
Possible Duplicate:
Hundreds of failed ssh logins

Recently I have been spending more time on my production servers in an effort to puppetize several configs, and I happened to issue a find /var/log -mmin -1 and it returned the /var/log/secure file (among others). Being curious as to the recent activity being logged to this specific file, I started tailing it, and several of these entries were being logged:

Jan  9 22:15:59 myhost sshd[22916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.213.48.82  user=apache
Jan  9 22:16:01 myhost sshd[22916]: Failed password for apache from 58.213.48.82 port 36464 ssh2
Jan  9 22:16:01 myhost sshd[22917]: Received disconnect from 58.213.48.82: 11: Bye Bye
Jan  9 22:16:03 myhost unix_chkpwd[22922]: password check failed for user (apache)
Jan  9 22:16:03 myhost sshd[22919]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.213.48.82  user=apache
Jan  9 22:16:04 myhost sshd[22919]: Failed password for apache from 58.213.48.82 port 37392 ssh2
Jan  9 22:16:05 myhost sshd[22920]: Received disconnect from 58.213.48.82: 11: Bye Bye
Jan  9 22:16:06 myhost unix_chkpwd[22925]: password check failed for user (apache)
Jan  9 22:16:06 myhost sshd[22923]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.213.48.82  user=apache
Jan  9 22:16:08 myhost sshd[22923]: Failed password for apache from 58.213.48.82 port 38244 ssh2
Jan  9 22:16:08 myhost sshd[22924]: Received disconnect from 58.213.48.82: 11: Bye Bye

Not too friendly looking, but I did notice that the requests were coming from the same IP address destined for varying local ports. So I did a whois 58.213.48.82, and it returned this:

[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-4]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        58.208.0.0 - 58.223.255.255
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-JS
mnt-routes:     MAINT-CHINANET-JS
....

This, again, doesn't look friendly. So is this what a potential attack looks like? And how should I handle it? Set up an entry in iptables to block any requests from the given IP?

Mike Purcell

2 Answers


It is probably just 'normal' Internet noise from some bot/worm somewhere.

See Hundreds of failed ssh logins

Adding a rule to block just that IP would be a complete waste of your time. Tomorrow there will be a different IP. Either block all traffic except the good stuff, or set up an IPS/IDS-style program that automatically blocks things.

Zoredache

This is normal. I was getting lots of these several times a day from all over the world.

It's good practice to prevent these login attempts.

3 possible methods.

  1. Set up firewall rule to block everyone to the ssh port 22 except known good IP's.

  2. Install and configure a tool like fail2ban. This will automatically block repeat login failures via a firewall rule. It'll unblock again after some timeout (in case you lock yourself out!)

  3. Both 1 & 2.

Of the first 2 methods, method 1 is the most secure. But, not always appropriate. For example, you may be running sftp and have users you want to access it but are not sure of their IP range. So 2 on its own may be appropriate. However, installing both is the most secure setup.

Here's who fail2ban has blocked on my server recently:

DROP       all  --  124.202.129.123      anywhere            
DROP       all  --  183.61.135.236       anywhere            
DROP       all  --  mailhost.best.server.h2omedia.de  anywhere            
DROP       all  --  ip223.hichina.com    anywhere            
DROP       all  --  124.202.129.124      anywhere            
DROP       all  --  59.46.172.67         anywhere            
DROP       all  --  198.15.109.254       anywhere            
DROP       all  --  61.183.35.3          anywhere            
DROP       all  --  122.225.107.98       anywhere            
DROP       all  --  61.142.106.34        anywhere            
DROP       all  --  customer-201-96-126-213.uninet-ide.com.mx  anywhere            
DROP       all  --  122.155.222.4        anywhere            
DROP       all  --  114.80.116.124       anywhere            
DROP       all  --  202.153.46.18        anywhere            
DROP       all  --  cncln.online.ln.cn   anywhere            
DROP       all  --  222.28.155.2         anywhere            
DROP       all  --  ns.km22643.keymachine.de  anywhere            
DROP       all  --  111.74.82.33         anywhere            
DROP       all  --  119.188.3.56         anywhere            
DROP       all  --  60.174.198.14        anywhere            
DROP       all  --  123.127.160.102      anywhere            
DROP       all  --  202.29.16.59         anywhere            
DROP       all  --  wsc.jalamobile.net   anywhere            
DROP       all  --  58.248.62.48         anywhere            
DROP       all  --  211.161.45.136       anywhere            
DROP       all  --  153.128.19.93        anywhere            
DROP       all  --  50.22.249.204-static.reverse.softlayer.com  anywhere            
DROP       all  --  58.252.68.177        anywhere            
DROP       all  --  fire.deltax.com.br   anywhere            
DROP       all  --  117.79.80.242        anywhere            
DROP       all  --  202.202.232.202      anywhere            
RETURN     all  --  anywhere             anywhere  
hookenz
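Method 1 from the answer above, as an added example that is not code from the answer or from the fail2ban project: a pair of POSIX shell functions that build an iptables allowlist for SSH, so that new connections to tcp/22 are accepted only from the sources you list and dropped otherwise. The addresses used are placeholders for your own ranges, the host is assumed to use iptables with the conntrack match, and setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original answers): iptables rules for
# "block everyone to port 22 except known good IPs".
# Assumed: the source ranges passed in are placeholders for your own, and
# the host runs iptables with the conntrack match. Set IPT=echo to preview
# the commands instead of applying them (applying them needs root).
IPT="${IPT:-iptables}"

# ssh_allowlist_chain SRC [SRC...]
# (Re)builds a dedicated chain SSH_ALLOW: ACCEPT for each listed source
# (single address or CIDR), DROP for anything that reaches the end.
# Safe to re-run when the list changes: the chain is flushed, not duplicated.
ssh_allowlist_chain() {
    if [ "$#" -eq 0 ]; then
        echo "refusing to build an empty allowlist (it would drop all SSH)" >&2
        return 1
    fi
    # create the chain, or flush it if it already exists
    $IPT -N SSH_ALLOW 2>/dev/null || $IPT -F SSH_ALLOW
    for src in "$@"; do
        $IPT -A SSH_ALLOW -s "$src" -j ACCEPT
    done
    $IPT -A SSH_ALLOW -j DROP
}

# ssh_allowlist_hook
# Hooks the chain into INPUT for tcp/22. Run once at setup: it appends, so
# running it again would add duplicate rules.
ssh_allowlist_hook() {
    # packets of sessions that are already open are accepted first, so a
    # mistake in the list does not cut off the shell you are typing in
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # only new connection attempts are checked against the allowlist
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_ALLOW
}

# Preview what would be applied for two placeholder ranges:
IPT=echo ssh_allowlist_chain 203.0.113.0/24 198.51.100.7
IPT=echo ssh_allowlist_hook
```

Two things to check before running this for real: keep an existing SSH session open while you apply it (the ESTABLISHED rule keeps that session alive even if you mistype a range), and look at the existing INPUT chain first, because an earlier rule that already accepts tcp/22 would be matched before the hook and the allowlist would never be consulted. Method 3 in the answer is simply this plus fail2ban watching the same log for whatever still gets through from the listed ranges.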