Web Hosting Talk

root/password from 12.19.98.21: 2166 Time(s)

ALLiNET
09-05-2004, 01:01 PM
Here is the log file from last night!!! What should I do now???
Should I contact their ISP somehow? Or what??? I'm not happy with this at all.

root/password from 12.19.98.21: 2166 Time(s)
This is from last night, September 4, 2004.

--------------------- SSHD Begin ------------------------


Failed logins from these:
admin/password from 12.19.98.21: 29 Time(s)
guest/password from 12.19.98.21: 15 Time(s)
root/password from 12.19.98.21: 2166 Time(s)
test/password from 12.19.98.21: 72 Time(s)
user/password from 12.19.98.21: 14 Time(s)

Users logging in through sshd:
demo logged in from 24-161-120-103.hvc.rr.com (24.161.120.103) using password: 1 Time(s)
root logged in from 24-161-120-103.hvc.rr.com (24.161.120.103) using password: 1 Time(s)

Scanned from these:
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)
100.67-19-68.reverse.theplanet.com (67.19.68.100)

**Unmatched Entries**

---------------------- SSHD End -------------------------

0218
09-05-2004, 01:17 PM
I am also facing the same problem. I am looking for solutions too. Can anybody give an idea?

ALLiNET
09-05-2004, 01:24 PM
I just called a datacenter. Do you have them from the same IP???
And I found a host name, so I called the host name / domain name owners. And there are people from China and they just hang up on me =(

Nettworkz
09-05-2004, 01:35 PM
Originally posted by 0218
I am also facing the same problem. I am looking for solutions too. Can anybody give an idea?

BFD is your friend..

http://www.rfxnetworks.com/bfd.php

sprintserve
09-05-2004, 02:05 PM
Also try changing your SSH port. That inhibits at least 80% of automated scripts or worms.

RossH
09-05-2004, 02:16 PM
They are just trying to brute force your box, it looks like. No biggie, as it happens all the time. Report their IP to their provider.

0218
09-05-2004, 02:20 PM
I have installed APF, so can APF help me? How to do it?

ALLiNET
09-05-2004, 02:23 PM
I have a question: how to block an IP if they try to login more than 15 times and fail?

sprintserve
09-05-2004, 02:23 PM
APF is just a firewall. You need BFD to work hand in hand with it to proactively ban IPs that try to brute force your system:

http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
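
An added example, not code from the thread or from BFD: the counting that BFD automates, run over a constructed sshd log. It tallies failed password attempts per source address and reports any source at or above a threshold, here the 15 attempts ALLiNET asked about; the function name flag_bruteforce, the sample log and the address 203.0.113.9 are assumptions.

```shell
#!/bin/sh
# Tally failed sshd password attempts per source address and report those at
# or above a threshold: the core of what BFD automates before handing the
# address to the firewall. Function name, sample log and 203.0.113.9 are
# constructed for this example.

# Print "ip count" for every source with at least $2 failures in log $1.
flag_bruteforce() {
    awk -v thr="$2" '
        # Matches "Failed password for root from IP ..." and also
        # "Failed password for illegal user test from IP ..." (2004 wording;
        # newer OpenSSH logs "invalid user" instead).
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END {
            for (ip in fails) if (fails[ip] + 0 >= thr + 0) print ip, fails[ip]
        }
    ' "$1" | sort
}

# Constructed sample log: 21 failures from the address in the thread,
# 3 from another address, and one successful login that must not count.
SAMPLE_LOG=$(mktemp)
i=0
while [ "$i" -lt 20 ]; do
    printf 'Sep  4 23:11:%02d srv sshd[1%02d]: Failed password for root from 12.19.98.21 port 40%02d ssh2\n' "$i" "$i" "$i"
    i=$((i + 1))
done > "$SAMPLE_LOG"
cat >> "$SAMPLE_LOG" <<'EOF'
Sep  4 23:12:00 srv sshd[1300]: Illegal user test from 12.19.98.21
Sep  4 23:12:00 srv sshd[1300]: Failed password for illegal user test from 12.19.98.21 port 4100 ssh2
Sep  4 23:13:01 srv sshd[1301]: Failed password for admin from 203.0.113.9 port 5000 ssh2
Sep  4 23:13:02 srv sshd[1302]: Failed password for admin from 203.0.113.9 port 5001 ssh2
Sep  4 23:13:03 srv sshd[1303]: Failed password for admin from 203.0.113.9 port 5002 ssh2
Sep  4 23:20:10 srv sshd[1400]: Accepted password for demo from 24.161.120.103 port 3355 ssh2
EOF

# Only 12.19.98.21 crosses the 15-attempt line; each reported address is a
# candidate for a firewall deny such as the "apf -d <ip>" GideonX mentions.
flag_bruteforce "$SAMPLE_LOG" 15    # prints: 12.19.98.21 21
```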

GideonX
09-05-2004, 03:28 PM
If you have APF, block the IP already.

apf -d 12.19.98.21

then change your SSH port and install BFD so you won't have to do this manually ;)

gaschamber
09-05-2004, 03:47 PM
That IP seems to be getting around. It used to show up all the time in the logs of different servers I manage.

Nabi1
09-05-2004, 04:25 PM
I think you should contact your ISP about it and/or Daniel Industries.


DANIEL INDUSTRIES, INC. 12.19.96.0 - 12.19.99.255
UNITED STATES

ALLiNET
09-05-2004, 05:21 PM
I did this. I called them up early in the morning and they hung up on me. (713) 827-3343, (713) 827-3373. Also emailed them, no response. tony.lupold@EMERSONPROCESS.COM, raj.sarangam@EMERSONPROCESS.COM. I'm thinking now to contact AT&T about this because it looks like they don't give a F@#$ about this.

kostagr33k
09-05-2004, 08:02 PM
Not much they can really do about out-of-the-country attempts. It's not even worth their time really unless they do something severe, so take the advice of previous posts about BFD etc.

kosta

0218
09-09-2004, 11:29 AM
I am also facing this problem. I did install APF, but how do I change my SSH port?
After I change the SSH port, do I need to configure any of my software again? I mean APF, logwatch, chkrootkit etc....

gaschamber
09-09-2004, 11:39 AM
Originally posted by 0218
I am also facing this problem. I did install APF, but how do I change my SSH port?
After I change the SSH port, do I need to configure any of my software again? I mean APF, logwatch, chkrootkit etc....

Yes, you'll have to change the APF config a little bit. Tell it to close port 22 and open the new SSH port; that should be it. Better yet, if you have a static IP, just deny all access to port 22 and only open it up to you. Something else you can do is use a port knocker. I also saw this wonderful guy start trying it with FTP now too. Yay.

Cheers,
William

locate
09-10-2004, 01:20 PM
Hi,
you must:
1) Deny remote root login
2) Update SSH - in the new release this problem is fixed!

ALLiNET
09-10-2004, 05:00 PM
OK, but if I'm going to deny remote login, how will I be able to login from home to my server???

submenu
09-11-2004, 02:15 AM
You would use SSH key-only login. This way no one could login as root unless they had an authorized SSH key file. It also makes it a lot easier since you don't have to type in your root password every time you login :)

ALLiNET
09-11-2004, 02:25 AM
Hm,
OK, would you help me with this? Contact me via one of these:
AIM: ********
ICQ: 50000080
MSN: support@********.com
Yahoo: eoneserver

sprintserve
09-11-2004, 02:44 AM
Originally posted by 0218
I am also facing this problem. I did install APF, but how do I change my SSH port?
After I change the SSH port, do I need to configure any of my software again? I mean APF, logwatch, chkrootkit etc....

Go to shell

Edit /etc/ssh/sshd_config

Uncomment the Port 22 line, i.e. remove the # in front.

Change it to any port you want.

Make sure your firewall allows the new port you are using, else you will lock yourself out. Then do

/etc/init.d/sshd restart

You are done. You do not need to configure other software other than APF to allow the new port.

sprintserve
09-11-2004, 02:50 AM
Originally posted by ALLiNET
OK, but if I'm going to deny remote login, how will I be able to login from home to my server???

If you want to use keys, go to: http://www.puddingonline.com/~dave/publications/SSH-with-Keys-HOWTO/document/html-one-page/SSH-with-Keys-HOWTO.html

Alternatively, read my step-by-step one post before this. Instead of uncommenting the Port line, uncomment the line

# PermitRootLogin Yes

Then change the yes to no.

Save

You need to have an admin user that's allowed to su to root, i.e. you will first login as another user before logging in to root. I will explain what to do at the end. But let's continue....

You first need to add a user you want to use as admin. In my example, I will use alinet as the username. So do:

useradd alinet

passwd alinet

You will be asked for your password. Enter it twice.

Edit groups:

pico /etc/group

Look for the line with wheel

Add ,alinet to the end.

Save.

Now restart SSH

/etc/init.d/sshd restart

You are done. You now need to login using alinet (and the password you selected earlier). Once in, do

su -

and enter your root password.
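
An added example, not from the thread: sprintserve's edits (a new Port, PermitRootLogin no, the user appended to the wheel line) applied to copies of the files and checked before anything is restarted. Function names, port 2222 and the sample files are assumptions; alinet is the username from the post.

```shell
#!/bin/sh
# Apply the sshd_config edits from the post (a new Port, PermitRootLogin no)
# and the wheel-group edit to copies of the files, and check the result
# before any restart. Function names, port 2222 and the sample files are
# constructed for this example; no sed -i, so it runs on GNU and BSD alike.

# Rewrite the first active or commented "$2" directive in $1 as "$2 $3",
# drop any later duplicates, or append the directive if it was absent.
set_sshd_option() {
    awk -v key="$2" -v val="$3" '
        $0 ~ "^#*[[:space:]]*" key "[[:space:]]" {
            if (!seen) { print key " " val; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print key " " val }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Returns non-zero unless both directives are active exactly once, so a
# caller can refuse to run "/etc/init.d/sshd restart" on a bad file.
harden_sshd_config() {   # $1 = sshd_config copy, $2 = new port
    set_sshd_option "$1" Port "$2" &&
    set_sshd_option "$1" PermitRootLogin no &&
    [ "$(grep -c "^Port $2\$" "$1")" -eq 1 ] &&
    [ "$(grep -c '^PermitRootLogin no$' "$1")" -eq 1 ]
}

# Append $2 to the wheel line of group file $1. The post says "add ,alinet to
# the end", which on an empty group yields "wheel:x:10:,alinet"; handle that
# and do not add a user twice. On a live box usermod -aG wheel does the same.
add_to_wheel() {
    awk -v user="$2" -F: 'BEGIN { OFS = ":" }
        $1 == "wheel" && index("," $4 ",", "," user ",") == 0 {
            $4 = ($4 == "") ? user : $4 "," user
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample files mirroring a stock 2004 sshd_config and /etc/group.
CFG=$(mktemp); GRP=$(mktemp)
printf '%s\n' '#Port 22' '# PermitRootLogin Yes' 'X11Forwarding no' > "$CFG"
printf '%s\n' 'root:x:0:' 'wheel:x:10:' > "$GRP"
harden_sshd_config "$CFG" 2222 && add_to_wheel "$GRP" alinet
cat "$CFG" "$GRP"
```

Remember the post's warning: open the new port in APF before restarting sshd, or the check passing here will not save you from locking yourself out.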

ALLiNET
09-11-2004, 09:41 AM
OK, I will try it first on my home computer; if it works I will do this on a server.

sprintserve
09-11-2004, 09:44 AM
It works. I do it all the time.

lwknet
09-11-2004, 09:43 PM
Remember to temporarily enable FTP root login while changing the SSH port, for insurance, and make sure your FTP server does not chroot you to /root, for double insurance.

And do not hope SFTP will work while you're logged out from SSH.

Dacsoft
09-11-2004, 10:31 PM
Run - don't walk to http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

You need to get Brute Force Detection installed. Then you can work on other alternatives.

You can change the port used for SSH. While not a foolproof prevention, it will drastically reduce the attempts.

If you don't allow SSH to customers, you can restrict SSH access from only some IPs. This is probably the best method.

Also, make sure any passwords are long and complicated.

beachtrader
09-12-2004, 08:52 PM
As an added security precaution you also might want to look into port knocking.