Thread: This was an SSH Attack?
-
07-18-2009, 10:38 PM #1 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 88
This was an SSH Attack?
My server stopped responding; I couldn't access it via Webmin or SSH, and DNS was not responding, so I had to ask for a reboot, and now everything is fine.
Looking at the logs I found this:
Code:
Jul 18 19:23:12 server sshd[18484]: Failed password for root from 61.145.196.117 port 56817 ssh2
Jul 18 19:23:12 server sshd[18485]: Failed password for root from 61.145.196.117 port 60227 ssh2
Jul 18 19:23:13 server sshd[18488]: Failed password for root from 61.145.196.117 port 38038 ssh2
Jul 18 19:23:15 server sshd[18493]: Failed password for root from 61.145.196.117 port 49884 ssh2
Jul 18 19:24:30 server sshd[18497]: Failed password for root from 61.145.196.117 port 37929 ssh2
Jul 18 19:25:06 server sshd[18521]: Did not receive identification string from 61.145.196.117
Jul 18 19:25:09 server sshd[18508]: Did not receive identification string from 61.145.196.117
Jul 18 19:25:14 server sshd[18505]: fatal: Timeout before authentication for UNKNOWN
Jul 18 19:26:00 server sshd[18509]: Did not receive identification string from 61.145.196.117
And it is flagged as an SSH attack.
Any ideas why my server stopped working, and how to prevent it?
I'm using CentOS 5.0.
Thanks--
-
07-18-2009, 10:52 PM #2 | Newbie | Join Date: May 2009 | Posts: 10
Maybe you should use APF + BFD to minimize/block SSH attacks, or try this simple script:
#!/bin/bash
# This script will monitor for failed login attempts and after a specified number of times add the IP to a deny list
# Chad
LOGFILE="/var/log/secure"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="5"
# read logfile and look for invalid login attempts;
# "uniq -c" gives "<count> <ip>", sed strips the leading blanks
grep sshd "$LOGFILE" | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n | sed "s/^[[:space:]]*//" | while
read i
do
  # read number of failed attempts
  count=`echo $i | cut -d" " -f1`
  # read ip address from failed attempt
  ip=`echo $i | cut -d" " -f2`
  # check hosts.deny file to see if IP already exists
  already=`grep "$ip" "$HOSTSDENY" | grep sshd`
  # if IP does not exist add it to hosts.deny file
  if [ -z "$already" ]
  then
    if [ "$count" -ge "$BADCOUNT" ]
    then
      echo "sshd: $ip" >> "$HOSTSDENY"
    fi
  fi
done
This script will automatically block IPs by listing them in hosts.deny; to run it, you should schedule it in cron every 1 or 2 minutes.
Last edited by defomaz; 07-18-2009 at 10:57 PM.
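An added example, not the script posted above and not anything the original poster ran: the posted script only greps "Invalid user" lines, so the "Failed password for root" attempts shown in the first post would never be counted. The version below counts both line forms per source address, emits the result in the "sshd: <ip>" form that /etc/hosts.deny uses, and appends an address only once. The function names and the sample log (documentation-range addresses) are this example's own.

```sh
#!/bin/sh
# Added example, not the script posted above: count failed SSH logins per source
# address from an OpenSSH auth log (/var/log/secure on CentOS) and emit the
# addresses that reach a threshold in the "sshd: <ip>" form /etc/hosts.deny uses.
# Matches both "Failed password for <user>" and "Invalid user <user>" lines.
# Function names and sample data are this example's own.

# Usage: failed_ssh_sources LOGFILE [THRESHOLD]
# Prints "sshd: <ip>" for every address with at least THRESHOLD failures,
# highest count first.
failed_ssh_sources() {
    logfile=$1
    threshold=${2:-5}
    awk -v limit="$threshold" '
        # sshd lines reporting a bad password or an unknown account
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { hits[$(i + 1)]++; break }
            }
        }
        END {
            for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip
        }' "$logfile" | sort -rn | awk '{ print "sshd: " $2 }'
}

# Usage: deny_once IP [HOSTSDENY]
# Appends "sshd: IP" to the hosts.deny file unless that exact line is already
# present, so repeated cron runs do not fill the file with duplicates.
deny_once() {
    ip=$1
    hostsdeny=${2:-/etc/hosts.deny}
    grep -qx "sshd: $ip" "$hostsdeny" 2>/dev/null || printf 'sshd: %s\n' "$ip" >> "$hostsdeny"
}

# Constructed sample log (documentation-range addresses, not from the thread)
# so the functions can be exercised without touching the real /var/log/secure.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 18 19:23:12 server sshd[18484]: Failed password for root from 198.51.100.7 port 56817 ssh2
Jul 18 19:23:12 server sshd[18485]: Failed password for root from 198.51.100.7 port 60227 ssh2
Jul 18 19:23:13 server sshd[18488]: Failed password for root from 198.51.100.7 port 38038 ssh2
Jul 18 19:23:15 server sshd[18493]: Failed password for root from 198.51.100.7 port 49884 ssh2
Jul 18 19:24:02 server sshd[18501]: Invalid user oracle from 203.0.113.9
Jul 18 19:24:03 server sshd[18501]: Failed password for invalid user oracle from 203.0.113.9 port 40112 ssh2
Jul 18 19:25:06 server sshd[18521]: Did not receive identification string from 198.51.100.7
Jul 18 19:26:40 server sshd[18530]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
EOF

# Stand-alone run: with a threshold of 3 only 198.51.100.7 is reported.
failed_ssh_sources "$SAMPLE_LOG" 3
```

In a cron job the loop would be `failed_ssh_sources /var/log/secure 5 | while read _ ip; do deny_once "$ip"; done`. Note that "Did not receive identification string" lines (scanners that connect and disconnect) are deliberately not counted, and that hosts.deny only helps because sshd on CentOS 5 is built against libwrap; a firewall rule blocks the traffic earlier.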
-
07-19-2009, 07:02 AM #3 | Junior Guru Wannabe | Join Date: Mar 2009 | Posts: 75
Install denyhosts <<snipped>>
Last edited by Chris_M; 09-25-2009 at 10:35 AM.
-
07-19-2009, 07:38 AM #4 | Web Hosting Master | Join Date: Apr 2003 | Location: NC | Posts: 3,093
I doubt that would take the server down. How soon after that happened did your server die? The only real concern with a brute force attack and the server crashing is if it overloads the server; the snippet you showed does not seem to indicate they were hitting the server too badly.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
07-19-2009, 08:02 AM #5 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 88
The server is down again!
-
07-19-2009, 08:04 AM #6 | Web Hosting Master | Join Date: Apr 2003 | Location: NC | Posts: 3,093
Do you know what the server load was when it died? That would give a good idea of whether it really has any chance of being related to a brute force or if you should be looking elsewhere. Running top and taking a look at it when the server crashes can be pretty helpful in an instance like the one you have now.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
07-19-2009, 08:42 AM #7 | Junior Guru Wannabe | Join Date: Jul 2003 | Posts: 88
What log files should I check out?
/var/log/messages
Code:
Jul 19 02:17:59 server ntpd[2607]: synchronized to 69.36.241.112, stratum 2
Jul 19 02:24:25 server ntpd[2607]: synchronized to 66.250.45.2, stratum 2
Jul 19 02:28:54 server kernel: [ 976.974199] ip_tables: (C) 2000-2006 Netfilter Core Team
Jul 19 02:28:56 server kernel: [ 978.725889] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Jul 19 02:35:09 server ntpd[2607]: time reset -14399.291830 s
Jul 18 22:38:42 server ntpd[2607]: synchronized to 66.250.45.2, stratum 2
Jul 18 22:43:49 server smartd[3086]: System clock time adjusted to the past. Resetting next wakeup time.
Jul 18 23:35:36 server ntpd[2607]: synchronized to 69.36.241.112, stratum 2
Jul 18 23:43:45 server named[2271]: lame server resolving '248.5.200.220.in-addr.arpa' (in '5.200.220.in-addr.arpa'?): 211.97.104.129#53
Jul 18 23:43:46 server last message repeated 5 times
Jul 18 23:47:20 server ntpd[2607]: synchronized to 66.250.45.2, stratum 2
Jul 19 00:18:37 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
Jul 19 00:18:37 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
Jul 19 00:18:38 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
Jul 19 00:18:39 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
Jul 19 00:18:39 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
Jul 19 00:18:40 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
Jul 19 00:18:40 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
Jul 19 00:18:41 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
Jul 19 00:18:41 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
Jul 19 00:18:41 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
Jul 19 00:18:42 server named[2271]: unexpected RCODE (REFUSED) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.10#53
Jul 19 00:18:42 server named[2271]: unexpected RCODE (SERVFAIL) resolving '19.107.69.118.in-addr.arpa/PTR/IN': 210.245.31.130#53
Jul 19 00:57:32 server named[2271]: unexpected RCODE (REFUSED) resolving '164.25.230.80.in-addr.arpa/PTR/IN': 193.0.0.193#53
Jul 19 00:57:33 server named[2271]: lame server resolving '164.25.230.80.in-addr.arpa' (in '25.230.80.in-addr.arpa'?): 192.116.192.9#53
Jul 19 00:58:28 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
Jul 19 00:58:28 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
Jul 19 00:58:28 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
Jul 19 00:58:29 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
Jul 19 00:58:29 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
Jul 19 00:58:30 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
Jul 19 00:58:30 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
Jul 19 00:58:31 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
Jul 19 00:58:31 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
Jul 19 00:58:32 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
Jul 19 00:58:32 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 203.130.196.5#53
Jul 19 00:58:33 server named[2271]: lame server resolving '182.206.96.118.in-addr.arpa' (in '206.96.118.in-addr.arpa'?): 202.134.0.62#53
Jul 19 01:16:02 server named[2271]: lame server resolving '60.12.11.116.in-addr.arpa' (in '12.11.116.in-addr.arpa'?): 202.103.224.70#53
Jul 19 12:26:06 server syslogd 1.4.1: restart.
--
-
07-19-2009, 07:49 PM #8 | Junior Guru | Join Date: Mar 2009 | Posts: 245
There are some IP bots which scan all over the internet trying to access SSH; I saw this in the log on one machine. That's why I disabled SSH for all except my own IP, and it seems the server works better now. To detect what exactly is causing the server to go down, you will need to monitor with the top command constantly to see which process is very active.
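Posts #6 and #8 both say the missing piece is knowing the load and the busy processes at the moment the box dies, which nobody can watch in top around the clock. The following is an added example, not from any poster in this thread: a small cron-driven snapshot script that records the load average and the top CPU consumers every minute, so the last entries before an outage show what the server was doing. The script path, log path, column choice and defaults are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): record the load average and the busiest
# processes at a fixed interval so that, when the box stops responding again,
# the last few snapshots show what it was doing. Meant to be run from cron:
#   * * * * * /usr/local/sbin/load_snapshot.sh >> /var/log/load_snapshot.log
# The script path, log path and the defaults below are this example's choices.

# Usage: load_snapshot [TOP_N]
# Prints one timestamped snapshot: the load averages and the TOP_N processes
# ranked by CPU. Output goes to stdout so the caller decides where to keep it.
load_snapshot() {
    top_n=${1:-5}
    printf '=== %s ===\n' "$(date '+%Y-%m-%d %H:%M:%S')"
    # /proc/loadavg holds the 1/5/15-minute load, running/total tasks, last PID
    if [ -r /proc/loadavg ]; then
        printf 'loadavg: %s\n' "$(cat /proc/loadavg)"
    else
        printf 'loadavg: %s\n' "$(uptime)"
    fi
    echo "PID USER %CPU VSZ COMMAND"
    # POSIX ps columns; drop the header, sort by %CPU descending, keep TOP_N rows
    ps -eo pid,user,pcpu,vsz,args | sed 1d | sort -k3,3 -rn | head -n "$top_n"
}

# Usage: load_is_high LOADAVG_LINE THRESHOLD
# Succeeds when the 1-minute load in a /proc/loadavg-style line is at or above
# THRESHOLD; a cron wrapper can use it to mail the snapshot out instead of only
# appending it to the log.
load_is_high() {
    one_min=${1%% *}
    awk -v l="$one_min" -v t="$2" 'BEGIN { exit !(l + 0 >= t + 0) }'
}

# Stand-alone run: one snapshot with the three busiest processes.
load_snapshot 3
```

Pair it with a log rotation rule so the file does not grow unbounded, and compare the loadavg line against the number of CPU cores: a sustained 1-minute load well above the core count, with sshd processes dominating the process list, would point at the brute force; a high load with something else on top, or a normal load right up to the outage, points elsewhere (the NTP time reset and the DNS errors in the messages log above are worth the same kind of before-and-after look).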
-
07-19-2009, 09:27 PM #9 | Web Hosting Master | Join Date: Nov 2001 | Location: Vancouver | Posts: 2,422
Bots attempting login don't present much of a load, not in my experience. Provided you do not support password logins, their attempts are futile.
Then again, the pf firewall configuration on our public-facing machines automatically and reliably punts these "people" to oblivion after a few attempts. They get no access: not ssh, web, mail, etc. I do this partly for security, partly for tighter logs.
"Even those who arrange and design shrubberies are under considerable economic stress at this period in history."
-
07-20-2009, 11:26 AM #10 | Web Hosting Master | Join Date: Dec 2000 | Location: The Woodlands, Tx | Posts: 5,974
All I have seen posted above is pretty usual. Bots try millions of times a day across all the servers I handle. They are scanning usual usernames and various commonly used passwords. They will be found in the logs of almost any Linux box on the internet. There is something else going on that is taking your machine down.
What could it be? I don't know, not my machine. It could be something as simple as an IP conflict, net port going out, etc., etc. Does the machine just go offline? Or does it have an error onscreen when the DC tech goes to reboot it?
-
07-20-2009, 11:33 AM #11 | Randy | Join Date: Aug 2006 | Location: Ashburn VA, San Diego CA | Posts: 4,615
To stop the bot scanners, install CSF+BFD and some mod_security rules, and call it a day as you watch your ban list grow by the hour.
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
07-20-2009, 12:48 PM #12 | Support Facility | Join Date: Jun 2009 | Posts: 2,335
CSF and LFD are very easy to install and configure, especially if you are using a cPanel & WHM server.
-
07-22-2009, 07:14 AM #13 | Aspiring Evangelist | Join Date: Oct 2007 | Location: India | Posts: 431
Install fail2ban and configure it to block hosts who try to brute-force SSH.
Also configure your iptables to limit the number of requests/sec coming into SSH.
"For I know the plans I have for you" declares our Lord Jesus Christ, "they are plans to prosper you, to give you a hope and a future and not to destroy you." - Jeremiah 29:11
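The iptables rate limit suggested above, written out as an added example that is not from this poster or any tool in the thread: a per-source limit on new SSH connections using the "recent" match, which accepts the first few connection attempts from an address within a window and drops the rest. The chain name, list name, log prefix and defaults (port 22, 4 attempts per 60 seconds) are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the thread: per-source rate limit for new SSH
# connections with the iptables "recent" match. Chain name, list name and the
# defaults (port 22, 4 connection attempts per 60 seconds) are this example's
# choices; adjust them to the box.

# Usage: ssh_ratelimit_rules [PORT] [HITS] [SECONDS]
# Prints the iptables commands without running them, so they can be reviewed
# before being applied. The "#" lines are kept in the output as documentation.
ssh_ratelimit_rules() {
    port=${1:-22}
    hits=${2:-4}
    seconds=${3:-60}
    cat <<EOF
# Dedicated chain so the rules can be flushed or inspected on their own
iptables -N SSH_RATELIMIT
# Only new connections to the SSH port are rate-limited; established sessions
# are expected to be accepted by an existing ESTABLISHED,RELATED rule
iptables -A INPUT -p tcp --dport $port -m state --state NEW -j SSH_RATELIMIT
# --rcheck tests "at least HITS attempts in the last SECONDS" without adding
# a hit, so the drop can be logged exactly once per attempt
iptables -A SSH_RATELIMIT -m recent --name ssh_bf --rcheck --seconds $seconds --hitcount $hits -j LOG --log-prefix "ssh-ratelimit: "
# --update makes the same test and refreshes the timestamp, so a source that
# keeps hammering stays blocked until it pauses for SECONDS
iptables -A SSH_RATELIMIT -m recent --name ssh_bf --update --seconds $seconds --hitcount $hits -j DROP
# Under the limit: record the attempt and let the connection through
iptables -A SSH_RATELIMIT -m recent --name ssh_bf --set -j ACCEPT
EOF
}

# Usage: ssh_ratelimit_apply [PORT] [HITS] [SECONDS]
# Runs the generated commands (needs root). Refuses to add the chain twice.
ssh_ratelimit_apply() {
    if iptables -nL SSH_RATELIMIT >/dev/null 2>&1; then
        echo "SSH_RATELIMIT chain already exists; not adding duplicate rules" >&2
        return 1
    fi
    ssh_ratelimit_rules "$@" | sh -e
}

# Stand-alone run: show the rules for the defaults without applying them.
ssh_ratelimit_rules
```

Review the output, then run `ssh_ratelimit_apply` as root and persist it on CentOS with `service iptables save`. Two practical points: accept your own management address earlier in INPUT so a mistyped password cannot lock you out, and remember that the recent match keeps at most `ip_pkt_list_tot` timestamps per address (20 by default on older kernels), so `--hitcount` values above that are silently ineffective. The dropped attempts appear in the kernel log under the `ssh-ratelimit:` prefix, which gives a cleaner signal than the sshd failures alone.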