hrolsons
asked on
Stop people from trying to get into my server
Looking at auth.log
How can I stop these attempts at guessing the root password? I'm running FreeBSD.
Feb 19 12:44:19 216-XX-XXX-147 sshd[54929]: Failed password for root from 125.88.177.93 port 43011 ssh2
Feb 19 12:44:20 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:21 216-XX-XXX-147 sshd[54929]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:44:26 216-XX-XXX-147 sshd[54932]: Failed password for root from 125.88.177.93 port 50263 ssh2
Feb 19 12:44:27 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:28 216-XX-XXX-147 sshd[54932]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:44:32 216-XX-XXX-147 sshd[54934]: Failed password for root from 125.88.177.93 port 63455 ssh2
Feb 19 12:44:32 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:33 216-XX-XXX-147 sshd[54934]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:44:36 216-XX-XXX-147 sshd[54937]: Failed password for root from 125.88.177.93 port 17829 ssh2
Feb 19 12:44:38 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:39 216-XX-XXX-147 sshd[54937]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:44:46 216-XX-XXX-147 sshd[54939]: Failed password for root from 125.88.177.93 port 28645 ssh2
Feb 19 12:44:47 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:48 216-XX-XXX-147 sshd[54939]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:44:53 216-XX-XXX-147 sshd[54943]: Failed password for root from 125.88.177.93 port 46958 ssh2
Feb 19 12:44:54 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:54 216-XX-XXX-147 sshd[54943]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:44:57 216-XX-XXX-147 sshd[54945]: Failed password for root from 125.88.177.93 port 59163 ssh2
Feb 19 12:44:58 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:58 216-XX-XXX-147 sshd[54945]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:45:05 216-XX-XXX-147 sshd[54947]: Failed password for root from 125.88.177.93 port 12718 ssh2
Feb 19 12:45:06 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:08 216-XX-XXX-147 sshd[54947]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:45:11 216-XX-XXX-147 sshd[55044]: Failed password for root from 125.88.177.93 port 26803 ssh2
Feb 19 12:45:14 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:15 216-XX-XXX-147 sshd[55044]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:45:18 216-XX-XXX-147 sshd[55169]: Failed password for root from 125.88.177.93 port 43786 ssh2
Feb 19 12:45:20 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:20 216-XX-XXX-147 sshd[55169]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:45:22 216-XX-XXX-147 sshd[55175]: Failed password for root from 125.88.177.93 port 54895 ssh2
Feb 19 12:45:23 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:24 216-XX-XXX-147 sshd[55175]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:45:28 216-XX-XXX-147 sshd[55177]: Failed password for root from 125.88.177.93 port 62141 ssh2
Feb 19 12:45:29 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:29 216-XX-XXX-147 sshd[55177]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:45:36 216-XX-XXX-147 sshd[55179]: Failed password for root from 125.88.177.93 port 17313 ssh2
Feb 19 12:45:37 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:37 216-XX-XXX-147 sshd[55179]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:45:41 216-XX-XXX-147 sshd[55181]: Failed password for root from 125.88.177.93 port 34066 ssh2
Feb 19 12:45:42 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:44 216-XX-XXX-147 sshd[55181]: Received disconnect from 125.88.177.93: 11: [preauth]
Are you running a firewall? That's where you need to block the address. However, if what I suspect, based on your log, is true, then that address is coming from China, and once it is blocked you may start to see another.
"How can I stop these attempts at guessing the root password? I'm running FreeBSD."
Disconnect the computer from the Internet.
Change your router's firewall settings to block whatever protocol allows these people to try to log in.
ASKER
I'm using Fail2Ban which seems to block the IPs after 3 unsuccessful attempts.
This server, while being dedicated, is not located at my location and I can't get access to the actual server or router.
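One thing worth checking about the "3 unsuccessful attempts" count: in the auth.log excerpt above, syslog collapses repeated failures into "last message repeated 2 times" lines, so each burst is really three failed passwords, not one. The following is an added example (not from the question or from Fail2Ban) that counts failures per source IP from that log format, expanding the repeat lines; the sample log is constructed in the same format as the excerpt, and the hostname "host" and the second source are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the auth.log excerpt in the question:
# one source brute-forcing root, one legitimate user who mistyped once.
SAMPLE_LOG = """\
Feb 19 12:44:19 host sshd[54929]: Failed password for root from 125.88.177.93 port 43011 ssh2
Feb 19 12:44:20 host last message repeated 2 times
Feb 19 12:44:21 host sshd[54929]: Received disconnect from 125.88.177.93: 11: [preauth]
Feb 19 12:44:26 host sshd[54932]: Failed password for root from 125.88.177.93 port 50263 ssh2
Feb 19 12:44:27 host last message repeated 2 times
Feb 19 12:50:01 host sshd[55300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Feb 19 12:50:05 host sshd[55300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
"""

FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")
REPEAT_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ last message repeated (\d+) times")


def count_failures(log_text):
    """Return {ip: {user: failures}} for the given auth.log text.

    A 'last message repeated N times' line is attributed to the
    immediately preceding 'Failed password' line; any other message in
    between breaks the chain, so repeats of unrelated lines are ignored.
    """
    counts = defaultdict(lambda: defaultdict(int))
    last = None  # (user, ip) of the most recent Failed password line
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            user, ip = m.groups()
            counts[ip][user] += 1
            last = (user, ip)
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            user, ip = last
            counts[ip][user] += int(m.group(1))
            continue
        last = None
    return counts


def offenders(log_text, threshold=3):
    """IPs whose total failed logins reach the threshold (a maxretry-style cut-off)."""
    return sorted(ip for ip, users in count_failures(log_text).items()
                  if sum(users.values()) >= threshold)
```

Run over a real auth.log, `offenders()` gives the list of sources that would cross a 3-attempt threshold once the repeat lines are counted.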
"This server, while being dedicated, is not located at my location and I can't get access to the actual server or router."
So long as you have root-level access, you can set the rule on the server's firewall so that it only allows incoming requests from IPs that you specify:
iptables -I INPUT -s [YOUR_HOME_IP] -p tcp -m tcp --dport [SSH_PORT] -j ACCEPT
Once you have your allowed IPs you can then add a rule to drop all others:
iptables -A INPUT -p tcp -m tcp --dport [SSH_PORT] -j REJECT   # -A appends, so the ACCEPT rule inserted above is matched first
-saige-
@hrolsons:
"This server, while being dedicated, is not located at my location and I can't get access to the actual server or router. "
In this case I'm not sure you could do anything about it anyway. The only way to stop it is to block the originating IP or subnet, or contact the owner of the IP and ask them to cease their efforts. I have done this numerous times in the past few years and had good results, using WhoIs to identify the owner or relevant contact to investigate. You can also contact the ISP owner of that subnet, the ones who sell these IPs, and let them know of this abuse.
Below is a 'WhoIs' lookup on the IP. It has info to contact them about this potential breach:
Whois IP 125.88.177.93
Updated 4 days ago
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '125.88.0.0 - 125.95.255.255'
inetnum: 125.88.0.0 - 125.95.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
mnt-routes: MAINT-CHINANET-GD
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++- +-+-+-+-+- +-+-+-+-+- +-+-+-+-+
remarks: To report network abuse, please contact the IRT
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: For assistance, please contact the APNIC Helpdesk
remarks: -+-+-+-+-+-+-+-+-+-+-+-++- +-+-+-+-+- +-+-+-+-+- +-+-+-+-+
source: APNIC
mnt-irt: IRT-CHINANET-CN
changed: email@apnic.net 20050816
irt: IRT-CHINANET-CN
address: No.31 ,jingrong street,beijing
address: 100032
e-mail: email@ns.chinanet.cn.net
abuse-mailbox: email@ns.chinanet.cn.net
admin-c: CH93-AP
tech-c: CH93-AP
auth: # Filtered
mnt-by: MAINT-CHINANET
changed: email@ns.chinanet.cn.net 20101115
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: email@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: email@cndata.com 20070416
changed: email@gsta.com 20140227
mnt-by: MAINT-CHINANET
source: APNIC
person: IPMASTER CHINANET-GD
nic-hdl: IC83-AP
e-mail: email@189.cn
address: NO.18,RO. ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU
phone: +86-20-87189274
fax-no: +86-20-87189274
country: CN
changed: email@189.cn 20110418
changed: email@gsta.com 20140922
mnt-by: MAINT-CHINANET-GD
remarks: IPMASTER is not for spam complaint,please send spam complaint to email@189.cn
abuse-mailbox: email@189.cn
source: APNIC
ASKER
I can't use the IP tables because I think my router changes IP every time it reboots.
I think the SSH signature key is a good idea, it's just been a very long time since I did this.