  1. #1

    This was an SSH Attack?

    My server stopped responding, I couldn't access it via webmin or ssh, and DNS was not responding, so I had to ask for a reboot and now everything is fine.

    Looking at the logs I found this:

    Code:
    Jul 18 19:23:12 server sshd[18484]: Failed password for root from 61.145.196.117 port 56817 ssh2
    Jul 18 19:23:12 server sshd[18485]: Failed password for root from 61.145.196.117 port 60227 ssh2
    Jul 18 19:23:13 server sshd[18488]: Failed password for root from 61.145.196.117 port 38038 ssh2
    Jul 18 19:23:15 server sshd[18493]: Failed password for root from 61.145.196.117 port 49884 ssh2
    Jul 18 19:24:30 server sshd[18497]: Failed password for root from 61.145.196.117 port 37929 ssh2
    Jul 18 19:25:06 server sshd[18521]: Did not receive identification string from 61.145.196.117
    Jul 18 19:25:09 server sshd[18508]: Did not receive identification string from 61.145.196.117
    Jul 18 19:25:14 server sshd[18505]: fatal: Timeout before authentication for UNKNOWN
    Jul 18 19:26:00 server sshd[18509]: Did not receive identification string from 61.145.196.117
    And searching that IP on Google I found it here: http://www.tcc.edu.tw/netbase/net/in...?fun=240&prd=3
    And it is flagged as an SSH attack.

    Any ideas why my server stopped working? And how to prevent it?

    I'm using CentOS 5.0
    Thanks

  2. #2
    Maybe you should use apf + bfd to minimize/block SSH attacks, or try this simple script:

    Code:
    #!/bin/bash
    # This script will monitor for failed login attempts and after a specified number of times add the ip to a deny list
    # Chad
    LOGFILE="/var/log/secure"
    HOSTSDENY="/etc/hosts.deny"
    BADCOUNT="5"
    # read logfile and look for invalid login attempts; the IP is the last field of each "Invalid user" line
    # uniq -c prefixes each line with a count, sed strips the leading whitespace so cut can split on a single space
    grep sshd "$LOGFILE" | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n | sed "s/^[[:space:]]*//" | while read i
    do
    # read number of failed attempts
    count=`echo "$i" | cut -d" " -f1`
    # read ip address from failed attempt
    ip=`echo "$i" | cut -d" " -f2`
    # check hosts.deny file to see if IP already exists (-F literal, -w whole word, so 1.2.3.4 does not match 1.2.3.45)
    already=`grep -F -w "$ip" "$HOSTSDENY" | grep sshd`
    # if IP does not exist add it to hosts.deny file
    if [ -z "$already" ]
    then
    if [ "$count" -ge "$BADCOUNT" ]
    then
    echo "sshd: $ip" >> "$HOSTSDENY"
    fi
    fi
    done

    This script will automatically block the IP and list it in hosts.deny; to run it you should schedule it in cron every 1 or 2 minutes.
    Last edited by defomaz; 07-18-2009 at 10:57 PM.
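    The script above only matches "Invalid user" lines, so it would never count the "Failed password for root" entries shown in the first post. As an added example that is not part of this thread, here is the same idea in Python, run over constructed log lines in the first post's format: it counts "Failed password", "Invalid user" and "Did not receive identification string" events per source address, and skips addresses already listed on an sshd: line of hosts.deny. The sample log, the sample hosts.deny text and the threshold of 5 are assumptions.

    ```python
    import re
    from collections import Counter

    # sshd messages seen in /var/log/secure: the forms quoted in the first post plus "Invalid user"
    PATTERNS = [
        re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"),
        re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)"),
        re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)"),
    ]

    def count_failures(log_lines):
        """Return a Counter of failed-authentication events per source IP."""
        counts = Counter()
        for line in log_lines:
            for pat in PATTERNS:
                m = pat.search(line)
                if m:
                    counts[m.group(1)] += 1
                    break
        return counts

    def already_denied(hosts_deny_text):
        """Set of IPs already listed on 'sshd:' lines of an existing hosts.deny."""
        denied = set()
        for line in hosts_deny_text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line.startswith("sshd:"):
                denied.update(ip.strip() for ip in line[len("sshd:"):].split(","))
        return denied

    def new_deny_lines(log_lines, hosts_deny_text, bad_count=5):
        """hosts.deny lines for IPs at or above bad_count that are not already denied."""
        denied = already_denied(hosts_deny_text)
        counts = count_failures(log_lines)
        return ["sshd: %s" % ip for ip, n in sorted(counts.items())
                if n >= bad_count and ip not in denied]

    # Constructed sample log in the format of the first post (documentation addresses, not real data).
    SAMPLE_LOG = """\
    Jul 18 19:23:12 server sshd[18484]: Failed password for root from 192.0.2.10 port 56817 ssh2
    Jul 18 19:23:12 server sshd[18485]: Failed password for root from 192.0.2.10 port 60227 ssh2
    Jul 18 19:23:13 server sshd[18488]: Failed password for root from 192.0.2.10 port 38038 ssh2
    Jul 18 19:23:15 server sshd[18493]: Invalid user admin from 192.0.2.10
    Jul 18 19:25:06 server sshd[18521]: Did not receive identification string from 192.0.2.10
    Jul 18 19:25:20 server sshd[18530]: Failed password for invalid user test from 198.51.100.7 port 4022 ssh2
    Jul 18 19:26:00 server sshd[18540]: Accepted publickey for deploy from 203.0.113.5 port 50022 ssh2
    """.splitlines()
    SAMPLE_HOSTS_DENY = "sshd: 198.51.100.7\n"   # constructed: one address already blocked
    ```

    Calling new_deny_lines(SAMPLE_LOG, SAMPLE_HOSTS_DENY) yields only the 192.0.2.10 entry: 198.51.100.7 is already denied and the successful key login is not counted.
    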

  3. #3
    Install denyhosts <<snipped>>
    Last edited by Chris_M; 09-25-2009 at 10:35 AM.

  4. #4
    I doubt that would take the server down. How soon after that happened did your server die? The only real concern with a brute force attack and the server crashing is if it overloads the server - the snippet you showed does not seem to indicate they were hitting the server too badly.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  5. #5
    The server is down again!

  6. #6
    Do you know what the server load was when it died? That would give a good idea of whether it really has any chance of being related to a brute force or if you should be looking elsewhere. Running top and taking a look at it when the server crashes can be pretty helpful in an instance like you have now.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  7. #7
    What log files should I check out?

    /var/log/messages
    Code:
    Jul 19 02:17:59 server ntpd[2607]: synchronized to 69.36.241.112, stratum 2
    Jul 19 02:24:25 server ntpd[2607]: synchronized to 66.250.45.2, stratum 2
    Jul 19 02:28:54 server kernel: [  976.974199] ip_tables: (C) 2000-2006 Netfilter Core Team
    Jul 19 02:28:56 server kernel: [  978.725889] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
    Jul 19 02:35:09 server ntpd[2607]: time reset -14399.291830 s
    Jul 18 22:38:42 server ntpd[2607]: synchronized to 66.250.45.2, stratum 2
    Jul 18 22:43:49 server smartd[3086]: System clock time adjusted to the past. Resetting next wakeup time. 
    Jul 18 23:35:36 server ntpd[2607]: synchronized to 69.36.241.112, stratum 2
    Jul 18 23:43:45 server named[2271]: lame server resolving '248.5.200.220.in-addr.arpa' (in '5.200.220.in-addr.arpa'?): 211.97.104.129#53
    Jul 18 23:43:46 server last message repeated 5 times
    Jul 18 23:47:20 server ntpd[2607]: synchronized to 66.250.45.2, stratum 2
    Jul 19 00:18:37 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
    Jul 19 00:18:37 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
    Jul 19 00:18:38 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
    Jul 19 00:18:39 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
    Jul 19 00:18:39 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
    Jul 19 00:18:40 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
    Jul 19 00:18:40 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
    Jul 19 00:18:41 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
    Jul 19 00:18:41 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
    Jul 19 00:18:41 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
    Jul 19 00:18:42 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
    Jul 19 00:18:42 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
    Jul 19 00:57:32 server named[2271]: unexpected RCODE (REFUSED) resolving '164.25.230.80.in-addr.arpa/PTR/IN': 193.0.0.193#53
    Jul 19 00:57:33 server named[2271]: lame server resolving '164.25.230.80.in-addr.arpa' (in '25.230.80.in-addr.arpa'?): 192.116.192.9#53
    Jul 19 00:58:28 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
    Jul 19 00:58:28 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
    Jul 19 00:58:28 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
    Jul 19 00:58:29 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
    Jul 19 00:58:29 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
    Jul 19 00:58:30 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
    Jul 19 00:58:30 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
    Jul 19 00:58:31 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
    Jul 19 00:58:31 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
    Jul 19 00:58:32 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
    Jul 19 00:58:32 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
    Jul 19 00:58:33 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
    Jul 19 01:16:02 server named[2271]: lame server resolving '60.12.11.116.in-addr.arpa' (in '12.11.116.in-addr.arpa'?): 202.103.224.70#53
    Jul 19 12:26:06 server syslogd 1.4.1: restart.

  8. #8
    There are some IP bots which scan all over the internet trying to access SSH; I saw this in the log on one machine. That's why I disabled SSH for all except my own IP, and it seems the server works better now. To detect what exactly is causing the server to go down, you will need to monitor with the top command constantly to see which process is very active.

  9. #9
    Bots attempting login don't present much of a load, not in my experience. Provided you do not support password logins, their attempts are futile.

    Then again the pf firewall configuration on our public facing machines automatically and reliably punts these "people" to oblivion after a few attempts. They get no access, not ssh, web, mail, etc... I do this partly for security, partly for tighter logs.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  10. #10
    All I have seen posted above is pretty usual. Bots try millions of times a day across all the servers I handle. They are scanning usual usernames and various commonly used passwords. They will be found in the logs of almost any Linux box on the internet. There is something else going on that is taking your machine down.

    What could it be? I don't know, not my machine. It could be something as simple as an IP conflict, a net port going out, etc, etc. Does the machine just go offline? Or does it have an error onscreen when the DC tech goes to reboot it?

  11. #11
    To stop the bot scanners, install CSF+BFD, some mod_security rules, and call it a day as you watch your ban list grow by the hour.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  12. #12
    CSF and LFD are very easy to install and to configure, especially if you are using a cPanel & WHM server.
    SUPPORT FACILITY | 24/7 TECH SUPPORT
    SERVER MANAGEMENT | WEB HOSTING SUPPORT | WP EXPERTS

  13. #13
    Install fail2ban and configure it to block hosts who try to brute force SSH.

    Also configure your iptables to limit the number of requests/sec coming into SSH.
    "For I know the plans I have for you" declares our Lord Jesus Christ, "they are plans to prosper you, to give you a hope and a future and not to destroy you." - Jeremiah 29:11
