
11-24-2007, 03:41 AM
Newbie
Join Date: Nov 2007
Posts: 10
brute force UDP attack on SSH port.. possible/why?
Hi, my server is being brute force attacked at port 22.. It caused my server to be blocked by my ISP's upstream...
At first I followed the instructions on this forum, showthread.php?t=456571 (can't post link),
but then I realized (from the upstream's email, I don't have access to any log on their side) that it was UDP.. not TCP.. but it was said to be a brute force attack on the SSH port.
Now all I did was move the ssh port.. and then limit the max connections per minute to port 22/UDP like on the above tutorial page..
Is that enough? I can't use IPTables to permit specific IPs, I'm pretty much very mobile so my own IP is different each time.
Any ideas why a UDP attack?
Is it possible that a brute force attack turned out to use the UDP protocol? Cause if it's not, then I think my ISP/its upstream can't be trusted..
Thanks for any info..
PS. Sorry for bad English.. and no smilies..

11-24-2007, 03:54 AM
Web Hosting Master
Join Date: Oct 2004
Location: Kerala, India
Posts: 4,617
You can get the udp connection details of your server with the following command.
Code:
netstat -plan | grep udp
You can install the firewall program APF and block the udp ports in the APF conf as follows, allowing port 53 for named, which uses the udp protocol.
Code:
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
__________________
David | www.cliffsupport.com
Affordable Server Management Solutions sales AT cliffsupport DOT com
iWebManager | Access WHM from iPhone and Android

11-24-2007, 05:20 AM
Greece
Join Date: Jan 2004
Location: Greece
Posts: 2,039
UDP is used for dns, not for an ssh2 brute force attack, which uses TCP connections. Why does your upstream disconnect your server if it's attacked? Every linux/unix server connected to the internet is attacked with ssh2 brute force attacks.

11-24-2007, 05:50 AM
Newbie
Join Date: Nov 2007
Posts: 10
Quote:
Originally Posted by CretaForce
UDP is used for dns, not for an ssh2 brute force attack, which uses TCP connections. Why does your upstream disconnect your server if it's attacked? Every linux/unix server connected to the internet is attacked with ssh2 brute force attacks.
They said that the attack flooded their network. But I don't really think an attack on my server, which has small bandwidth, can do that.
I'm actually very much a newbie in these things, so I welcome any idea, cause I'm really confused about what to do.
Right now I'm looking into APF, suggested by david510 (thanks).

11-24-2007, 08:27 AM
Greece
Join Date: Jan 2004
Location: Greece
Posts: 2,039
Filtering ssh2 brute force attacks is a good idea but it will not help. The question is why the provider disconnected your server. Are you sure they said that someone is trying to brute force your server's accounts, and not that your server is running the brute force program and trying to brute force other servers?

11-24-2007, 08:38 AM
Newbie
Join Date: Nov 2007
Posts: 10
Yes, I'm very sure; I wouldn't misunderstand it if they said my server was running the brute force program <g>..
Also my auth.log has a lot of SSHD Failed password entries.. which I consider quite normal, and good, cause that means my users' passwords are good.
So the provider claimed that the UDP flood caused problems in their network.. so they had to block me.. I'm asking for a full report about this attack, dunno if I will get it or not.

11-24-2007, 08:45 AM
Greece
Join Date: Jan 2004
Location: Greece
Posts: 2,039
Code:
Nov 23 03:02:30 server1 sshd[79259]: Invalid user ts from 66.79.163.110
Nov 23 03:02:30 server1 sshd[79258]: Invalid user ts from 66.79.163.110
Nov 23 03:02:31 server1 sshd[79262]: Invalid user ts from 66.79.163.110
Nov 23 03:02:31 server1 sshd[79263]: Invalid user ts from 66.79.163.110
Nov 23 03:02:31 server1 sshguard[70129]: Blocking 66.79.163.110: 4 failures over 1 seconds.
Nov 23 04:02:00 server1 sshd[81567]: Invalid user staff from 216.143.153.91
Nov 23 04:02:00 server1 sshd[81568]: Invalid user staff from 216.143.153.91
Nov 23 04:02:01 server1 sshd[81574]: Invalid user sales from 216.143.153.91
Nov 23 04:02:01 server1 sshd[81573]: Invalid user sales from 216.143.153.91
Nov 23 04:02:01 server1 sshguard[70129]: Blocking 216.143.153.91: 4 failures over 1 seconds.
That is from my logs. We get many ssh2 attacks daily and we use sshguard to block them using ipfw (the FreeBSD firewall). Before we set up sshguard we got more than 150-200 such lines daily per server.

11-24-2007, 08:57 AM
Newbie
Join Date: Nov 2007
Posts: 10
Quote:
Originally Posted by CretaForce
Code:
Nov 23 03:02:30 server1 sshd[79259]: Invalid user ts from 66.79.163.110
Nov 23 03:02:30 server1 sshd[79258]: Invalid user ts from 66.79.163.110
Nov 23 03:02:31 server1 sshd[79262]: Invalid user ts from 66.79.163.110
Nov 23 03:02:31 server1 sshd[79263]: Invalid user ts from 66.79.163.110
Nov 23 03:02:31 server1 sshguard[70129]: Blocking 66.79.163.110: 4 failures over 1 seconds.
Nov 23 04:02:00 server1 sshd[81567]: Invalid user staff from 216.143.153.91
Nov 23 04:02:00 server1 sshd[81568]: Invalid user staff from 216.143.153.91
Nov 23 04:02:01 server1 sshd[81574]: Invalid user sales from 216.143.153.91
Nov 23 04:02:01 server1 sshd[81573]: Invalid user sales from 216.143.153.91
Nov 23 04:02:01 server1 sshguard[70129]: Blocking 216.143.153.91: 4 failures over 1 seconds.
That is from my logs. We get many ssh2 attacks daily and we use sshguard to block them using ipfw (the FreeBSD firewall). Before we set up sshguard we got more than 150-200 such lines daily per server.
Yes, I got the very same entries; someone even tried for 5 hours straight.
Code:
Nov 18 23:52:15 obuku sshd[10386]: Failed password for invalid user nagios from 163.239.22.220 port 46267 ssh2
Nov 18 23:52:16 obuku sshd[10388]: Invalid user nagios from 163.239.22.220
Nov 18 23:52:16 obuku sshd[10388]: (pam_unix) check pass; user unknown
Nov 18 23:52:16 obuku sshd[10388]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=as07220.sogang.ac.kr
Nov 18 23:52:17 obuku sshd[10389]: Invalid user jada from 89.121.210.4
Nov 18 23:52:17 obuku sshd[10389]: (pam_unix) check pass; user unknown
Nov 18 23:52:17 obuku sshd[10389]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.121.210.4
Nov 18 23:52:18 obuku sshd[10388]: Failed password for invalid user nagios from 163.239.22.220 port 46624 ssh2
Nov 18 23:52:19 obuku sshd[10389]: Failed password for invalid user jada from 89.121.210.4 port 52834 ssh2
Nov 18 23:52:19 obuku sshd[10392]: Invalid user backuppc from 163.239.22.220
Nov 18 23:52:19 obuku sshd[10392]: (pam_unix) check pass; user unknown
Nov 18 23:52:19 obuku sshd[10392]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=as07220.sogang.ac.kr
Nov 18 23:52:22 obuku sshd[10392]: Failed password for invalid user backuppc from 163.239.22.220 port 46972 ssh2
Nov 18 23:52:22 obuku sshd[10394]: Invalid user kendall from 89.121.210.4
Nov 18 23:52:22 obuku sshd[10394]: (pam_unix) check pass; user unknown
I'll install sshguard now. Ok, that's for the ssh brute force..
Is there any solution for the udp flood? I mean if the party responsible for it decides to flood me again, I'm down again. I feel so helpless.
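The sshguard and fail2ban approach discussed in this thread amounts to one rule: count sshd failures per source address and block an address once it crosses a threshold inside a short window. The following is an added example written for this thread (not sshguard's or fail2ban's code) that applies that rule to the auth.log lines quoted above; the sample log is constructed from those lines, and the threshold of 4 failures within 10 seconds is an assumed default, not a value from either tool.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the sshd lines quoted in this thread, with the
# pam_unix noise lines left out (they carry no address in a fixed place).
SAMPLE_LOG = """\
Nov 18 23:52:15 obuku sshd[10386]: Failed password for invalid user nagios from 163.239.22.220 port 46267 ssh2
Nov 18 23:52:16 obuku sshd[10388]: Invalid user nagios from 163.239.22.220
Nov 18 23:52:17 obuku sshd[10389]: Invalid user jada from 89.121.210.4
Nov 18 23:52:18 obuku sshd[10388]: Failed password for invalid user nagios from 163.239.22.220 port 46624 ssh2
Nov 18 23:52:19 obuku sshd[10389]: Failed password for invalid user jada from 89.121.210.4 port 52834 ssh2
Nov 18 23:52:19 obuku sshd[10392]: Invalid user backuppc from 163.239.22.220
Nov 18 23:52:22 obuku sshd[10392]: Failed password for invalid user backuppc from 163.239.22.220 port 46972 ssh2
Nov 18 23:52:22 obuku sshd[10394]: Invalid user kendall from 89.121.210.4
"""

# Both sshd failure forms seen in the thread: "Invalid user X from IP" and
# "Failed password for [invalid user] X from IP port N ssh2".
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(text):
    """Yield (timestamp, source_ip) for each sshd failure line; other lines are skipped.
    Syslog stamps carry no year, so timestamps are only compared relative to each other."""
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")


def find_offenders(text, threshold=4, window_seconds=10):
    """Sliding-window rule: an IP is blocked at the moment its `threshold`-th failure
    lands within `window_seconds` of the oldest one still in the window.
    Returns {ip: (block_time, failures_in_window)}; an IP is reported once."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in parse_failures(text):
        if ip in blocked:
            continue
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that aged out of the window
        if len(window) >= threshold:
            blocked[ip] = (ts, len(window))
    return blocked


if __name__ == "__main__":
    for ip, (when, n) in sorted(find_offenders(SAMPLE_LOG).items()):
        print(f"Blocking {ip}: {n} failures by {when:%H:%M:%S}")
```

With the assumed threshold only 163.239.22.220 is blocked (4 failures between 23:52:15 and 23:52:19); 89.121.210.4 stays under it with 3, which is the trade-off any such threshold makes between catching the attacker quickly and not blocking a user who mistyped a password a few times.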

11-24-2007, 10:15 AM
WHT Addict
Join Date: Apr 2004
Posts: 147
__________________
Code goes in and code comes out..

11-24-2007, 11:39 AM
The Guru!
Join Date: Nov 2007
Location: Chennai, India
Posts: 2,300
See this thread: http://www.webhostingtalk.com/showthread.php?t=651496
I have posted about a security software there. That should really help you a lot. My friend is one of the developers. It works very well.

11-24-2007, 02:31 PM
Newbie
Join Date: Nov 2007
Posts: 10
I finally decided to install fail2ban.. since it covers more than just ssh (CMIIW)..
thanks all..

11-25-2007, 12:13 PM
WHT Addict
Join Date: Apr 2004
Posts: 147
Nice to hear. So tell us then how it went...
__________________
Code goes in and code comes out..

11-26-2007, 01:01 AM
Newbie
Join Date: Nov 2007
Posts: 10
Since I combined installing fail2ban with:
- changing my ssh port.
- limiting connections to port 22 to 4 per minute.
- harassing any IP I found in my auth.log to check their servers (hey.. it's also for their own good)
I haven't had a single brute force attack in my auth.log till now.. the fail2ban.log is clean till now.

11-27-2007, 04:30 AM
Newbie
Join Date: Jul 2007
Posts: 21
Fail2ban seems better than BFD/cPanel Hulk then?