Am I getting hacked?
slice16 11-28-2004, 09:51 AM OK, I have been checking my server logs and I appear to be getting a lot of failed attempts at logging into various users through SSH.
account/password from 61.221.79.115: 5 Time(s)
adam/password from 61.221.79.115: 5 Time(s)
adm/password from 61.221.79.115: 10 Time(s)
admin/password from 194.8.222.42: 10 Time(s)
alan/password from 61.221.79.115: 5 Time(s)
apache/password from 61.221.79.115: 5 Time(s)
backup/password from 61.221.79.115: 5 Time(s)
cip51/password from 61.221.79.115: 5 Time(s)
This is just an example; there are a lot more.
Am I missing something?
slice16 11-28-2004, 09:53 AM There's a lot more from this same IP address... with many different usernames, including john and pamela.
boonchuan 11-28-2004, 09:55 AM Such attacks are common; just use your iptables to block the IP and send the log to their ISP.
slice16 11-28-2004, 10:09 AM OK, I've sent the logs off to the IP.
I'm using the APF software firewall; how do I tell it to block the IP address?
astopy 11-28-2004, 10:17 AM Install BFD (from the same people who make APF, I'd link if WHT would let me...)
It works well with APF.
vidahost 11-28-2004, 03:28 PM There's no need to worry about people trying to login like this if you've got strong passwords.
And it's not worth reporting it unless they try hundreds of times or do any form of serious damage.
slice16 11-28-2004, 03:34 PM kk, thanks for all your advice... BFD is installed and the IP addys are blocked.
LoganNZ 11-29-2004, 04:03 AM Run SSH on a different port and on a certain IP; a lot of brute forcers just scan IP ranges for the SSH default port.
I have changed the SSH port and SSH binding IP and we have only had 1 brute force attack.
assistanz247 11-29-2004, 04:12 AM Check your /etc/apf/deny_hosts.rules file; those IPs [which are attempting to get into your server] will be listed, and if not, add them. Also, those IPs must be from South Asia [Chinese origin]. Do not worry, this is common.
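As an added example (not code from anyone in this thread, and not part of APF or BFD), here is the manual version of what BFD automates: tally failed SSH password attempts per source IP from raw sshd syslog lines and print the addresses that cross a threshold, ready to be appended to /etc/apf/deny_hosts.rules. The log lines are constructed for the example; the two source IPs are the ones slice16 posted.

```shell
#!/bin/sh
# Constructed sample of sshd syslog lines (not from the thread); the source IPs
# reuse the ones slice16 posted so the output lines up with his summary.
SAMPLE_LOG='Nov 28 09:40:01 host sshd[1234]: Illegal user adam from 61.221.79.115
Nov 28 09:40:01 host sshd[1234]: Failed password for illegal user adam from 61.221.79.115 port 45112 ssh2
Nov 28 09:40:03 host sshd[1235]: Failed password for adm from 61.221.79.115 port 45118 ssh2
Nov 28 09:40:05 host sshd[1236]: Failed password for adm from 61.221.79.115 port 45120 ssh2
Nov 28 09:40:07 host sshd[1237]: Failed password for illegal user alan from 61.221.79.115 port 45124 ssh2
Nov 28 09:40:09 host sshd[1238]: Failed password for apache from 61.221.79.115 port 45130 ssh2
Nov 28 09:40:11 host sshd[1239]: Failed password for illegal user backup from 61.221.79.115 port 45133 ssh2
Nov 28 09:41:10 host sshd[1240]: Failed password for admin from 194.8.222.42 port 3300 ssh2
Nov 28 09:41:12 host sshd[1241]: Failed password for admin from 194.8.222.42 port 3302 ssh2
Nov 28 09:45:00 host sshd[1242]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2'

# Print "count ip" for every source IP with failed password attempts, highest count first.
# Only "Failed password for ..." lines count; "Illegal user" and "Accepted" lines are ignored.
count_failures() {
  printf '%s\n' "$1" \
    | grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Print the IPs whose failure count is at least $2, one per line: exactly the lines
# you would append to deny_hosts.rules (or hand to APF's deny option).
deny_candidates() {
  count_failures "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Usage with the constructed sample and a threshold of 5 attempts.
count_failures "$SAMPLE_LOG"
deny_candidates "$SAMPLE_LOG" 5
```

On a real box, replace the sample with the contents of /var/log/secure or /var/log/auth.log (whichever your distribution uses) and run it from cron; with the sample data only 61.221.79.115 crosses a threshold of 5, while 194.8.222.42 stays below it. Pick the threshold with your own legitimate users in mind, since a typo-prone admin on a fixed IP can otherwise lock themselves out.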
dollar 11-29-2004, 05:06 AM I have a dev box up at FDCServers that is not even live, just used for testing out random fun things; it receives about 30 attempts a day.
WipeOut 11-29-2004, 10:20 AM Does BFD only work with APF or can it be used by itself or with other firewalls (eg shorewall)??
Tamranda_Ankit 11-29-2004, 11:06 AM Originally posted by WipeOut
Does BFD only work with APF or can it be used by itself or with other firewalls (eg shorewall)??
Never tried it, but you'd better use it with APF, else it can cause compatibility problems. It won't even work :P
Along the same lines...
Does anyone know what the difference is between "Failed logins..." and "Illegal users..." in SSHD log (see below)?
The thing that makes me wonder is illegal users... Failed logins is pretty self-explanatory.
--------------------- SSHD Begin ------------------------
Failed logins from these:
... few entries ...
Illegal users from these:
... few entries ...
---------------------- SSHD End ------------------------
Thanks,
Lamp
Tamranda_Ankit 11-29-2004, 12:07 PM Failed logins means that a user exists on the System but the password entered was wrong & the login failed.
Illegal user means that no user by this name exists on the Server.
Originally posted by Tamranda_Ankit
Failed logins means that a user exists on the System but the password entered was wrong & the login failed.
Illegal user means that no user by this name exists on the Server.
That's what I thought... but how do you explain this result then:
Failed logins from these:
admin/password from 220.130.227.160: 4 Time(s)
guest/password from 220.130.227.160: 2 Time(s)
root/password from 220.130.227.160: 6 Time(s)
test/password from 220.130.227.160: 4 Time(s)
user/password from 220.130.227.160: 2 Time(s)
Illegal users from these:
admin/none from 220.130.227.160: 4 Time(s)
admin/password from 220.130.227.160: 4 Time(s)
guest/none from 220.130.227.160: 2 Time(s)
guest/password from 220.130.227.160: 2 Time(s)
test/none from 220.130.227.160: 4 Time(s)
test/password from 220.130.227.160: 4 Time(s)
user/none from 220.130.227.160: 2 Time(s)
user/password from 220.130.227.160: 2 Time(s)
Lamp
vidahost 11-29-2004, 01:11 PM I'd guess the person was putting "admin/none" as the username.
Originally posted by vidahost
I'd guess the person was putting "admin/none" as the username.
Plausible.... didn't think about that one. :D
Hilarious.
Lamp
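Added example (not code from anyone in this thread, nor from logwatch or sshd): the summary Lamp quoted is a digest of raw sshd lines, so the cleanest way to settle "failed login or illegal user?" for a given name is to check the username against the accounts that actually exist, which is the distinction Tamranda_Ankit gave. The script below does that over constructed sshd log lines (usernames and IP follow Lamp's summary) and a constructed stand-in for /etc/passwd; sshd of that era tagged unknown names with "illegal user", which the parser accepts but does not rely on.

```shell
#!/bin/sh
# Constructed sample of the raw sshd lines behind a summary like Lamp's (not from
# the thread). sshd of that era logged "Illegal user NAME" for names it could not find.
SAMPLE_LOG='Nov 29 11:02:10 host sshd[2201]: Illegal user admin from 220.130.227.160
Nov 29 11:02:11 host sshd[2201]: Failed password for illegal user admin from 220.130.227.160 port 4021 ssh2
Nov 29 11:02:13 host sshd[2202]: Failed password for illegal user admin from 220.130.227.160 port 4022 ssh2
Nov 29 11:02:15 host sshd[2203]: Failed password for root from 220.130.227.160 port 4025 ssh2
Nov 29 11:02:20 host sshd[2204]: Illegal user guest from 220.130.227.160
Nov 29 11:02:21 host sshd[2204]: Failed password for illegal user guest from 220.130.227.160 port 4030 ssh2
Nov 29 11:03:00 host sshd[2205]: Failed password for pamela from 220.130.227.160 port 4040 ssh2'

# Constructed stand-in for /etc/passwd; on a real box use the output of `getent passwd`.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pamela:x:1001:1001::/home/pamela:/bin/bash'

# Succeeds if user $1 is an account in the passwd data $2 (exact, fixed-string match).
account_exists() {
  printf '%s\n' "$2" | cut -d: -f1 | grep -qxF -- "$1"
}

# Print "user ip verdict N time(s)" per user/IP pair. The verdict comes from the passwd
# data, not from sshd's own tag: an existing account with a wrong password is a
# failed-login, a name that is not an account is an illegal-user.
classify_attempts() {
  log=$1; passwd=$2
  printf '%s\n' "$log" \
    | sed -n 's/.*sshd\[[0-9]*\]: Failed password for \(illegal user \)\{0,1\}\([^ ]*\) from \([0-9.]*\) port.*/\2 \3/p' \
    | while read -r user ip; do
        if account_exists "$user" "$passwd"; then v=failed-login; else v=illegal-user; fi
        printf '%s %s %s\n' "$user" "$ip" "$v"
      done | sort | uniq -c | awk '{print $2, $3, $4, $1 " time(s)"}'
}

# Usage with the constructed sample.
classify_attempts "$SAMPLE_LOG" "$SAMPLE_PASSWD"
```

With the sample data, admin and guest come out as illegal-user while root and pamela come out as failed-login. Run against the real log and `getent passwd`, a name that shows up as failed-login is an account on your box that someone is guessing passwords for, which is the list worth reviewing first.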