did close the ports on the firewall, so we will just use ssh on the intranet.
    LVL 51

    Expert Comment

    the firewall should detect spoofed connections
    LVL 1

    Author Comment

    I have a Linksys RV082 Firewall. Do you know how I can check?
    LVL 2

    Accepted Solution

    These are part of "script-kiddie" attempts to break in through a weak SSH password, or some worms trying to exploit the same. The best is to tighten your SSH security... I get a lot of them almost every other day. This is a secure SSH config file example:
    Deny root login
          PermitRootLogin  no
    Uncomment the Protocol line and permit only SSH2
          Protocol  2
    Enable strict modes, which will check file modes and ownership of the user's files and home directory before accepting login
          StrictModes  yes
    Disable public key, Rhosts and host-based authentication
          PubkeyAuthentication  no
          RhostsRSAAuthentication  no
          HostbasedAuthentication  no
    Do not allow login with empty password strings
          PermitEmptyPasswords  no
    Specify a banner file, which will be displayed to users before attempting login
          Banner /etc/issue
    Add the lines in /etc/hosts, to avoid IP spoofing

    "nospoof on"

    Tighten SSH with TCP Wrappers:
    You can add parameters in TCP Wrappers to give you logging information on attempts made to connect to SSH.

    LVL 1

    Author Comment

    Thanks for your help.
    LVL 2

    Expert Comment

    Welcome, Thx :-)
