I have quite a few entries in /var/log/messages for connection attempts. Is there anything other than ignoring them I can do? Example is below.
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Thanks,
Jerry
If your circumstances allow it, I suggest moving your sshd to a port other than 22. That stopped it for me.
Marko
On Sun, August 21, 2005 3:03 pm, Jerry Geis said:
I have quite a few entries in /var/log/messages for connection attempts. Is there anything other than ignoring them I can do? Example is below.
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Thanks,
Jerry
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Marko A. Jennings Sent: Sunday, August 21, 2005 5:07 PM To: centos@centos.org Subject: Re: [CentOS] Entries in /var/log/messages
If your circumstances allow it, I suggest moving your sshd to a port other than 22. That stopped it for me.
Marko
On Sun, August 21, 2005 3:03 pm, Jerry Geis said:
I have quite a few entries in /var/log/messages for connection attempts. Is there anything other than ignoring them I can do? Example is below.
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Thanks,
Jerry
In addition, there are options in the /etc/ssh/sshd_config file to limit allowed users, such as AllowUsers username. Also, setting PermitRootLogin no will increase safety.
On Sun, 2005-08-21 at 17:03 -0500, Jerry Geis wrote:
I have quite a few entries in /var/log/messages for connection attempts. Is there anything other than ignoring them I can do? Example is below.
There are a number of scripts (some Perl, some Python) out there to monitor the log and add an entry in hosts.deny to block any further attempts from the offending IP when too many failed password attempts are noted. You can find them with some "googling".
I am using a modified one to stop these breakin attempts on my servers.
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Thanks,
Jerry
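A minimal version of the kind of log-watching script described above, added here as an example; it is not code from the thread nor from any of the Perl/Python scripts the poster mentions. It parses sshd(pam_unix) failure lines in the format Jerry posted (the sample lines are constructed), counts failures per rhost, and produces the hosts.deny lines a threshold-based blocker would append; the threshold of 3 is an assumed value.

```python
import re
from collections import Counter

# Constructed sample in the same format as the /var/log/messages excerpt in the thread.
SAMPLE_LOG = """\
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Aug 21 15:48:23 machine sshd(pam_unix)[17905]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Aug 21 15:48:27 machine sshd(pam_unix)[17907]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Aug 21 15:49:02 machine sshd(pam_unix)[17910]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=jerry
Aug 21 15:50:11 machine sshd(pam_unix)[17912]: session opened for user jerry by (uid=0)
"""

# Only the "authentication failure" line carries rhost=; the "check pass" line does not.
FAILURE_RE = re.compile(r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(\S+)")


def count_failures(log_text):
    """Return a Counter of failed sshd logins keyed by the rhost= value (IP or reverse-DNS name)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold=3):
    """Hosts at or above the failure threshold (3 is an assumed value), sorted for stable output."""
    return sorted(h for h, n in counts.items() if n >= threshold)


def hosts_deny_lines(hosts, existing_text=""):
    """Build 'sshd : host' lines, skipping hosts already listed for sshd in the current hosts.deny."""
    existing = set()
    for line in existing_text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2 and fields[0] == "sshd":
            existing.update(c.strip() for c in fields[1].split(","))
    return [f"sshd : {h}" for h in hosts if h not in existing]


if __name__ == "__main__":
    # A real script would read /var/log/messages and append to /etc/hosts.deny instead of printing.
    for entry in hosts_deny_lines(offenders(count_failures(SAMPLE_LOG))):
        print(entry)
```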
Jerry Geis wrote:
I have quite a few entries in /var/log/messages for connection attempts. Is there anything other than ignoring them I can do? Example is below.
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
Heh. Welcome to the club. If you've got a well connected machine, and it's listening on any ports, you'll get these. I sometimes get 100-200k logwatch reports and it's all idiots trying to run dictionary attacks against ssh. It comes in waves. Some days I don't get any.
All you can really do is filter the naughty IP addresses, but that doesn't really do a whole lot of good since they rarely come from the same place twice. Back in the days when this was so common, I'd make an effort to find the netblock owner and warn them that one of their machines had been compromised, but that's not even worth the effort anymore. A lot of times, it's from some big ISP who just drops those complaints on the floor...especially if it's in the far east.
Cheers,
On 22/08/2005 13:50, Chris Mauritz wrote:
All you can really do is filter the naughty IP addresses, but that doesn't really do a whole lot of good since they rarely come from the same place twice.
Don't forget TCP wrappers - create a list of those addresses (or domains) allowed to connect to sshd in /etc/hosts.allow.
(Don't forget the DENY in /etc/hosts.deny, though.)
Mike.
Chris Mauritz wrote:
Jerry Geis wrote:
I have quite a few entries in /var/log/messages for connection attempts. Is there anything other than ignoring them I can do? Example is below.
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: check pass; user unknown
Aug 21 15:48:19 machine sshd(pam_unix)[17903]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-234-149-156.lv.lv.cox.net
If you don't have a lot of addresses that need access to ssh, you may find it easiest and best to simply do a deny all, but allow some.
--In /etc/hosts.deny add
sshd : ALL
which does the deny all part...
--Then in /etc/hosts.allow add (substituting your IP address(es))
sshd : 192.243.74. : allow
to add a whole class C. or
sshd : localhost : allow
if there is a need to use localhost or
sshd : 192.243.74.5
for a particular IP address.
Restart services as needed. I'm not sure exactly which ones need to be restarted. I normally do sshd and networking, which does do the trick, but might be more than needed.
Be careful if this is a remote machine. If you get it wrong you may lock yourself out. If you're on a dynamic IP range... as in dialup... again, care must be taken.
I find it much easier to set up allows, than to do denies. It would depend on the situation.
There are also several packages available to block attempts after 'so many bad attempts', but if your situation is simple, it's easier to just do the above.
John Hinton
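To check a hosts.allow/hosts.deny pair before applying it (the lock-out risk John warns about), here is an added simulation of the tcp_wrappers matching order; it is not code from the thread or from tcp_wrappers itself. It handles only ALL, LOCAL, trailing-dot network prefixes, leading-dot domain suffixes and literal names or addresses, ignores the option field after the second colon (such as the ": allow" in John's rules), and does not implement EXCEPT or the KNOWN/UNKNOWN/PARANOID wildcards. The sample rule text is John's; the client addresses are constructed.

```python
# John's rules from the thread, used as the sample configuration.
ALLOW_EXAMPLE = """\
sshd : 192.243.74. : allow
sshd : localhost : allow
sshd : 192.243.74.5
"""
DENY_EXAMPLE = "sshd : ALL\n"


def _parse(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients) pairs.
    Comments and the option field are dropped; IPv6 literals (which contain colons) are not handled."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2 and fields[0]:
            rules.append(([d.strip() for d in fields[0].split(",")],
                          [c.strip() for c in fields[1].split(",")]))
    return rules


def _client_match(pattern, addr, host):
    """Simplified tcp_wrappers client pattern matching."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # hostname without a dot
        return bool(host) and "." not in host
    if pattern.endswith("."):         # network prefix, e.g. 192.243.74.
        return addr.startswith(pattern)
    if pattern.startswith("."):       # domain suffix, e.g. .cox.net
        return host.endswith(pattern)
    return pattern in (addr, host)    # literal address or hostname


def _rule_matches(rules, daemon, addr, host):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(_client_match(c, addr, host) for c in clients)
               for daemons, clients in rules)


def is_allowed(allow_text, deny_text, daemon, addr, host=""):
    """tcpd order: hosts.allow first (match => allow), then hosts.deny (match => deny), else allow."""
    if _rule_matches(_parse(allow_text), daemon, addr, host):
        return True
    if _rule_matches(_parse(deny_text), daemon, addr, host):
        return False
    return True
```

Running is_allowed with an empty allow text and John's deny text shows the lock-out case: every sshd client is refused, which is what you would see after adding the deny line but before the allow lines.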
John Hinton webmaster@ew3d.com wrote:
Restart services as needed. I'm not sure exactly which ones need to be restarted. I normally do sshd and networking, which does do the trick, but might be more than needed.
All SSH 2 implementations should take a SIGHUP. They are supposed to not only re-read the configuration, but not lose any existing connections.
So try: # killall -1 sshd
Be careful if this is a remote machine. If you get it wrong you may lock yourself out.
Which is why it can't hurt to try the new configuration on an alternative port.
# sshd -p 8022
Now note you _will_ need to change things like your TCP wrappers (/etc/hosts.allow, hosts.deny) to match that port for testing. But it will at least give you an idea if the TCP wrapper and configuration changes are correct.
If it works, kill the new sshd instance and change the TCP wrapper config to the production port and try it.
I find it much easier to set up allows, than to do denies. It would depend on the situation.
Are you talking about the "AllowUsers" directive? Or TCP Wrappers? Their logic/follow-through differs greatly.
There are also several packages available to block attempts after 'so many bad attempts', but if your situation is simple, it's easier to just do the above.
If you run Internet servers regularly, it's worth the time invested to learn some basic intrusion prevention systems/solutions (IPS) like PortSentry.