failed password for "root" in logs

 
 
Mr.Jason
      05-29-2005, 06:04 PM
I get NUMEROUS amounts of "failed password for root" messages in my www
server's logfile. So I think someone is trying to connect to it via SSH and
trying different passwords, and it's surely not me.
My password is such that they can't guess it, but I'm still a little worried. If
nothing else, then about the size of my logfile!

But there's nothing I can do, maybe, except disable SSH, but I don't want to
do that..

-----
Check out the New Album
http://cutout.ath.cx
Listen my music at
http://www.rocketradio.com/mrjason
Get my previous CD East End
http://www.cdbaby.com/mrjason


 
Grun
      05-29-2005, 06:13 PM
In article <429a0433$0$26748$(E-Mail Removed)>, Mr.Jason wrote:
> I get NUMEROUS amounts of "failed password for root" messages in my www
> server's logfile. So I think someone is trying to connect to it via SSH and
> trying different passwords, and it's surely not me.
> My password is such that they can't guess it, but I'm still a little worried. If
> nothing else, then about the size of my logfile!
>
> But there's nothing I can do, maybe, except disable SSH, but I don't want to
> do that..


You could always disable root logins via ssh and allow it only for one
user and then use the su command to become root.

-grun-
 
Bit Twister
      05-29-2005, 06:32 PM
On Sun, 29 May 2005 21:04:41 +0300, Mr.Jason wrote:
> I get NUMEROUS amounts of "failed password for root" messages in my www
> server's logfile. So I think someone is trying to connect to it via SSH and
> trying different passwords, and it's surely not me.
> My password is such that they can't guess it, but I'm still a little worried. If
> nothing else, then about the size of my logfile!
>
> But there's nothing I can do, maybe, except disable SSH, but I don't want to
> do that..


Then put allowed IP addresses in /etc/hosts.allow for sshd.
Or add allowed IP addresses in the firewall for the ssh port.
 
Carles Arjona
      05-29-2005, 06:40 PM
"Mr.Jason" wrote:
>
> I get NUMEROUS amounts of "failed password for root" messages in my www
> server's logfile. So I think someone is trying to connect to it via SSH and
> trying different passwords, and it's surely not me.
> My password is such that they can't guess it, but I'm still a little worried. If
> nothing else, then about the size of my logfile!
>
> But there's nothing I can do, maybe, except disable SSH, but I don't want to
> do that..


ssh login for root can be disabled:

http://forums1.itrc.hp.com/service/f...hreadId=799090

Just log in as a normal user and run 'su -' if needed.

--
Regards,

Carles Arjona (E-Mail Removed) ( nospammer IS my real username )
 
Mr.Jason
      05-29-2005, 08:46 PM
Thanks! That's a very useful tip! I bet this increases server security quite a
bit.
Now I let them try again.. hehee

Do you think I should decrease the grace period and tweak the sshd config file a
bit more?

Mr.Jason

> ssh login for root can be disabled:
>
> http://forums1.itrc.hp.com/service/f...hreadId=799090
>
> Just log in as a normal user and run 'su -' if needed.
>
> --
> Regards,
>
> Carles Arjona (E-Mail Removed) ( nospammer IS my real username )



 
Tauno Voipio
      05-29-2005, 08:58 PM
Mr.Jason wrote:
> Thanks! That's a very useful tip! I bet this increases server security quite a
> bit.
> Now I let them try again.. hehee
>
> Do you think I should decrease the grace period and tweak the sshd config file a
> bit more?
>
> Mr.Jason
>
>
>>ssh login for root can be disabled:
>>
>>http://forums1.itrc.hp.com/service/f...hreadId=799090
>>
>>Just log in as a normal user and run 'su -' if needed.
>>
>>--
>>Regards,
>>
>>Carles Arjona (E-Mail Removed) ( nospammer IS my real username )


If you're tired of the log bloat coming from these script
kiddies, consider moving SSH to some other port. It did
calm the break-in attempts on my server. (Of course the
direct 'root' login is prohibited).

--

Tauno Voipio
tauno voipio (at) iki fi


 
Mr.Jason
      05-29-2005, 09:25 PM
> If you're tired of the log bloat coming from these script
> kiddies, consider moving SSH to some other port. It did
> calm the break-in attempts on my server. (Of course the
> direct 'root' login is prohibited).


How come! I was just thinking about doing that!
Yes, I have prohibited direct root login.

And greetings from Espoo by the way.
Mr.Jason

>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi
>
>



 
Allen McIntosh
      05-30-2005, 12:24 AM

> Then put allowed IP addresses in /etc/hosts.allow for sshd.
> Or add allowed IP addresses in the firewall for the ssh port.

(make sure the default is DROP so they don't know you're there)

and

PasswordAuthentication no

which forces them to have an SSH key.
I have also turned off V1 since the time when there was an exploit that
everyone was trying to use. I know it's fixed, but configuring this way
cuts down on the noise.
 
peter pilsl
      05-30-2005, 09:31 AM
Mr.Jason wrote:
> I get NUMEROUS amounts of "failed password for root" messages in my www
> server's logfile. So I think someone is trying to connect to it via SSH and
> trying different passwords, and it's surely not me.
> My password is such that they can't guess it, but I'm still a little worried. If
> nothing else, then about the size of my logfile!
>
> But there's nothing I can do, maybe, except disable SSH, but I don't want to
> do that..
>


To get the connection to your other thread: that's not an attack, it's
"noise". Every ssh-daemon on my servers is tested all the time.
Automated bots do this when they are bored (because they don't have to run
a DDOS-attack).

The messages should appear in your ssh-logs and not in your www-logs
when it's from sshd.
If it's in your www-logs, then it's testing your www-server.
It could also be an attack against your ftp-server (if you run one) and
then it's more serious, because most ftp-servers are much weaker than
openssh or apache. That's why scp is much better than ftp if you are the
only user on your server.

best,
peter

ps: imho ssh is not vulnerable against brute-force, because the
network-negotiation takes too much time. ssh is vulnerable against social
engineering if password-auth is enabled.

I do not use ip-ranges or key-only on my sshd, because sometimes you need
to access from somewhere where you don't have your key with you. And
carrying the key all the time is a bad idea for people like me, because I
tend to lose things. And a lost private-ssh-key is vulnerable against
brute-force and dictionary-attacks again.


--
http://www.goldfisch.at/know_list
 
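The check peter describes, separating sshd password events from other log lines and seeing which sources and accounts are being guessed at, as an added example that is not part of the original thread. The log lines are constructed samples in the usual OpenSSH syslog format, and `summarize` and its `threshold` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges, hypothetical host "www").
SAMPLE_LOG = """\
May 29 17:58:01 www sshd[2101]: Failed password for root from 192.0.2.10 port 40112 ssh2
May 29 17:58:03 www sshd[2103]: Failed password for root from 192.0.2.10 port 40120 ssh2
May 29 17:58:05 www sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 40133 ssh2
May 29 17:59:40 www sshd[2140]: Failed password for root from 198.51.100.7 port 51822 ssh2
May 29 18:01:12 www sshd[2188]: Accepted password for jason from 203.0.113.5 port 50022 ssh2
May 29 18:02:30 www sshd[2201]: Failed password for jason from 203.0.113.5 port 50040 ssh2
May 29 18:03:00 www httpd[900]: unrelated web server line
"""

# Some older OpenSSH releases wrote "illegal user" instead of "invalid user".
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=3):
    """Count failed sshd password logins per source IP and per user.

    Returns (failures_by_ip, failures_by_user, suspects). suspects maps each
    source with >= threshold failures to whether it also has an accepted login.
    """
    by_ip, by_user, accepted = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an sshd password event (e.g. web server lines)
        if m["result"] == "Accepted":
            accepted.add(m["ip"])
        else:
            by_ip[m["ip"]] += 1
            by_user[m["user"]] += 1
    suspects = {ip: ip in accepted for ip, n in by_ip.items() if n >= threshold}
    return by_ip, by_user, suspects

if __name__ == "__main__":
    ips, users, suspects = summarize(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip:15} {n} failed")
    for ip, logged_in in suspects.items():
        print(f"{ip}: repeated failures, accepted login seen: {logged_in}")
```

A source that shows up in `suspects` with `True` is the case worth investigating; one with `False` is the background noise described above.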
 
Alexander Clouter
      05-30-2005, 02:35 PM
On 2005-05-30, Allen McIntosh <(E-Mail Removed)> wrote:
>
>> Then put allowed IP addresses in /etc/hosts.allow for sshd.
>> Or add allowed IP addresses in the firewall for the ssh port.

> (make sure the default is DROP so they don't know you're there)
>

Yeah, that's a great idea, it's like burning all the maps in the world so that
burglars cannot break into your home, it's ingenious! The number of attacks I
have had on my system that have been successful against closed ports, well
it's been the bane of my life..... Thanks for this tip....</sarcasm>

> and
>
> PasswordAuthentication no
>
> which forces them to have an SSH key.
> I have also turned off V1 since the time when there was an exploit that
> everyone was trying to use. I know it's fixed, but configuring this way
> cuts down on the noise.
>

this however is actually a good idea....

Cheers

Alex
 
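One way to check an sshd_config against the advice collected in this thread (no direct root login, no password authentication, no protocol version 1, SSH moved off port 22), as an added example that is not from any poster. Both config texts are constructed, including the port value 2222, and `effective_settings` and `audit` are names chosen here.

```python
# Constructed sample configs: before and after applying the thread's advice.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
# Port 2222 is an arbitrary constructed value
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
"""

def effective_settings(config_text):
    """Global sshd_config keywords, lower-cased. sshd uses the first value it
    reads for a keyword, except Port, which may be repeated."""
    settings = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # conditional blocks are outside this check
        if key == "port":
            settings["port"] = settings.get("port", "") + " " + value
        else:
            settings.setdefault(key, value)
    return settings

def audit(config_text):
    """Return findings for the settings recommended in the thread."""
    s = effective_settings(config_text)
    findings = []
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not set to 'no'")
    if s.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not set to 'no'")
    # An unset Protocol is left to the build's default and not judged here.
    if "1" in s.get("protocol", "").split(","):
        findings.append("Protocol still allows version 1")
    if "22" in s.get("port", "22").split():
        findings.append("Port 22 in use: expect scanner noise in the logs")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text))
```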
 
 
 