Attempt to breakin

YouCanToo
      07-08-2005, 04:18 PM
Hi all,

Can someone please help me better understand the following messages
from my server log and possibly point me in the direction to help
stop it in the future?

I think they have used just about every name in the dictionary

Thanks


Jul 6 21:37:48 findmoore sshd[7965]: Failed password for root from
61.80.30.13 port 42989 ssh2
Jul 6 21:37:53 findmoore sshd[7968]: Failed password for root from
61.80.30.13 port 42976 ssh2
Jul 6 21:37:54 findmoore sshd[7969]: Failed password for root from
61.80.30.13 port 42977 ssh2
Jul 6 21:37:56 findmoore sshd[7977]: Invalid user admin from 61.80.30.13
Jul 6 21:37:56 findmoore sshd[7977]: error: Could not get shadow
information for NOUSER
Jul 6 21:37:56 findmoore sshd[7977]: Failed password for invalid user
admin from 61.80.30.13 port 43272 ssh2
Jul 6 21:38:00 findmoore sshd[7988]: Invalid user david from 61.80.30.13


Jul 7 17:35:37 findmoore sshd[29816]: Failed password for root from
4.36.241.5 port 47369 ssh2
Jul 7 17:35:38 findmoore sshd[29820]: Invalid user backup from 4.36.241.5
Jul 7 17:35:38 findmoore sshd[29820]: error: Could not get shadow
information for NOUSER
Jul 7 17:35:38 findmoore sshd[29820]: Failed password for invalid user
backup from 4.36.241.5 port 47544 ssh2
Jul 7 17:35:40 findmoore sshd[29830]: Invalid user info from 4.36.241.5
Jul 7 17:35:40 findmoore sshd[29830]: error: Could not get shadow
information for NOUSER
Jul 7 17:35:40 findmoore sshd[29830]: Failed password for invalid user
info from 4.36.241.5 port 47595 ssh2
Jul 7 17:35:42 findmoore sshd[29832]: Invalid user shop from 4.36.241.5


Jul 7 20:14:30 findmoore sshd[15699]: Failed password for invalid user
network from 219.240.36.46 port 41960 ssh2
Jul 7 20:14:32 findmoore sshd[15701]: Invalid user word from 219.240.36.46
Jul 7 20:14:32 findmoore sshd[15701]: error: Could not get shadow
information for NOUSER
Jul 7 20:14:32 findmoore sshd[15701]: Failed password for invalid user
word from 219.240.36.46 port 42316 ssh2
Jul 7 20:14:34 findmoore sshd[15704]: Failed password for root from
219.240.36.46 port 42666 ssh2
Jul 7 20:14:37 findmoore sshd[15714]: Failed password for root from
219.240.36.46 port 43060 ssh2
Jul 7 20:14:39 findmoore sshd[15724]: Failed password for root from
219.240.36.46 port 43435 ssh2
Jul 7 20:14:41 findmoore sshd[15726]: Failed password for root from
219.240.36.46 port 43839 ssh2
Jul 7 20:14:43 findmoore sshd[15744]: Failed password for root from
219.240.36.46 port 44206 ssh2
Jul 7 20:14:45 findmoore sshd[15747]: Failed password for root from
219.240.36.46 port 44636 ssh2
Jul 7 20:14:47 findmoore sshd[15761]: Failed password for root from
219.240.36.46 port 44981 ssh2
Jul 7 20:14:49 findmoore sshd[15765]: Failed password for root from
219.240.36.46 port 45412 ssh2
Jul 7 20:14:51 findmoore sshd[15767]: Failed password for root from
219.240.36.46 port 45787 ssh2
Jul 7 20:14:53 findmoore sshd[15777]: Failed password for root from
219.240.36.46 port 46215 ssh2
Jul 7 20:14:55 findmoore sshd[15779]: Failed password for root from
219.240.36.46 port 46555 ssh2
Jul 7 20:14:57 findmoore sshd[15783]: Failed password for root from
219.240.36.46 port 46950 ssh2
Jul 7 20:15:00 findmoore sshd[15793]: Failed password for root from
219.240.36.46 port 47313 ssh2
Jul 7 20:15:02 findmoore sshd[15796]: Failed password for root from
219.240.36.46 port 47782 ssh2
Jul 7 20:15:04 findmoore sshd[15806]: Invalid user admin from 219.240.36.46


Jul 8 02:00:55 findmoore sshd[23479]: Failed password for invalid user
ellen from 147.46.9.218 port 45600 ssh2
Jul 8 02:00:57 findmoore sshd[23483]: Invalid user dexter from 147.46.9.218
Jul 8 02:00:57 findmoore sshd[23483]: error: Could not get shadow
information for NOUSER
Jul 8 02:00:57 findmoore sshd[23483]: Failed password for invalid user
dexter from 147.46.9.218 port 45660 ssh2
Jul 8 02:00:57 findmoore sshd[23486]: Invalid user emil from 147.46.9.218
Jul 8 02:00:57 findmoore sshd[23486]: error: Could not get shadow
information for NOUSER
Jul 8 02:00:57 findmoore sshd[23486]: Failed password for invalid user
emil from 147.46.9.218 port 45681 ssh2
Jul 8 02:00:58 findmoore sshd[23490]: Invalid user dick from 147.46.9.218
Jul 8 02:00:58 findmoore sshd[23490]: error: Could not get shadow
information for NOUSER
 
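As an added example (not from anyone in the thread), here is the detection side of the question: a Python parser for the sshd "Failed password" lines posted above that flags any source address with five or more failures inside a sixty-second sliding window, run over a constructed subset of that log. The threshold and window are assumed values and the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# One regex for the two 'Failed password' forms in the thread; the optional group tells an
# existing account (root) apart from a name sshd already rejected as an invalid user.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(lines, year=2005):
    """Yield (timestamp, user, ip, account_exists) for each 'Failed password' line.
    Syslog carries no year, so one is supplied (assumed: 2005, the thread's)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:  # 'Invalid user' and 'Could not get shadow' lines are skipped
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"], m["invalid"] is None

def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, sorted_usernames)} for each source with at least
    `threshold` failures inside any `window_seconds` sliding window (assumed values)."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged

# Constructed sample: a subset of the lines posted above (4 failures from 61.80.30.13,
# 6 within eleven seconds from 219.240.36.46), including the lines that are not failures.
SAMPLE_LOG = """\
Jul 6 21:37:48 findmoore sshd[7965]: Failed password for root from 61.80.30.13 port 42989 ssh2
Jul 6 21:37:53 findmoore sshd[7968]: Failed password for root from 61.80.30.13 port 42976 ssh2
Jul 6 21:37:54 findmoore sshd[7969]: Failed password for root from 61.80.30.13 port 42977 ssh2
Jul 6 21:37:56 findmoore sshd[7977]: Invalid user admin from 61.80.30.13
Jul 6 21:37:56 findmoore sshd[7977]: error: Could not get shadow information for NOUSER
Jul 6 21:37:56 findmoore sshd[7977]: Failed password for invalid user admin from 61.80.30.13 port 43272 ssh2
Jul 7 20:14:30 findmoore sshd[15699]: Failed password for invalid user network from 219.240.36.46 port 41960 ssh2
Jul 7 20:14:32 findmoore sshd[15701]: Failed password for invalid user word from 219.240.36.46 port 42316 ssh2
Jul 7 20:14:34 findmoore sshd[15704]: Failed password for root from 219.240.36.46 port 42666 ssh2
Jul 7 20:14:37 findmoore sshd[15714]: Failed password for root from 219.240.36.46 port 43060 ssh2
Jul 7 20:14:39 findmoore sshd[15724]: Failed password for root from 219.240.36.46 port 43435 ssh2
Jul 7 20:14:41 findmoore sshd[15726]: Failed password for root from 219.240.36.46 port 43839 ssh2
"""

if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed passwords, usernames tried: {', '.join(users)}")
```

With the default threshold only 219.240.36.46 is flagged; lowering it to 4 also catches the 61.80.30.13 burst.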
Eric Teuber
      07-08-2005, 04:51 PM
YouCanToo wrote:
> Hi all,
>
> Can someone please help me better understand the following messages
> from my server log and possibly point me in the direction to help
> stop it in the future?
>
> I think they have used just about every name in the dictionary
>
> Thanks
>
>
> Jul 6 21:37:48 findmoore sshd[7965]: Failed password for root from
> 61.80.30.13 port 42989 ssh2
> Jul 6 21:37:53 findmoore sshd[7968]: Failed password for root from
> 61.80.30.13 port 42976 ssh2
> Jul 6 21:37:54 findmoore sshd[7969]: Failed password for root from
> 61.80.30.13 port 42977 ssh2
> Jul 6 21:37:56 findmoore sshd[7977]: Invalid user admin from 61.80.30.13
> Jul 6 21:37:56 findmoore sshd[7977]: error: Could not get shadow
> information for NOUSER
> Jul 6 21:37:56 findmoore sshd[7977]: Failed password for invalid user
> admin from 61.80.30.13 port 43272 ssh2
> Jul 6 21:38:00 findmoore sshd[7988]: Invalid user david from 61.80.30.13

[snip]

seems to be a brute force attack against your ssh server. Do you need
the ssh daemon to be open from outside your network?

If not, block the traffic from outside with a firewall. You can also
configure the ssh daemon to deny connections from unknown hosts.

Eric
 
James Knott
      07-08-2005, 05:18 PM
Eric Teuber wrote:

> If not, block the traffic from outside with a firewall. You can also
> configure the ssh daemon to deny connections from unknown hosts.
>


He can also configure ssh to require a key, so that even if the password is
known, an intruder can't get access.

 
Unruh
      07-08-2005, 06:06 PM
YouCanToo <(E-Mail Removed)> writes:

>Hi all,


> Can someone please help me better understand the following messages
>from my server log and possibly point me in the direction to help
>stop it in the future?


What is to understand? Someone is running a script from a cracked computer
trying out various accounts and simple passwords on your system.
You cannot stop it. You can make sure that all your users use good
passwords.



>I think they have used just about every name in the dictionary

No, only about 30 of them.


>Thanks



>Jul 6 21:37:48 findmoore sshd[7965]: Failed password for root from
>61.80.30.13 port 42989 ssh2

.......
 
Todd Knarr
      07-08-2005, 06:29 PM
In comp.os.linux.networking <ONednQfZUb1GOFPfRVn-(E-Mail Removed)> YouCanToo <(E-Mail Removed)> wrote:
> Jul 6 21:37:48 findmoore sshd[7965]: Failed password for root from
> 61.80.30.13 port 42989 ssh2
> Jul 6 21:37:53 findmoore sshd[7968]: Failed password for root from
> 61.80.30.13 port 42976 ssh2
> Jul 6 21:37:54 findmoore sshd[7969]: Failed password for root from
> 61.80.30.13 port 42977 ssh2
> Jul 6 21:37:56 findmoore sshd[7977]: Invalid user admin from 61.80.30.13
> Jul 6 21:37:56 findmoore sshd[7977]: error: Could not get shadow
> information for NOUSER
> Jul 6 21:37:56 findmoore sshd[7977]: Failed password for invalid user
> admin from 61.80.30.13 port 43272 ssh2
> Jul 6 21:38:00 findmoore sshd[7988]: Invalid user david from 61.80.30.13


I've seen a lot of these on my systems. It looks like someone trying
a really dumb brute-force attack. You can do a few things to protect
yourself:

1) Make sure your sshd is up to the most recent version with all the
latest security fixes.
2) Lock out direct root logins, require people to come in as a normal
user and then su to root.
3) Lock out password access and require everyone to come in using a
public key. Nobody can guess passwords if sshd won't accept passwords
for login.
4) Identify the IP addresses or netblocks the attacks are coming from and,
if you don't need access from those same blocks yourself, firewall them
off or add deny entries in hosts.allow to block access to sshd from
those addresses/netblocks.

--
death.net: because for some problems there's only one solution.
 
YouCanToo
      07-08-2005, 06:52 PM
Unruh wrote:

<snip>

>
>>I think they have used just about every name in the dictionary

>
> No, only about 30 of them.
>


Actually what I posted in my message was just a tiny part of the log
file. Believe me when I say they have used just about every word you can
think of, including some of a sexual nature.
 
Tauno Voipio
      07-08-2005, 07:26 PM
YouCanToo wrote:
> Hi all,
>
> Can someone please help me better understand the following messages
> from my server log and possibly point me in the direction to help
> stop it in the future?
>
> I think they have used just about every name in the dictionary
>
> Thanks
>
>
> Jul 6 21:37:48 findmoore sshd[7965]: Failed password for root from
> 61.80.30.13 port 42989 ssh2
> Jul 6 21:37:53 findmoore sshd[7968]: Failed password for root from
> 61.80.30.13 port 42976 ssh2
> Jul 6 21:37:54 findmoore sshd[7969]: Failed password for root from
> 61.80.30.13 port 42977 ssh2


--- clip clip ---

This is a script kiddie trying to brute-force your SSH.

There are a couple of SSH break-in scripts in circulation
(no - I'm not going to give a URL).

Please check that your SSH is configured to deny root
logins. You can still remotely administer your box by
using SSH with a normal user account and then using
su to gain root access.

You should consider moving SSH to another port. The
scripts seem to target the standard port (22) only.
A good candidate might be 60022.

HTH

--

Tauno Voipio
tauno voipio (at) iki fi

 
Alexander Clouter
      07-09-2005, 10:03 AM
Morning,

On 2005-07-08, Todd Knarr <(E-Mail Removed)> wrote:
>
> I've seen a lot of these on my systems. It looks like someone trying
> a really dumb brute-force attack. You can do a few things to protect
> yourself:
>

Although dumb, it's effective. Working on an ISP helldesk, we recently blocked
one of our users for scanning 200,000 hosts on port 22; in all probability he
had a weak username/password combination and someone ran a trojan on his
machine. We use snort to detect these things and pick up the results in the
morning for human decision making.

The amusing part about it is that the user knew they were blocked (we
hijack the web browser to redirect them to a 'disabled' page explaining
what's happened) and so called asking if we could permit port 22 to be opened
to his machine so that he could remotely clean the machine. We explained we
could not do this as he was obviously infected with some trojan that
makes good use of port 22 and did it to scan/infect 200,000 machines. The
reply was golden, "what's port 22 used for"....WTF, *you* asked *us*...to but?

Needless to say, I think we confirmed to ourselves the user believes in secure
passwords such as 'password' for the root account.

> 1) Make sure your sshd is up to the most recent version with all the
> latest security fixes.
>

good advice, this was another thought of ours: an SSH daemon that's more than
a year or two old has a couple of very easy to remotely "get root" exploits.

> 2) Lock out direct root logins, require people to come in as a normal
> user and then su to root.
>

in /etc/ssh/sshd_config you should have a line that says 'PermitRootLogin
no'. It's well worth also having a 'wheel' account so that only a handful of
people that belong to the 'wheel' group can 'su' to root; on a Debian box I
like to make use of the 'staff'/'users' groups to double up as a 'wheel' flag;
anyone whose primary group is 'staff' can 'su'.

> 3) Lock out password access and require everyone to come in using a
> public key. Nobody can guess passwords if sshd won't accept passwords
> for login.
>

Extremely good advice, however not logistically practical for everyone. If
only a few people administer the box then obviously this should be the
rule[1]; however, if it's a box that is used by "computer students" who seem to
spend more time playing Counterstrike rather than programming their projects,
they seem barely able to comprehend passwords[2].

> 4) Identify the IP addresses or netblocks the attacks are coming from and,
> if you don't need access from those same blocks yourself, firewall them
> off or add deny entries in hosts.allow to block access to sshd from
> those addresses/netblocks.
>

Depends strongly on your needs. If you are expected to maintain the box
whilst you are on holiday with a mobile phone in India for example, this is
not practical; if however the box should only be available to the
office/company/country[3] then block it; please make sure the firewall rule
is a REJECT[4]

Cheers

Alex

[1] http://cfm.gs.washington.edu/securit...client-pkauth/
[2] well this was the case I found whilst at Imperial College, London
[3] http://ip.ludost.net/
[4] http://support.metronet.co.uk/securi...hniques.xhtml1
 
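Added example, not written by anyone in the thread: a Python audit of the sshd_config settings that Todd Knarr's points 2 and 3, Alexander's 'PermitRootLogin no' line and Tauno's port move call for. It applies sshd's first-occurrence-wins rule to two constructed configs; the keyword defaults it assumes are those of OpenSSH at the time (since OpenSSH 7.0, PermitRootLogin defaults to prohibit-password), and the function names are mine.

```python
import re

# Keywords checked: (keyword, default assumed when absent, value the thread's advice calls for).
# ChallengeResponseAuthentication is included because with UsePAM yes it lets
# keyboard-interactive logins still accept a password after PasswordAuthentication no.
CHECKS = [
    ("permitrootlogin", "yes", "no"),
    ("passwordauthentication", "yes", "no"),
    ("challengeresponseauthentication", "yes", "no"),
]
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def parse_sshd_config(text):
    """Effective global settings as {lowercase_keyword: value}, following sshd_config
    rules: '#' starts a comment, keywords are case-insensitive and may be written
    'Key value' or 'Key=value', the FIRST occurrence of a keyword wins, and the
    global section ends at the first Match block."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit_sshd_config(text):
    """One finding per setting that still permits the password guessing seen in the log."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, default, wanted in CHECKS:
        value = cfg.get(key, default).lower()
        if value != wanted:
            how = "set to" if key in cfg else "unset, defaults to"
            findings.append(f"{key} {how} {value}; want {wanted}")
    return findings

# Constructed sample: a stock-looking config with the settings the thread warns about.
# The PermitRootLogin no at the bottom is ineffective because the first occurrence wins.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
PermitRootLogin no   # added later, silently ignored by sshd
"""

# Constructed sample applying Todd Knarr's points 2 and 3 and Tauno's port move.
HARDENED_CONFIG = """\
Port 60022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""
```

audit_sshd_config(WEAK_CONFIG) returns three findings, including the inherited ChallengeResponseAuthentication default; audit_sshd_config(HARDENED_CONFIG) returns an empty list.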
Unruh
      07-09-2005, 05:53 PM
Alexander Clouter <(E-Mail Removed)> writes:

>Morning,


>On 2005-07-08, Todd Knarr <(E-Mail Removed)> wrote:
>>
>> I've seen a lot of these on my systems. It looks like someone trying
>> a really dumb brute-force attack. You can do a few things to protect
>> yourself:
>>

>Although dumb, it's effective. Working on an ISP helldesk, we recently blocked
>one of our users for scanning 200,000 hosts on port 22; in all probability he
>had a weak username/password combination and someone ran a trojan on his
>machine. We use snort to detect these things and pick up the results in the
>morning for human decision making.


>The amusing part about it is that the user knew they were blocked (we
>hijack the web browser to redirect them to a 'disabled' page explaining
>what's happened) and so called asking if we could permit port 22 to be opened
>to his machine so that he could remotely clean the machine. We explained we
>could not do this as he was obviously infected with some trojan that
>makes good use of port 22 and did it to scan/infect 200,000 machines. The
>reply was golden, "what's port 22 used for"....WTF, *you* asked *us*...to but?



Well, not so stupid. port 22 is for INBOUND ssh connections. Outbound it
does not use port 22. And do you know that he was cracked on ssh, or was
his machine perhaps cracked in some other way?



>Needless to say, I think we confirmed to ourselves the user believes in secure
>passwords such as 'password' for the root account.

 
YouCanToo
      07-10-2005, 09:18 AM
Alexander Clouter wrote:
> Morning,
>
> On 2005-07-08, Todd Knarr <(E-Mail Removed)> wrote:
>
>>I've seen a lot of these on my systems. It looks like someone trying
>>a really dumb brute-force attack. You can do a few things to protect
>>yourself:
>>

>
> Although dumb, it's effective. Working on an ISP helldesk, we recently blocked
> one of our users for scanning 200,000 hosts on port 22; in all probability he
> had a weak username/password combination and someone ran a trojan on his
> machine. We use snort to detect these things and pick up the results in the
> morning for human decision making.
>
> The amusing part about it is that the user knew they were blocked (we
> hijack the web browser to redirect them to a 'disabled' page explaining
> what's happened) and so called asking if we could permit port 22 to be opened
> to his machine so that he could remotely clean the machine. We explained we
> could not do this as he was obviously infected with some trojan that
> makes good use of port 22 and did it to scan/infect 200,000 machines. The
> reply was golden, "what's port 22 used for"....WTF, *you* asked *us*...to but?
>
> Needless to say, I think we confirmed to ourselves the user believes in secure
> passwords such as 'password' for the root account.
>
>
>>1) Make sure your sshd is up to the most recent version with all the
>> latest security fixes.
>>

>
> good advice, this was another thought of ours: an SSH daemon that's more than
> a year or two old has a couple of very easy to remotely "get root" exploits.
>
>
>>2) Lock out direct root logins, require people to come in as a normal
>> user and then su to root.
>>

>
> in /etc/ssh/sshd_config you should have a line that says 'PermitRootLogin
> no'. It's well worth also having a 'wheel' account so that only a handful of
> people that belong to the 'wheel' group can 'su' to root; on a Debian box I
> like to make use of the 'staff'/'users' groups to double up as a 'wheel' flag;
> anyone whose primary group is 'staff' can 'su'.
>
>
>>3) Lock out password access and require everyone to come in using a
>> public key. Nobody can guess passwords if sshd won't accept passwords
>> for login.
>>

>
> Extremely good advice, however not logistically practical for everyone. If
> only a few people administer the box then obviously this should be the
> rule[1]; however, if it's a box that is used by "computer students" who seem to
> spend more time playing Counterstrike rather than programming their projects,
> they seem barely able to comprehend passwords[2].
>
>
>>4) Identify the IP addresses or netblocks the attacks are coming from and,
>> if you don't need access from those same blocks yourself, firewall them
>> off or add deny entries in hosts.allow to block access to sshd from
>> those addresses/netblocks.
>>

>
> Depends strongly on your needs. If you are expected to maintain the box
> whilst you are on holiday with a mobile phone in India for example, this is
> not practical; if however the box should only be available to the
> office/company/country[3] then block it; please make sure the firewall rule
> is a REJECT[4]
>
> Cheers
>
> Alex
>


Thanks for everybody's suggestions and help