Web Hosting Talk
View Full Version : brute force warnings with same pattern


Nygaff
08-29-2004, 03:45 PM
Hi,

I have noticed that the brute force warnings that I receive all have the same exact entries. For example:
- Log events from /var/log/secure:
Aug 29 06:39:25 gobo sshd[16388]: Illegal user test from 67.154.250.243
Aug 29 06:39:28 gobo sshd[16388]: Failed password for illegal user test from 67.154.250.243 port 60101 ssh2
Aug 29 06:39:29 gobo sshd[16390]: Illegal user guest from 67.154.250.243
Aug 29 06:39:32 gobo sshd[16390]: Failed password for illegal user guest from 67.154.250.243 port 60181 ssh2
Aug 29 06:39:33 gobo sshd[16392]: Illegal user admin from 67.154.250.243
Aug 29 06:39:35 gobo sshd[16392]: Failed password for illegal user admin from 67.154.250.243 port 60273 ssh2
Aug 29 06:39:37 gobo sshd[16394]: Illegal user admin from 67.154.250.243
Aug 29 06:39:39 gobo sshd[16394]: Failed password for illegal user admin from 67.154.250.243 port 60374 ssh2
Aug 29 06:39:42 gobo sshd[16396]: Illegal user user from 67.154.250.243
Aug 29 06:39:45 gobo sshd[16396]: Failed password for illegal user user from 67.154.250.243 port 60477 ssh2
Aug 29 06:39:48 gobo sshd[16398]: Failed password for root from 67.154.250.243 port 60575 ssh2
Aug 29 06:39:54 gobo sshd[16400]: Failed password for root from 67.154.250.243 port 60657 ssh2
Aug 29 06:39:57 gobo sshd[16402]: Failed password for root from 67.154.250.243 port 60768 ssh2
Aug 29 06:39:58 gobo sshd[16404]: Illegal user test from 67.154.250.243
Aug 29 06:40:01 gobo sshd[16404]: Failed password for illegal user test from 67.154.250.243 port 60867 ssh2
----

- Log events from /var/log/secure:
Aug 29 14:26:20 gobo sshd[16572]: Illegal user test from 210.101.248.112
Aug 29 14:26:22 gobo sshd[16572]: Failed password for illegal user test from 210.101.248.112 port 40545 ssh2
Aug 29 14:26:24 gobo sshd[16578]: Illegal user guest from 210.101.248.112
Aug 29 14:26:26 gobo sshd[16578]: Failed password for illegal user guest from 210.101.248.112 port 40663 ssh2
Aug 29 14:26:28 gobo sshd[16580]: Illegal user admin from 210.101.248.112
Aug 29 14:26:30 gobo sshd[16580]: Failed password for illegal user admin from 210.101.248.112 port 40786 ssh2
Aug 29 14:26:32 gobo sshd[16582]: Illegal user admin from 210.101.248.112
Aug 29 14:26:34 gobo sshd[16582]: Failed password for illegal user admin from 210.101.248.112 port 40889 ssh2
Aug 29 14:26:36 gobo sshd[16584]: Illegal user user from 210.101.248.112
Aug 29 14:26:38 gobo sshd[16584]: Failed password for illegal user user from 210.101.248.112 port 40993 ssh2
Aug 29 14:26:42 gobo sshd[16586]: Failed password for root from 210.101.248.112 port 41095 ssh2
Aug 29 14:26:46 gobo sshd[16588]: Failed password for root from 210.101.248.112 port 41195 ssh2
Aug 29 14:26:50 gobo sshd[16590]: Failed password for root from 210.101.248.112 port 41294 ssh2
Aug 29 14:26:52 gobo sshd[16592]: Illegal user test from 210.101.248.112
Aug 29 14:26:54 gobo sshd[16592]: Failed password for illegal user test from 210.101.248.112 port 41397 ssh2
----


and there are many more as well. Why is this happening? (Not the attacks, the actual entries.)

J

IGobyTerry
08-29-2004, 07:08 PM
I would think that it's quite obvious as to why it is logging the entries. It's to let you know that someone is attempting to log into your server through SSH, but failing to do so. I would recommend installing APF + BFD, and then changing the port that SSH is on.

Suvee_@_M6.net
08-29-2004, 07:18 PM
Originally posted by inogenius
I would recommend installing APF + BFD, and then changing the port that SSH is on.

Dangerous issue. Thanks any way.

ChrisTech
08-29-2004, 07:26 PM
Changing your ssh port doesn't do much. Port scans will reveal what ports are open.

IGobyTerry
08-29-2004, 07:43 PM
Originally posted by ChrisTech
Changing your ssh port doesn't do much. Port scans will reveal what ports are open.
All that he's seeing is an infected box that's doing random scanning on port 22 across thousands of IPs. It's not as if he's a direct target. Obviously if he were a direct target you'd see many more entries, with various usernames. Changing the port that SSH is on will stop those random login attempts from the infected boxes.

Dangerous issue. Thanks any way.
I don't understand what you're saying. Dangerous issue?

Nygaff
08-30-2004, 08:08 AM
Thanks everyone.

My original question (and sorry if this didn't come out :)) was why there is such repetitiveness (sp??). It is the same usernames over and over again, in the same order.

Also, can I change the port in WHM?

thanks
J
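The repetition Nygaff is asking about is a fixed username list that the same scanner replays against every host it finds. As an added example (not code from the thread), this parses `Failed password` lines in the format shown in the first post, groups them by source address, and flags a source whose failed-login sequence contains that fixed order, while everything else gets a BFD-style failure count so a customer who mistypes a password twice is not treated like an attacker. The sample log is constructed from the thread's excerpt with documentation-range addresses; `SIGNATURE` and the trigger value are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the /var/log/secure excerpt in the thread;
# the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug 29 06:39:28 gobo sshd[16388]: Failed password for illegal user test from 192.0.2.10 port 60101 ssh2
Aug 29 06:39:32 gobo sshd[16390]: Failed password for illegal user guest from 192.0.2.10 port 60181 ssh2
Aug 29 06:39:35 gobo sshd[16392]: Failed password for illegal user admin from 192.0.2.10 port 60273 ssh2
Aug 29 06:39:39 gobo sshd[16394]: Failed password for illegal user admin from 192.0.2.10 port 60374 ssh2
Aug 29 06:39:45 gobo sshd[16396]: Failed password for illegal user user from 192.0.2.10 port 60477 ssh2
Aug 29 06:39:48 gobo sshd[16398]: Failed password for root from 192.0.2.10 port 60575 ssh2
Aug 29 06:39:54 gobo sshd[16400]: Failed password for root from 192.0.2.10 port 60657 ssh2
Aug 29 06:39:57 gobo sshd[16402]: Failed password for root from 192.0.2.10 port 60768 ssh2
Aug 29 06:40:01 gobo sshd[16404]: Failed password for illegal user test from 192.0.2.10 port 60867 ssh2
Aug 29 07:10:02 gobo sshd[16500]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Aug 29 07:10:09 gobo sshd[16502]: Failed password for alice from 198.51.100.7 port 51004 ssh2
"""

# Matches both forms in the thread: "for illegal user NAME" and "for NAME" (e.g. root).
FAILED_RE = re.compile(r"Failed password for (?:illegal user )?(\S+) from (\S+) port")

# The fixed username order that both excerpts in the thread share (assumed signature).
SIGNATURE = ("test", "guest", "admin", "admin", "user", "root", "root", "root", "test")

def failed_users_by_source(log_text):
    """Return {source_ip: [usernames that failed, in log order]}."""
    seq = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            seq[m.group(2)].append(m.group(1))
    return dict(seq)

def has_signature(users, sig=SIGNATURE):
    """True if the scanner's username sequence appears, in order, in users."""
    n = len(sig)
    return any(tuple(users[i:i + n]) == sig for i in range(len(users) - n + 1))

def classify(log_text, trigger=5):
    """Label each source: 'scanner' for the fixed sequence, 'brute-force' when
    failures reach the trigger (a BFD-style count), else 'noise'."""
    verdict = {}
    for ip, users in failed_users_by_source(log_text).items():
        if has_signature(users):
            verdict[ip] = "scanner"
        elif len(users) >= trigger:
            verdict[ip] = "brute-force"
        else:
            verdict[ip] = "noise"
    return verdict
```

Feed the real file in with `classify(open("/var/log/secure").read())`; sources labelled `noise` are the ones crucialx's concern applies to and should not be blocked on a single report.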

Morphix
08-30-2004, 08:15 AM
The most common login to Linux based machines is either 'root' or 'admin'. The brute force program keeps trying to guess your password using the 'root' and/or 'admin' username.

As several people suggested here, install APF and BFD, change your SSH port (You can't do it in WHM, only in shell under /etc/ssh/sshd_config), and disable direct login for the root user.

aceadoni
08-30-2004, 08:20 AM
We have had the same thing happen to us. We added BFD+APF and monitor the servers closely for tampering.

Orc Webhosting
08-30-2004, 10:12 AM
Before I changed the port SSH was on, I was getting up to several IPs daily trying to hack into my server. Since I installed it, there hasn't been a single such report - OTOH Logwatch now gives me every day a list of IPs who got a "couldn't connect" error. To this kind of attempts, my server looks as if SSH weren't enabled, i.e. it is an additional layer of security.

dynamicnet
08-30-2004, 10:23 AM
Greetings:

This has been going on for a while.

Read the following:
http://isc.sans.org/diary.php?date=2004-07-23
http://isc.sans.org/diary.php?date=2004-07-28
http://isc.sans.org/diary.php?date=2004-08-29

Thank you.

GideonX
08-30-2004, 03:06 PM
Saw this thread also:

http://www.webhostingtalk.com/showthread.php?s=&threadid=315272

might be what you're experiencing.

crucialx
08-30-2004, 11:52 PM
I would be very careful installing BFD, especially with the rules you set. We had this running, but in the end disabled it, as we were getting quite a few clients blocked from their sites when they typed their password incorrectly a few times. BFD is not necessary if you have good passwords (at least 8 characters, numbers and letters, non-dictionary, and non-default).

IGobyTerry
08-30-2004, 11:55 PM
Originally posted by crucialparad
I would be very careful installing BFD, especially with the rules you set. We had this running, but in the end disabled it, as we were getting quite a few clients blocked from their sites when they typed their password incorrectly a few times. BFD is not necessary if you have good passwords (at least 8 characters, numbers and letters, non-dictionary, and non-default).

You're able to change the default rules that BFD is under by going to /usr/local/bfd/rules and then individually editing each file. You would just change the "trig" variable to something more appropriate for a shared hosting environment. I admittedly have left the configuration the same and have had a total of one user get locked out.

Odd Fact
08-31-2004, 01:39 AM
Moved to the Technical & Security Forum. Using APF, BFD, and an alternate SSH port has worked well for me.

Nygaff
09-01-2004, 10:34 PM
can someone explain what APF and BFD are?

thanks
josh

gate2vn
09-01-2004, 11:56 PM
Originally posted by Nygaff
can someone explain what APF and BFD are?

thanks
josh

APF = Advanced Policy Firewall
BFD = Brute Force Detection

Mituozo
09-02-2004, 05:41 AM
How do you change the SSH port on a server?

IGobyTerry
09-02-2004, 11:24 AM
Originally posted by xeogaming
How do you change the SSH port on a server?
Here's how you do it on a cPanel server:

First log in to SSH.
cd /etc/ssh/
pico sshd_config
Add the line Port xxxx (whichever port number you want)
/etc/init.d/ssh restart
Exit SSH and make sure you can log in using the new port.
Once you've made sure that you can log in on the new port, you can remove the line that says Port 22.
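The same procedure as a script, as an added example rather than anything posted in the thread: the new port is staged alongside 22 (sshd listens on every active Port line), and 22 is dropped only after the new port has been verified, with a separate helper for Morphix's suggestion to set PermitRootLogin to no. Port and PermitRootLogin are real sshd_config directives; the sample config, the port number and the function names are constructed here.

```python
import re

# Constructed starting config; a real sshd_config is longer, the rules are the same.
SAMPLE_CONFIG = """\
# OpenSSH server configuration (constructed sample)
#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

def split_directive(config, key):
    """Separate active (uncommented) KEY lines from everything else.
    Returns (other_lines, values); sshd treats keywords case-insensitively."""
    pat = re.compile(rf"^[ \t]*{key}[ \t]+(\S+)[ \t]*$", re.IGNORECASE)
    keep, values = [], []
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            values.append(m.group(1))
        else:
            keep.append(line)  # comments such as "#Port 22" are left alone
    return keep, values

def active_values(config, key):
    return split_directive(config, key)[1]

def set_directive(config, key, value):
    """Replace every active KEY line with a single 'KEY value' (appended)."""
    keep, _ = split_directive(config, key)
    return "\n".join(keep + [f"{key} {value}"]) + "\n"

def stage_new_port(config, new_port):
    """Step 1 of the thread's procedure: add the new port but keep 22 listening
    (sshd accepts several Port lines), so a typo cannot lock you out."""
    if not 1024 <= int(new_port) <= 65535:
        raise ValueError("use an unprivileged port above 1023")
    keep, ports = split_directive(config, "Port")
    ports = ports or ["22"]  # no active Port line means the default, 22
    ports = list(dict.fromkeys(ports + [str(new_port)]))  # dedupe, keep order
    return "\n".join(keep + [f"Port {p}" for p in ports]) + "\n"

def finalize_port_change(config, new_port):
    """Step 2, run only after a login on the new port succeeded: drop Port 22."""
    keep, ports = split_directive(config, "Port")
    if str(new_port) not in ports:
        raise ValueError("new port is not staged; verify it first")
    ports = [p for p in ports if p != "22"]
    return "\n".join(keep + [f"Port {p}" for p in ports]) + "\n"
```

Run `sshd -t` against the rewritten file before restarting, and test the new port from a second session while the first one stays open.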

andreyka
09-02-2004, 11:35 AM
A good idea: log in to SSH without a password, by key :)