Received attempts to ssh to my server

Support for security such as Firewalls and securing linux
netizen_69
Posts: 5
Joined: 2007/08/29 08:02:16

Received attempts to ssh to my server

Post by netizen_69 » 2007/09/04 04:29:49

Hi there,

Been receiving a lot of attempts to ssh to my server

Refer to some of the log content



Failed logins from these:
adm/password from 211.247.239.237: 6 Time(s)
admin/password from 211.247.239.237: 16 Time(s)
admin/password from 218.38.55.188: 2 Time(s)
admin/password from 81.98.213.210: 4 Time(s)
apache/password from 81.98.213.210: 1 Time(s)
clamav/password from 81.98.213.210: 1 Time(s)
ftp/password from 81.98.213.210: 1 Time(s)
games/password from 81.98.213.210: 1 Time(s)
mail/password from 81.98.213.210: 1 Time(s)
root/password from 218.38.55.188: 3 Time(s)
59.14.210.244: 146 times
71.129.106.56: 41 times
124.115.244.36: 145 times
212.23.234.197 (www.rzz.ch): 46 times
adm/password from 202.127.97.111: 1 Time(s)
admin/password from 202.127.97.111: 10 Time(s)
admin/password from 218.108.231.56: 2 Time(s)
apache/password from 202.127.97.111: 1 Time(s)
apache/password from 218.108.231.56: 1 Time(s)
ftp/password from 202.127.97.111: 1 Time(s)
ftp/password from 218.108.231.56: 1 Time(s)
games/password from 202.127.97.111: 1 Time(s)
httpd/password from 202.127.97.111: 1 Time(s)
mail/password from 202.127.97.111: 4 Time(s)
mysql/password from 202.127.97.111: 4 Time(s)
mysql/password from 218.108.231.56: 1 Time(s)
named/password from 218.108.231.56: 1 Time(s)
news/password from 202.127.97.111: 4 Time(s)
nobody/password from 202.127.97.111: 1 Time(s)
root/password from 201.3.192.62: 1 Time(s)
root/password from 202.127.97.111: 121 Time(s)
root/password from 218.108.231.56: 4 Time(s)
root/password from 81.191.236.2: 3 Time(s)
sshd/password from 202.127.97.111: 3 Time(s)


Other than disabling my ssh when not in use, is there any other method/s where I can block those IP addresses, complain to, etc.?
Other than blocking them, any advice on how I can protect or harden my server further from such attacks or attack attempts? :-x

They may not be successful now, but who knows, one day they might just get through. :-o

Somehow I believe the IP addresses are not the actual IP addresses where the hack originates.
Just got a gut feeling it originates from somewhere else, and those addresses could be the addresses of compromised PCs or servers.
A number of the IPs keep repeating tho..


Help please....

azca
Posts: 174
Joined: 2006/06/03 18:06:13
Location: Peoria, AZ USA

Received attempts to ssh to my server

Post by azca » 2007/09/04 05:41:25

Changing the default port 22 in /etc/ssh/sshd_config would help.

http://kbase.redhat.com/faq/FAQ_45_10101.shtm

Find an open port:

# netstat -an|grep 1234

If the output is empty, then that port should be good to use.

Just remember to open the new port in your firewall, and do NOT logout of your current ssh session until you have tested the new configuration.

Also see:
http://lists.centos.org/pipermail/centos/2006-January/059104.html

And the following message about disabling root login and using the AllowUsers keyword.

Also change:
Protocol 2,1
-to-
Protocol 2

Also see:
man sshd_config

And as far as blocking IPs - yeah, if they're from someplace you don't care about, and they're just trying to hack, then firewall them.
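
The sshd_config settings named in the post above (a non-default port, Protocol 2 only, no root login, AllowUsers) can be checked with a small audit function. This is an added example, not part of the original thread; the function names, finding labels and sample config are constructed, and the defaults assumed for missing keywords (Port 22, Protocol 2,1, PermitRootLogin yes) are those of OpenSSH releases from the thread's era.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening settings in the post above.
# Assumes whitespace-separated "Keyword value" lines and no Match blocks.

# Print the first value set for keyword $2 in file $1, or the default $3.
# sshd keywords are case-insensitive and the first occurrence wins.
sshd_get() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# Echo a space-separated list of findings for config file $1 (empty = none).
audit_sshd_config() {
    cfg=$1; findings=""
    # Port is cumulative: every Port line opens a listener, so check them all.
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$cfg")
    [ -n "$ports" ] || ports=22                  # no Port line: default 22
    for p in $ports; do
        if [ "$p" = 22 ]; then findings="$findings port22"; fi
    done
    # Anything other than exactly "2" still permits protocol 1.
    case $(sshd_get "$cfg" Protocol "2,1") in
        2) ;;
        *) findings="$findings protocol1" ;;
    esac
    # Only "no" fully disables root login; other values leave a path open.
    [ "$(sshd_get "$cfg" PermitRootLogin yes)" = no ] || findings="$findings rootlogin"
    # Without AllowUsers every account (adm, ftp, mysql, ...) may attempt a login.
    [ -n "$(sshd_get "$cfg" AllowUsers "")" ] || findings="$findings no-allowusers"
    echo "${findings# }"
}

# Constructed sample: a stock-style config with the defaults left in place.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Protocol 2,1' '#PermitRootLogin yes' > "$sample"
echo "findings: $(audit_sshd_config "$sample")"
rm -f "$sample"
```

Running `sshd -t` after editing checks the file for syntax errors before the daemon is restarted, which fits the advice to keep the current session open until the new configuration is tested.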

netizen_69
Posts: 5
Joined: 2007/08/29 08:02:16

Re: Received attempts to ssh to my server

Post by netizen_69 » 2007/09/04 06:58:21

Thank you for the prompt reply. :-D

Changes to the ssh port have been made based on http://www.iana.org/assignments/port-numbers
I just chose one of the ports which is presently not in use by my system.

Now time to monitor if any more new attempt/s

Once again.
Thank you.

azca
Posts: 174
Joined: 2006/06/03 18:06:13
Location: Peoria, AZ USA

Re: Received attempts to ssh to my server

Post by azca » 2007/09/04 07:18:43

You're welcome! You should see the bogus login attempts fall nicely now. :hammer:

BTW - Nice find on the iana.org port-numbers. Thanks.
