2

Possible Duplicate:
Invalid users trying to log in to my server

I have a small ssh server mostly used for file sharing. A couple of other people and I use it and there are only 3 users. Recently I checked the auth.log file and there was a ridiculous amount of logins from a set of hosts with different usernames. I think I'm being hacked by something like hydra and I'm not sure what to do. I put a slice of the log file on pastebin: http://pastebin.com/Hgazhabu

I took some info out of the file for security's sake, but everything you need to see is there. None of these usernames ring a bell, nor does the IP.

smithy545
  • 121
  • 3
  • Welcome to our site! Hopefully the answers in the duplicate question I linked are helpful to you. We see this a lot, but since people ask the question in various different ways, it can sometimes be hard to find the right answer in the haystack. – Jeff Ferland Dec 12 '12 at 03:34

4 Answers

1

I don't think your server is being attacked very effectively, if it's the usual "guess root account password" moronic attack. That attack just won't work if you have sshd configured at all securely (with PermitRootLogin no).

If you're comfortable with C-language coding, you can make a "tarpit" out of sshd by following these instructions. The last time I did that, I set up my SSH server to delay for 7 seconds on an incorrect password. I didn't do exactly as the instructions said, but it was pretty close. Anyway, on a bad password, sshd sleeps for some seconds, which really puts a dent in the cycles those password guessers can sap, as they send requests sequentially, and single-threaded.

If we all set up our SSH servers this way, SSH password guessing will go the way of the dinosaur.

Bruce Ediger
  • 4,552
  • 2
  • 25
  • 26
1

Welcome to the Internet. There are hundreds and thousands of hosts probing for SSH servers and attempting to brute force them daily. You are no different. There are a few things you can do to protect yourself.

First, turn off password-based logins if at all possible. Using only public-key authentication will completely stop password brute-forcing. If you must use password-based authentication, then make sure you have no default accounts/passwords, disable root login, and enforce password complexity with something like passwdqc or pam_cracklib.

Second, use fail2ban to monitor bad logins and temporarily ban offenders. Temporary bans are better than permanent, since you may accidentally lock yourself out, and permanent bans will clutter up your firewall rules.

bonsaiviking
  • 11,316
  • 1
  • 27
  • 50
0

It does look like it, with the quantity, timing and all the usernames being generic defaults. If they are all coming from the same IP, as it appears in the bit of logs on pastebin, you could just block that IP.

karmet
  • 1
  • 1
0

I just came to know there is a package that serves this purpose: http://www.fail2ban.org/wiki/index.php/Main_Page

Note that this is not 'Live'. It looks at the log files and then blocks that particular IP. In your case, this would work.

sudhacker
  • 4,260
  • 5
  • 23
  • 34
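The log-watching approach this answer and bonsaiviking's describe, as an added example that is not part of any answer or of fail2ban itself: a small Python script that parses constructed auth.log lines (documentation-range IPs, not the ones from the pastebin) and flags any source address with `maxretry` failed passwords inside `findtime` seconds, the same two knobs fail2ban's sshd jail exposes. The year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt: one host cycling default usernames, one legitimate user.
SAMPLE_AUTH_LOG = """\
Dec 12 02:14:01 fileshare sshd[4123]: Invalid user oracle from 198.51.100.23
Dec 12 02:14:01 fileshare sshd[4123]: Failed password for invalid user oracle from 198.51.100.23 port 51022 ssh2
Dec 12 02:14:03 fileshare sshd[4125]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Dec 12 02:14:05 fileshare sshd[4127]: Failed password for root from 198.51.100.23 port 51044 ssh2
Dec 12 02:14:07 fileshare sshd[4129]: Failed password for invalid user admin from 198.51.100.23 port 51050 ssh2
Dec 12 02:14:09 fileshare sshd[4131]: Failed password for invalid user guest from 198.51.100.23 port 51061 ssh2
Dec 12 02:20:30 fileshare sshd[4140]: Failed password for smithy from 203.0.113.7 port 40122 ssh2
Dec 12 02:20:41 fileshare sshd[4142]: Accepted publickey for smithy from 203.0.113.7 port 40130 ssh2
"""

# Matches sshd's "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(log_text, year=2012):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog has no year, so the caller supplies one (assumed 2012 here)
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_offenders(log_text, maxretry=5, findtime=600, year=2012):
    """Return {ip: {"attempts": n, "users": [...]}} for IPs with maxretry failures within findtime seconds."""
    times_by_ip, users_by_ip = defaultdict(list), defaultdict(set)
    for ts, user, ip in parse_failures(log_text, year):
        times_by_ip[ip].append(ts)
        users_by_ip[ip].add(user)
    offenders = {}
    for ip, times in times_by_ip.items():
        times.sort()
        # Sliding window: any run of maxretry consecutive failures that fits inside findtime trips the rule.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                offenders[ip] = {"attempts": len(times), "users": sorted(users_by_ip[ip])}
                break
    return offenders

def ban_rule(ip):
    """Temporary block on the SSH port, in the spirit of fail2ban's default iptables action."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['attempts']} failures as {', '.join(info['users'])}")
        print("   ", ban_rule(ip))
```

The legitimate user's single typo followed by a key-based login never reaches the threshold, which is why a window (rather than a lifetime count) is what keeps you from banning yourself.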