[CentOS] Failed attempts

Mon Nov 27 21:11:21 UTC 2017
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Mon, November 27, 2017 1:02 pm, m.roth at 5-cent.us wrote:
> Pete Biggs wrote:
>> On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
>>> hi All,
>>>
>>> I happened to login to one of my servers today and saw 96000 failed
>>> login attempts. Shown below is the address it's coming from. I added it
>>> to my firewall to drop.
>>>
>>> Failed password for root from 123.183.209.135 port 14299 ssh2
>>>
>>> FYI - others might be seeing it also.
>>>
>> As others have said, it's normal: dictionary based brute forcing of
>> root; and no surprise that that IP is based in China. Welcome to the
>> Internet.
>
> As opposed to, say, Brazil (yes, for some reason, a lot hit us from
> there).

(In addition to what others mentioned) I see a lot originating from
Russia, Romania, India, Japan. (One might be surprised about Japan,
but I figure they do not use many professional sysadmins, as people on
average are very smart there... hence the net result ;-)

Valeri

>>
>> Primarily you need to make sure your root password is strong so it
>> isn't vulnerable to this sort of attack. If it is, then the most nasty
>> thing about this sort of thing is that your logs fill up.
>>
>> For your sanity then you can do the following:
>>
>>   - disallow ssh root logins by password (login as an unprivileged user
>>  or use keys)
>
> If you're not doing the above, you should start doing that... about 10
> years ago. Disallow root login except via keys this very minute, and do it
> everywhere.
>>
>>   - run something like fail2ban which will block a host for a
>> predetermined amount of time after a number of failures.
>
> We've been running fail2ban at work for a good bunch of years, and I run
> it at home. It's good, and std. repo.
>>
>>   - don't run ssh on 22, use a different port.  (Things get a lot
>> quieter when you do that, but it comes with its own problems and don't
>> get complacent because someone will find the port eventually.)
>
> I consider that pointless security-through-obscurity.
>>
>>   - if you only have a limited number of hosts or subnets logging in to
>> your machine, adjust the firewall so that only they are allowed
>> through.
>
> Yep. And iptables rules are not that big a deal to write.
>
>          mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
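The thread above recommends counting failures per source address (what fail2ban does), blocking repeat offenders with iptables, and turning off root password logins in sshd_config. The following shell script is an added example, not code from the thread or from fail2ban; it tallies "Failed password" lines per address from a constructed sample of /var/log/secure lines (the 123.183.209.135 address is the one Jerry reported, the others are documentation ranges), prints the iptables DROP rules for addresses over a threshold instead of applying them, and checks an sshd_config fed on stdin for PermitRootLogin and PasswordAuthentication. It assumes only sh, awk and sort; the sample log, the threshold of 3 and the function names are my choices.

```shell
#!/bin/sh
# Added example (not from the thread): tally "Failed password" lines per
# source address, the way fail2ban decides whom to block, and check that
# sshd_config disables root/password logins. Needs only sh, awk and sort.

# Constructed sample of /var/log/secure lines; 123.183.209.135 is the address
# reported in the thread, the other two are documentation ranges.
SAMPLE_LOG='Nov 27 12:01:01 host sshd[1234]: Failed password for root from 123.183.209.135 port 14299 ssh2
Nov 27 12:01:02 host sshd[1234]: Failed password for root from 123.183.209.135 port 14300 ssh2
Nov 27 12:01:03 host sshd[1235]: Failed password for root from 123.183.209.135 port 14301 ssh2
Nov 27 12:01:04 host sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Nov 27 12:01:05 host sshd[1237]: Accepted publickey for jerry from 192.0.2.10 port 50000 ssh2'

# Read log lines on stdin, print "<count> <ip>" for every address that
# produced a failed password attempt, most attempts first.
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print only the addresses with at least $1 failures (fail2ban calls this
# maxretry).
offenders() {
    failed_by_ip | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Turn a list of addresses on stdin into iptables DROP rules. They are
# printed, not executed, so they can be reviewed before touching the firewall.
drop_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Read an sshd_config on stdin and exit 0 only if root password logins and
# password authentication are both explicitly disabled. sshd uses the first
# occurrence of a keyword, so the first one wins here as well. Match blocks
# are not handled, and an unset keyword is flagged because its default
# depends on the OpenSSH version.
check_sshd_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { key = tolower($1) }
        key == "permitrootlogin" && root == "" { root = tolower($2) }
        key == "passwordauthentication" && pw == "" { pw = tolower($2) }
        END {
            ok = 1
            if (root != "no" && root != "prohibit-password" && root != "without-password") {
                print "PermitRootLogin: want no or prohibit-password, found \"" root "\""
                ok = 0
            }
            if (pw != "no") {
                print "PasswordAuthentication: want no, found \"" pw "\""
                ok = 0
            }
            exit (ok ? 0 : 1)
        }
    '
}

# Demonstration: who crossed three failures, and the rule that would block them.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | drop_rules
```

On a real host replace the sample with `grep sshd /var/log/secure | offenders 3`, and run `check_sshd_config < /etc/ssh/sshd_config` after editing the file and before restarting sshd; a non-zero exit with the printed reason tells you which of the two settings is still open.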