hrolsons asked:
Stop people from trying to get into my server

Looking at auth.log

Feb 19 12:44:19 216-XX-XXX-147 sshd[54929]: Failed password for root from 125.88.177.93 port 43011 ssh2
Feb 19 12:44:20 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:21 216-XX-XXX-147 sshd[54929]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:44:26 216-XX-XXX-147 sshd[54932]: Failed password for root from 125.88.177.93 port 50263 ssh2
Feb 19 12:44:27 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:28 216-XX-XXX-147 sshd[54932]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:44:32 216-XX-XXX-147 sshd[54934]: Failed password for root from 125.88.177.93 port 63455 ssh2
Feb 19 12:44:32 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:33 216-XX-XXX-147 sshd[54934]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:44:36 216-XX-XXX-147 sshd[54937]: Failed password for root from 125.88.177.93 port 17829 ssh2
Feb 19 12:44:38 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:39 216-XX-XXX-147 sshd[54937]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:44:46 216-XX-XXX-147 sshd[54939]: Failed password for root from 125.88.177.93 port 28645 ssh2
Feb 19 12:44:47 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:48 216-XX-XXX-147 sshd[54939]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:44:53 216-XX-XXX-147 sshd[54943]: Failed password for root from 125.88.177.93 port 46958 ssh2
Feb 19 12:44:54 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:54 216-XX-XXX-147 sshd[54943]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:44:57 216-XX-XXX-147 sshd[54945]: Failed password for root from 125.88.177.93 port 59163 ssh2
Feb 19 12:44:58 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:58 216-XX-XXX-147 sshd[54945]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:45:05 216-XX-XXX-147 sshd[54947]: Failed password for root from 125.88.177.93 port 12718 ssh2
Feb 19 12:45:06 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:08 216-XX-XXX-147 sshd[54947]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:45:11 216-XX-XXX-147 sshd[55044]: Failed password for root from 125.88.177.93 port 26803 ssh2
Feb 19 12:45:14 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:15 216-XX-XXX-147 sshd[55044]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:45:18 216-XX-XXX-147 sshd[55169]: Failed password for root from 125.88.177.93 port 43786 ssh2
Feb 19 12:45:20 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:20 216-XX-XXX-147 sshd[55169]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:45:22 216-XX-XXX-147 sshd[55175]: Failed password for root from 125.88.177.93 port 54895 ssh2
Feb 19 12:45:23 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:24 216-XX-XXX-147 sshd[55175]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:45:28 216-XX-XXX-147 sshd[55177]: Failed password for root from 125.88.177.93 port 62141 ssh2
Feb 19 12:45:29 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:29 216-XX-XXX-147 sshd[55177]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:45:36 216-XX-XXX-147 sshd[55179]: Failed password for root from 125.88.177.93 port 17313 ssh2
Feb 19 12:45:37 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:37 216-XX-XXX-147 sshd[55179]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:45:41 216-XX-XXX-147 sshd[55181]: Failed password for root from 125.88.177.93 port 34066 ssh2
Feb 19 12:45:42 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:45:44 216-XX-XXX-147 sshd[55181]: Received disconnect from 125.88.177.93: 11:  [preauth]
How can I stop these attempts at guessing the root password?  I'm running FreeBSD.
Steven Carnahan

Are you running a firewall? That's where you need to block the address. However, if what I suspect, based on your log, is true, then that address is coming from China, and once blocked you may start to see another.
"How can I stop these attempts at guessing the root password?  I'm running FreeBSD."
Disconnect the computer from the Internet.
Change your router's firewall settings to block whatever protocol allows these people to try to log in.
ASKER CERTIFIED SOLUTION
Kaffiend
This solution is only available to members.
hrolsons (ASKER)

I'm using Fail2Ban which seems to block the IPs after 3 unsuccessful attempts.

This server, while being dedicated, is not located at my location and I can't get access to the actual server or router.
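The counting that Fail2Ban does for the asker, as an added shell example (not code from the thread) run over log lines constructed to match the format in the question. Note that syslog collapses repeats into "last message repeated N times" lines, so a plain grep -c "Failed password" over the log above would report one third of the real attempts; the example folds those lines back into the count before applying the threshold.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source IP from auth.log lines,
# the way a fail2ban-style filter does, and list sources at or over a threshold.
# SAMPLE_LOG is constructed to match the format in the question (including
# syslog's "last message repeated N times" collapsing); the second and third
# source addresses are documentation-range placeholders.
SAMPLE_LOG='Feb 19 12:44:19 216-XX-XXX-147 sshd[54929]: Failed password for root from 125.88.177.93 port 43011 ssh2
Feb 19 12:44:20 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:44:21 216-XX-XXX-147 sshd[54929]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb 19 12:44:26 216-XX-XXX-147 sshd[54932]: Failed password for root from 125.88.177.93 port 50263 ssh2
Feb 19 12:44:27 216-XX-XXX-147 last message repeated 2 times
Feb 19 12:50:00 216-XX-XXX-147 sshd[55201]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Feb 19 12:51:00 216-XX-XXX-147 sshd[55210]: Accepted publickey for alice from 203.0.113.9 port 51000 ssh2'

# failed_logins_by_ip: read auth.log lines on stdin, print "count ip" per
# source, highest count first. A "last message repeated N times" line adds N
# to the source of the immediately preceding "Failed password" line; any other
# line in between breaks that association.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") { count[ip]++; last = ip } else { last = "" }
            next
        }
        /last message repeated [0-9]+ times/ {
            if (last != "")
                for (i = 1; i <= NF; i++) if ($i == "repeated") count[last] += $(i + 1)
            next
        }
        { last = "" }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# ban_candidates THRESHOLD: sources whose failure count reaches THRESHOLD
# (fail2ban calls this maxretry; the asker has it at 3).
ban_candidates() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage on the sample (prints 125.88.177.93, which has 6 failures; the
# 198.51.100.7 source has only 1 and is not listed):
#   printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
# On the real file:  ban_candidates 3 < /var/log/auth.log
```

Running this against the full log in the question gives 54 failures from the one source in under two minutes, which is why a per-IP ban alone is only a speed bump: the same tool will simply arrive from the next address, and the durable fix is to stop accepting passwords for root at all.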
So long as you have root level access, you can set the rule on the server's firewall so that it only allows incoming requests from IPs that you specify:

# Allow SSH from a trusted source (inserted at the head of the INPUT chain)
iptables -I INPUT -s [YOUR_HOME_IP] -p tcp -m tcp --dport [SSH_PORT] -j ACCEPT

Once you have your allowed IPs you can then add a rule to drop all others:

# Appended with -A so it sits below the ACCEPT rules; inserting it with -I
# would place it above them and reject your own connections as well
iptables -A INPUT -p tcp -m tcp --dport [SSH_PORT] -j REJECT

-saige-
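The asker is on FreeBSD, which ships pf (and ipfw) rather than iptables, so the allowlist above has to be expressed as pf rules. As an added example that is not code from the thread, the shell function below emits that ruleset; the port and the addresses in the usage lines are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build pf rules that restrict inbound
# SSH to an allowlist, for FreeBSD where iptables is not available.
# Port and addresses are placeholders chosen for the example.

# pf_ssh_allowlist PORT ADDR...: print pf.conf lines that block inbound TCP to
# PORT except from the listed addresses or CIDRs. Unlike iptables, pf
# evaluates the whole ruleset and the LAST matching rule wins, so the block
# rule is written first and the allowlist pass rule after it.
pf_ssh_allowlist() {
    port=$1; shift
    list=$(printf '%s, ' "$@")
    list=${list%, }
    printf 'table <ssh_allow> persist { %s }\n' "$list"
    printf 'block in log proto tcp from any to any port %s\n' "$port"
    printf 'pass in proto tcp from <ssh_allow> to any port %s flags S/SA keep state\n' "$port"
}

# Generate and syntax-check (pfctl -n parses without loading):
#   pf_ssh_allowlist 22 203.0.113.10 198.51.100.0/24 > /etc/pf.conf
#   pfctl -nf /etc/pf.conf
# A table can be edited at runtime without reloading the ruleset, which is
# the answer to a home IP that changes on every router reboot:
#   pfctl -t ssh_allow -T add 203.0.113.77      # add today's address
#   pfctl -t ssh_allow -T delete 203.0.113.10   # retire an old one
```

pf is enabled with pf_enable="YES" in /etc/rc.conf and the rules live in /etc/pf.conf; the three lines above are only the SSH part of a ruleset. Before relying on a block rule on a box with no console access, keep the current session open and confirm a second connection from an allowed address still succeeds. Fail2Ban on FreeBSD works the same way, by adding offending addresses to a pf table.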
@hrolsons:
"This server, while being dedicated, is not located at my location and I can't get access to the actual server or router. "

In this case I'm not sure you could do anything about it anyway. The only way to stop it is to block the originating IP or subnet, or contact the owner of the IP and ask them to cease their efforts. I have done this numerous times in the past few years and had good results, using WhoIs to identify the owner or relevant contact to investigate. You can also contact the ISP owner of that subnet, the ones who sell these IPs, and let them know of this abuse.

Below is a 'WhoIs' lookup on the IP. It has info to contact them about this potential breach:

Whois IP 125.88.177.93

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '125.88.0.0 - 125.95.255.255'

inetnum:        125.88.0.0 - 125.95.255.255
netname:        CHINANET-GD
descr:          CHINANET Guangdong province network
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN
admin-c:        CH93-AP
tech-c:         IC83-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-GD
mnt-routes:     MAINT-CHINANET-GD
status:         ALLOCATED PORTABLE
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        To report network abuse, please contact the IRT
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        For assistance, please contact the APNIC Helpdesk
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
source:         APNIC
mnt-irt:        IRT-CHINANET-CN
changed:        email@apnic.net 20050816

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         email@ns.chinanet.cn.net
abuse-mailbox:  email@ns.chinanet.cn.net
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
mnt-by:         MAINT-CHINANET
changed:        email@ns.chinanet.cn.net 20101115
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         email@ns.chinanet.cn.net
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        email@cndata.com 20070416
changed:        email@gsta.com 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC

person:         IPMASTER CHINANET-GD
nic-hdl:        IC83-AP
e-mail:         email@189.cn
address:        NO.18,RO. ZHONGSHANER,YUEXIU DISTRIC,GUANGZHOU
phone:          +86-20-87189274
fax-no:         +86-20-87189274
country:        CN
changed:        email@189.cn 20110418
changed:        email@gsta.com 20140922
mnt-by:         MAINT-CHINANET-GD
remarks:        IPMASTER is not for spam complaint,please send spam complaint to email@189.cn
abuse-mailbox:  email@189.cn
source:         APNIC
I can't use iptables because I think my router changes IP every time it reboots.

I think the SSH signature key is a good idea, it's just been a very long time since I did this.
SOLUTION
This solution is only available to members.