Brute force attacks over SSH port
On one of my searches on Google, zaf's blog came up again; this time he was complaining about SSH attacks. I looked in my /var/auth.log and found this:
Aug 21 13:56:17 local sshd[7744]: Failed password for root from 202.171.152.211 port 42343 ssh2
Aug 21 13:56:19 local sshd[7752]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.171.152.211.static.zoot.jp user=root
Aug 21 13:56:21 local sshd[7752]: Failed password for root from 202.171.152.211 port 43304 ssh2
Aug 21 13:56:26 local sshd[7768]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.171.152.211.static.zoot.jp user=root
Aug 21 13:56:28 local sshd[7768]: Failed password for root from 202.171.152.211 port 44577 ssh2
Aug 21 13:56:30 local sshd[7770]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.171.152.211.static.zoot.jp user=root
Aug 21 13:56:31 local sshd[7770]: Failed password for root from 202.171.152.211 port 46364 ssh2
Aug 21 13:56:33 local sshd[7776]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.171.152.211.static.zoot.jp user=root
Aug 21 13:56:36 local sshd[7776]: Failed password for root from 202.171.152.211 port 47340 ssh2
Aug 21 13:56:38 local sshd[7782]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.171.152.211.static.zoot.jp user=root
Aug 21 13:56:40 local sshd[7782]: Failed password for root from 202.171.152.211 port 48644 ssh2
Aug 21 13:56:42 local sshd[7790]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.171.152.211.static.zoot.jp user=root
Aug 21 13:56:44 local sshd[7790]: Failed password for root from 202.171.152.211 port 49725 ssh2
Aug 21 13:56:46 local sshd[7800]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.171.152.211.static.zoot.jp user=root
Aug 21 13:56:47 local sshd[7800]: Failed password for root from 202.171.152.211 port 50548 ssh2
By just putting the IP into Google, I found that this guy is very famous. And it repeats two or three times a day from another Korean IP. After searching the net, the most promising and easiest to install solution was denyhosts. It looks in /var/auth.log and applies rules to identify the IPs that are attacking your machine, then adds them to /etc/hosts.deny. A nice feature is a shared XML-RPC service through which every host running denyhosts can share the IPs trying to attack it, and also download the latest blacklist.
Installation was practically trouble-free. I used Synaptic to add the package, edited /etc/denyhosts.conf and enabled the SYNC parameters to share the IPs of attackers. After enabling SYNC, my hosts.deny was filled with more than 1400 IP addresses! Amazing how much time those people have to annoy us, instead of focusing on building something useful.
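As an added illustration (not code from this post or from the denyhosts project), here is the kind of rule denyhosts applies, written in Python over a constructed log sample in the same format as the excerpt above. The year, the 5-failures-in-60-seconds threshold and the second host 192.0.2.10 are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the auth.log excerpt above (one distractor host added).
SAMPLE_LOG = """\
Aug 21 13:56:17 local sshd[7744]: Failed password for root from 202.171.152.211 port 42343 ssh2
Aug 21 13:56:19 local sshd[7752]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.171.152.211.static.zoot.jp user=root
Aug 21 13:56:21 local sshd[7752]: Failed password for root from 202.171.152.211 port 43304 ssh2
Aug 21 13:56:28 local sshd[7768]: Failed password for root from 202.171.152.211 port 44577 ssh2
Aug 21 13:56:31 local sshd[7770]: Failed password for root from 202.171.152.211 port 46364 ssh2
Aug 21 13:56:36 local sshd[7776]: Failed password for root from 202.171.152.211 port 47340 ssh2
Aug 21 13:58:02 local sshd[7801]: Failed password for alice from 192.0.2.10 port 51000 ssh2
"""

# Match only sshd's "Failed password" line; the (pam_unix) line reports the same attempt and would double-count it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(log_text, year=2006):
    """Yield (timestamp, user, ip) per failed attempt. Syslog lines carry no year, so one is supplied (assumed)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(log_text, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for IPs with >= threshold failures inside any
    sliding window of window_seconds (a denyhosts-style rate rule; values are assumptions)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

def hosts_deny_lines(hits, daemon="sshd"):
    """Render blocked IPs in /etc/hosts.deny syntax (returned for review, not written to disk)."""
    return [f"{daemon}: {ip}" for ip in sorted(hits)]
```

The single failure from 192.0.2.10 never reaches the threshold, so only the noisy host ends up in the hosts.deny output; tune the window and threshold before trusting it on a busy server, or a legitimate user with a forgotten password gets blocked too.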
A quick note: I noticed that the attackers recognize services by their standard port numbers, so they assume that FTP is on port 21 and SSH is on port 22. A very simple countermeasure is to run the services on non-standard ports; this would at least thwart almost 99% of those attacks.