Who is trying to break in?

B

balanga

Is there any way of creating a simple list of IP addresses attempting to break in via SSH?

I guess all the info is stored in /var/log/auth.log.... so does anyone have a ready made sedscript or somesuch to extract IP addresses?
 
I am afraid to ask. Why might I see this in my logs, considering this is a server and not a desktop.

Code: 
sshd[19066]: Bad protocol version identification 'GET http://www.baidu.com/cache/global/img/gs.gif HTTP/1.1' from 94.102.49.174 port 48239
sshd[19919]: Bad protocol version identification 'GET http://www.baidu.com/cache/global/img/gs.gif HTTP/1.1' from 93.174.93.136 port 56589
 
Thats just standard random noise on the net I'd say - extensively logging everything that comes in (and/or gets rejected/blocked) on ports like ssh is mostly a huge waste of logfile-sanity. If you'd log any connection attempt on SMB/NETBIOS ports logs grow into the multiple-MB ranges within a few minutes and 95% of this traffic is just stupid windows machines directly connected to the internet or behind misconfigured plastic-routers... Keep your logfiles as clean as possible of random noise, so in case there is _really_ something fishy going on, you can detect and analyze it properly.

To get rid of most noise on ports that are actually used/needed (ssh) I use the really nice 'overload' rules for PF to block the standard bruteforce- or scriptkiddy-'attacks' that come in every day.
On mailservers I also use spamd and put spammers on a tiny bandwidth queue with only a few bytes/sec, so they stick around very long until the connection ends or is forcefully dropped. It seems more and more spam networks use some kind of tarpit detection and avoid wasting open connections to very slow hosts, so they won't come back.
 
It's one of the many bots on the internet that are scanning for vulnerable machines. Apparently this one thinks people are running web servers on port 22 and it's trying to see if it's an open proxy.

As for the original question, use something like security/sshguard or security/py-fail2ban to automatically block incoming connections after a few failed attempts.
 
Thanks guys. I have my /etc/ssh/sshd_config slightly modified; to consider valid login only from a select few address, but that's about it.

SirDice said:
.....use something like security/sshguard or security/py-fail2ban to automatically block incoming connections after a few failed attempts.
Click to expand...

I really need to take off my 'big router' guy hat, think with a server guy mindset (hat included), grab a few cold beer, and really go through the ports tree and see what's available for me to use and enjoy.

Thanks again guys.
 
PacketMan said:
Thanks guys. I have my /etc/ssh/sshd_config slightly modified; to consider valid login only from a select few address, but that's about it.



I really need to take off my 'big router' guy hat, think with a server guy mindset (hat included), grab a few cold beer, and really go through the ports tree and see what's available for me to use and enjoy.

Thanks again guys.
Click to expand...


I may well disable sshd since I've just found I can access my server using vSphere Client.
 
SirDice said:
It's one of the many bots on the internet that are scanning for vulnerable machines. Apparently this one thinks people are running web servers on port 22 and it's trying to see if it's an open proxy.

As for the original question, use something like security/sshguard or security/py-fail2ban to automatically block incoming connections after a few failed attempts.
Click to expand...

Actually I was just trying to find a way of isolating the IP addresses from the logfile to see who was trying to break in. I guess a sedscript would be most straightforward assuming I can figure out a regular expression for IP addresses....

Hopefully this will help http://stackoverflow.com/questions/14928573/sed-how-to-extract-ip-address-using-sed
 
balanga said:
Actually I was just trying to find a way of isolating the IP addresses from the logfile to see who was trying to break in.
Click to expand...
Please note that most of these "attacks" come from infected servers. Their owners have no clue their server is running malware.
 
Change the default port from 22 to something else, ie. 4522 which will evade a lot of scripts. Install fail2ban to catch the others, change the default settings on fail2ban from 10 minute ban or whatever to 30 days, even more. Modify sshd to disable password logins, use key to login. Will cut down on a lot of "unwanted" visitors.
 
balanga said:
Is there any way of creating a simple list of IP addresses attempting to break in via SSH? .... So does anyone have a ready made sedscript or somesuch to extract IP addresses?
Click to expand...

We use a variant of this at work quite often:
</var/log/auth.log grep -oE '([[:digit:]]+\.){3}[[:digit:]]+' | sort -rn | uniq | while read ipaddr; do fetch --quiet -o - http://ipinfo.io/${ipaddr}/json; done


Of course, on your home PC you're probably going to get a lot of local IP addresses, but http://ipinfo.io/ handles that pretty seamlessly anyway.

Code: 
[root@freebsd_pc ~]# < /var/log/auth.log grep -oE '([[:digit:]]+\.){3}[[:digit:]]+' | sort -rn | uniq | while read ipaddr; do fetch --quiet -o - http://ipinfo.io/${ipaddr}/json; done
{
  "ip": "192.168.15.223",
  "bogon": true
}{
  "ip": "0.0.0.0",
  "bogon": true
}[root@freebsd_pc ~]# fetch --quiet -o - http://ipinfo.io/8.8.8.8/json
{
  "ip": "8.8.8.8",
  "hostname": "google-public-dns-a.google.com",
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "loc": "37.3860,-122.0838",
  "org": "AS15169 Google Inc.",
  "postal": "94035"
}
BTW, that www.baidu.com entry in PacketMan's post is China's equivalent to Mountain View's Google. That searchbot and a few others index the worldwideweb so your search results don't return NULL results.
 
If you're not getting a solid wall of this stuff, it's time to check if the server is plugged in. My take is to make PermitRootLogin no, limit attempts to 3, install fail2ban. Then move on to the next project.
 
security/denyhosts has the ability to email a report.

/etc/denyhosts.conf
################################################## #####################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
# reports (see ADMIN_EMAIL) then these settings specify the
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
#
#
SMTP_HOST = localhost
SMTP_PORT = 25
 
Some more features of security/denyhosts

#######################################################################
#
# On FreeBSD/OpenBSD/TrueOS/PC-BSD/NetBSD/OS X we may want to block incoming
# traffic using the PF firewall instead of the hosts.deny file
# (aka tcp_wrapper).
# The admin can set up a PF table that is persistent
# and DenyHost can add new addresses to be blocked to that table.
# The TrueOS operating system enables this by default, blocking
# all addresses in the "blacklist" table.
#
# To have DenyHost update the blocking PF table in real time, uncomment
# these next two options. Make sure the table name specificed
# is one created in the pf.conf file of your operating system.
# The PFCTL_PATH variable must point to the pfctl extectuable on your OS.
 
You must log in or register to reply here.
Back
Top