0

While Checking the /var/log/secure on my centos server have found lot of attempts of failed login by using unknown usernames, from a list of ip from Japan And China

How to hide my server from these smart guys or tools ;-)

Here is the snippet of log

    Aug 27 12:07:06 EEHB-VM1 sshd[1191]: subsystem request for sftp
Aug 27 12:08:09 EEHB-VM1 sshd[1191]: pam_unix(sshd:session): session closed for user root
Aug 27 12:24:03 EEHB-VM1 sshd[1375]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remember-template.com.tw  user=root
Aug 27 12:24:04 EEHB-VM1 sshd[1377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remember-template.com.tw  user=root
Aug 27 12:24:06 EEHB-VM1 sshd[1377]: Failed password for root from 106.186.113.82 port 7176 ssh2
Aug 27 12:24:07 EEHB-VM1 sshd[1378]: Connection closed by 106.186.113.82
Aug 27 12:24:07 EEHB-VM1 sshd[1375]: Failed password for root from 106.186.113.82 port 7176 ssh2
Aug 27 12:24:07 EEHB-VM1 sshd[1376]: Connection closed by 106.186.113.82
Aug 27 12:49:31 EEHB-VM1 sshd[1883]: Invalid user fluffy from 106.186.113.82
Aug 27 12:49:31 EEHB-VM1 sshd[1884]: input_userauth_request: invalid user fluffy
Aug 27 12:49:31 EEHB-VM1 sshd[1883]: pam_unix(sshd:auth): check pass; user unknown
Aug 27 12:49:31 EEHB-VM1 sshd[1883]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remember-template.com.tw 
Aug 27 12:49:31 EEHB-VM1 sshd[1883]: pam_succeed_if(sshd:auth): error retrieving information about user fluffy
Aug 27 12:49:31 EEHB-VM1 sshd[1885]: Invalid user fluffy from 106.186.113.82
Aug 27 12:49:31 EEHB-VM1 sshd[1886]: input_userauth_request: invalid user fluffy
Aug 27 12:49:31 EEHB-VM1 sshd[1885]: pam_unix(sshd:auth): check pass; user unknown
Aug 27 12:49:31 EEHB-VM1 sshd[1885]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remember-template.com.tw 
Aug 27 12:49:31 EEHB-VM1 sshd[1885]: pam_succeed_if(sshd:auth): error retrieving information about user fluffy
Aug 27 12:49:33 EEHB-VM1 sshd[1883]: Failed password for invalid user fluffy from 106.186.113.82 port 53242 ssh2
Aug 27 12:49:33 EEHB-VM1 sshd[1884]: Connection closed by 106.186.113.82
Aug 27 12:49:34 EEHB-VM1 sshd[1885]: Failed password for invalid user fluffy from 106.186.113.82 port 45149 ssh2
Aug 27 12:49:34 EEHB-VM1 sshd[1886]: Connection closed by 106.186.113.82

This behaviour is very frequent and being repeated within short span of time.

I suspect this as some fraudulent access attempt, and would like to know how should i deal with them.

Interestingly : how did they came to know the ip address even when the website isn't even live and have disallowed robots too.

EDIT 1: May be i can select these ip address and restrict them from firewall. But Is there a way i dont even let them try this mischievous attempt rather going to access logs daily and adding couple of other rules in firewall ?

P.S. : Appreciate if someone can give me a sample iptable rule snippet for now to deal with bunch of these IPs ;-)

echoashu
  • 115
  • 1
  • 7

1 Answers1

1

For clarity, these are SSH attacks, not FTP. Any server with a public IP will experience these - bots sweep the entirety of the IPv4 address range at all times (brute forcing SSH/FTP, looking for unpatched WordPress installs, etc.). As long as you're using good security practices (key-based auth, strong passwords) it's just noise, but folks often use something like fail2ban to automatically block the attempts after a few auth failures.

ceejayoz
  • 32,469
  • 7
  • 81
  • 105