Brute force SSH attacks.

I have spoken to a good few people on the matter, and one thing they consistently ask is "How do I know my server is under attack?". It is simple really: if you keep a close eye on /var/log/auth.log (on Ubuntu at least; sshd logs through syslog's auth facility, so the file name varies by distribution), you can see every login attempt on the system, successful or not. Here is an example log of a brute force attack on my very own server…

Dec 7 01:30:02 phonebox sshd[14378]: Invalid user aleph from 60.19.28.27
Dec 7 01:30:02 phonebox sshd[14378]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:30:02 phonebox sshd[14378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:30:04 phonebox sshd[14378]: Failed password for invalid user aleph from 60.19.28.27 port 16699 ssh2
Dec 7 01:30:08 phonebox sshd[14461]: Invalid user pechantal from 60.19.28.27
Dec 7 01:30:08 phonebox sshd[14461]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:30:08 phonebox sshd[14461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:30:10 phonebox sshd[14461]: Failed password for invalid user pechantal from 60.19.28.27 port 17732 ssh2
Dec 7 01:30:14 phonebox sshd[14464]: Invalid user komtemp from 60.19.28.27
Dec 7 01:30:14 phonebox sshd[14464]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:30:14 phonebox sshd[14464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:30:16 phonebox sshd[14464]: Failed password for invalid user komtemp from 60.19.28.27 port 18807 ssh2
Dec 7 01:30:20 phonebox sshd[14466]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27 user=root
Dec 7 01:30:22 phonebox sshd[14466]: Failed password for root from 60.19.28.27 port 19764 ssh2
Dec 7 01:30:54 phonebox sshd[14470]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27 user=root
Dec 7 01:30:56 phonebox sshd[14470]: Failed password for root from 60.19.28.27 port 26354 ssh2
Dec 7 01:30:59 phonebox sshd[14473]: Invalid user test from 60.19.28.27
Dec 7 01:31:00 phonebox sshd[14473]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:00 phonebox sshd[14473]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:01 phonebox sshd[14473]: Failed password for invalid user test from 60.19.28.27 port 27410 ssh2
Dec 7 01:31:05 phonebox sshd[14475]: Invalid user teste from 60.19.28.27
Dec 7 01:31:05 phonebox sshd[14475]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:05 phonebox sshd[14475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:07 phonebox sshd[14475]: Failed password for invalid user teste from 60.19.28.27 port 28724 ssh2
Dec 7 01:31:10 phonebox sshd[14477]: Invalid user teste from 60.19.28.27
Dec 7 01:31:10 phonebox sshd[14477]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:10 phonebox sshd[14477]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:12 phonebox sshd[14477]: Failed password for invalid user teste from 60.19.28.27 port 29661 ssh2
Dec 7 01:31:15 phonebox sshd[14479]: Invalid user teste from 60.19.28.27
Dec 7 01:31:16 phonebox sshd[14479]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:16 phonebox sshd[14479]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:18 phonebox sshd[14479]: Failed password for invalid user teste from 60.19.28.27 port 30627 ssh2
Dec 7 01:31:21 phonebox sshd[14482]: Invalid user pa$$w0rd from 60.19.28.27
Dec 7 01:31:22 phonebox sshd[14482]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:22 phonebox sshd[14482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:23 phonebox sshd[14482]: Failed password for invalid user pa$$w0rd from 60.19.28.27 port 31753 ssh2
Dec 7 01:31:26 phonebox sshd[14484]: Invalid user testing from 60.19.28.27
Dec 7 01:31:27 phonebox sshd[14484]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:27 phonebox sshd[14484]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:28 phonebox sshd[14484]: Failed password for invalid user testing from 60.19.28.27 port 32702 ssh2
Dec 7 01:31:32 phonebox sshd[14486]: Invalid user tst from 60.19.28.27
Dec 7 01:31:32 phonebox sshd[14486]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:32 phonebox sshd[14486]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:35 phonebox sshd[14486]: Failed password for invalid user tst from 60.19.28.27 port 33652 ssh2
Dec 7 01:31:38 phonebox sshd[14489]: Invalid user spam from 60.19.28.27
Dec 7 01:31:38 phonebox sshd[14489]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 01:31:38 phonebox sshd[14489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.19.28.27
Dec 7 01:31:40 phonebox sshd[14489]: Failed password for invalid user spam from 60.19.28.27 port 34704 ssh2

Now, there is a lot more activity in the log than this, but it should give the general idea of what to look out for: a single source address (here 60.19.28.27) working through a list of guessed usernames (test, teste, testing, tst, spam) and hammering root, with a fresh sshd process and a fresh source port for every attempt, a few seconds apart. The "Invalid user" lines mean the account does not even exist on the box; the "Failed password for root" lines mean a real account is being guessed against. If you happen to be lucky enough to have a MikroTik router, you can help slow or prevent this with some creative firewall rules. Here are the rules I am using for this, as provided in the MikroTik Wiki. They walk a source address through three short-lived address lists and drop it for ten days once it opens a fourth new connection to port 22 within the one-minute timeouts. Order matters: the router evaluates rules top to bottom, so the escalation rules are listed from the last stage to the first, and the drop rule comes before all of them. Note that the rules count new TCP connections, not failed logins, so a legitimate user who reconnects several times in a minute can blacklist themselves; put an accept rule for your own management addresses above the drop rule.

/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
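As an added example (my own code, not from the original post or the MikroTik Wiki), the script below does both halves of what this post describes: it parses the sshd "Failed password" lines out of auth.log-style text like the excerpt above, summarises them per source address, and then replays the attacker's connection times through a model of the staged address lists in the router rules above to see when 60.19.28.27 would have been blacklisted. The sample log is constructed from the excerpt plus one benign key login (192.0.2.10, user admin) to show the parser ignores it; the "five failures within 60 seconds" threshold is an arbitrary choice; the replay assumes an add-src-to-address-list rule does not end rule processing (the packet also reaches the later rules in the same pass), which you should confirm on your RouterOS version; and the "Failed password" timestamps stand in for the moment the router sees each new connection, which is really a couple of seconds earlier.

```python
"""Added example, not from the original post: detect SSH brute forcing in
auth.log-style lines and replay it through the staged MikroTik lists above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the "Failed password" lines of the excerpt plus one benign login.
SAMPLE_LOG = """\
Dec 7 01:30:04 phonebox sshd[14378]: Failed password for invalid user aleph from 60.19.28.27 port 16699 ssh2
Dec 7 01:30:10 phonebox sshd[14461]: Failed password for invalid user pechantal from 60.19.28.27 port 17732 ssh2
Dec 7 01:30:16 phonebox sshd[14464]: Failed password for invalid user komtemp from 60.19.28.27 port 18807 ssh2
Dec 7 01:30:22 phonebox sshd[14466]: Failed password for root from 60.19.28.27 port 19764 ssh2
Dec 7 01:30:56 phonebox sshd[14470]: Failed password for root from 60.19.28.27 port 26354 ssh2
Dec 7 01:31:01 phonebox sshd[14473]: Failed password for invalid user test from 60.19.28.27 port 27410 ssh2
Dec 7 01:31:07 phonebox sshd[14475]: Failed password for invalid user teste from 60.19.28.27 port 28724 ssh2
Dec 7 01:31:12 phonebox sshd[14477]: Failed password for invalid user teste from 60.19.28.27 port 29661 ssh2
Dec 7 01:31:18 phonebox sshd[14479]: Failed password for invalid user teste from 60.19.28.27 port 30627 ssh2
Dec 7 01:31:23 phonebox sshd[14482]: Failed password for invalid user pa$$w0rd from 60.19.28.27 port 31753 ssh2
Dec 7 01:31:28 phonebox sshd[14484]: Failed password for invalid user testing from 60.19.28.27 port 32702 ssh2
Dec 7 01:31:35 phonebox sshd[14486]: Failed password for invalid user tst from 60.19.28.27 port 33652 ssh2
Dec 7 01:31:40 phonebox sshd[14489]: Failed password for invalid user spam from 60.19.28.27 port 34704 ssh2
Dec 7 01:31:41 phonebox sshd[14490]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
"""

# sshd logs "Failed password for [invalid user ]<name> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(lines):
    """Return (timestamp, src_ip, user, user_is_unknown) per password failure."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # pam_unix, "Invalid user" and "Accepted" lines are skipped
            # syslog has no year; strptime fills in 1900, only spacing matters
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], bool(m["invalid"])))
    return events

def summarise(events, threshold=5, window=60):
    """Per source IP: failures, usernames tried, failures against accounts that
    do not exist, and whether `threshold` failures fell inside `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, user, unknown in events:
        by_ip[ip].append((ts, user, unknown))
    report = {}
    for ip, evs in by_ip.items():
        times = sorted(e[0] for e in evs)
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window
                    for i in range(len(times) - threshold + 1))
        report[ip] = {"failures": len(evs),
                      "users": sorted({e[1] for e in evs}),
                      "unknown_users": sum(1 for e in evs if e[2]),
                      "brute_force": burst}
    return report

# address-list-timeout values from the router rules: 1m per stage, 10d blacklist
TIMEOUT = {"ssh_stage1": 60, "ssh_stage2": 60, "ssh_stage3": 60, "ssh_blacklist": 864000}

def replay_mikrotik(conn_times):
    """Walk one source's new-connection times (seconds) through the staging rules
    in router order; return when it lands on ssh_blacklist, or None.
    Assumption: add-src-to-address-list does not end rule processing, so the
    same packet also reaches the later rules in the pass."""
    expires = {}  # address list -> time this source's entry expires
    for t in conn_times:
        if expires.get("ssh_stage3", 0) > t:          # stage3 -> blacklist
            expires["ssh_blacklist"] = t + TIMEOUT["ssh_blacklist"]
            return t                                  # the drop rule takes over
        if expires.get("ssh_stage2", 0) > t:          # stage2 -> stage3
            expires["ssh_stage3"] = t + TIMEOUT["ssh_stage3"]
        if expires.get("ssh_stage1", 0) > t:          # stage1 -> stage2
            expires["ssh_stage2"] = t + TIMEOUT["ssh_stage2"]
        expires["ssh_stage1"] = t + TIMEOUT["ssh_stage1"]  # every new connection
    return None

def blacklist_time(events, ip):
    """When the rules would have blacklisted `ip`; the failure timestamps stand in
    for the router seeing each new connection, which is really a few seconds earlier."""
    times = sorted(ts for ts, src, _, _ in events if src == ip)
    if not times:
        return None
    hit = replay_mikrotik([(t - times[0]).total_seconds() for t in times])
    return None if hit is None else times[0] + timedelta(seconds=hit)

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG.splitlines())
    print(summarise(evs))
    print("blacklisted at", blacklist_time(evs, "60.19.28.27"))
    print("slow attacker (one connection per 90 s):", replay_mikrotik([0, 90, 180, 270]))
```

Run against the excerpt, the source gets blacklisted on its fourth connection, the root attempt at 01:30:22, so the nine attempts that follow in the log would have been dropped by the router before sshd ever saw them. The slow-attacker call shows the limit of this approach: a source that spaces its connections beyond the one-minute stage timeout never climbs past ssh_stage1, and a botnet spreading guesses across many addresses never trips it at all, so the rules cut the noise rather than replace a hardened sshd configuration.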
