hi All,

I happened to login to one of my servers today and saw 96000 failed login attempts. Shown below is the address it's coming from. I added it to my firewall to drop.

Failed password for root from 123.183.209.135 port 14299 ssh2

FYI - others might be seeing it also.

Jerry
I can confirm that this IP had been actively and repeatedly hitting honeypots in the community honeypot network I'm a part of.

On Mon, Nov 27, 2017 at 11:10 AM, Jerry Geis <jerry.geis at gmail.com> wrote:
> hi All,
>
> I happened to login to one of my servers today and saw 96000 failed login
> attempts. shown below is the address its coming from. I added it to my
> firewall to drop.
>
> Failed password for root from 123.183.209.135 port 14299 ssh2
>
> FYI - others might be seeing it also.
>
> Jerry
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On Mon, November 27, 2017 11:10 am, Jerry Geis wrote:
> hi All,
>
> I happened to login to one of my servers today and saw 96000 failed login
> attempts. shown below is the address its coming from. I added it to my
> firewall to drop.
>
> Failed password for root from 123.183.209.135 port 14299 ssh2
>
> FYI - others might be seeing it also.

It happens all the time on all UNIX and Linux machines, and has for over two decades. This is why some of us sysadmins use various ways to protect our users (we all realize that out of 100 users there always are at least 5 who have very weak passwords and whose passwords can be cracked in a brute force attack like that). Some of the tools are: fail2ban, sshguard. The last one I use on my FreeBSD servers. On Linux workstations I usually use just a firewall rule that restricts similar attempts to some number. And I run servers under the assumption that bad guys are already in. Which (in addition to other security measures) means: update, update, update...

Good luck! Use strong passwords (passphrase I call it when I talk to my users), especially for the root account.

Valeri

> Jerry

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
> hi All,
>
> I happened to login to one of my servers today and saw 96000 failed login
> attempts. shown below is the address its coming from. I added it to my
> firewall to drop.
>
> Failed password for root from 123.183.209.135 port 14299 ssh2
>
> FYI - others might be seeing it also.
>

As others have said, it's normal: dictionary-based brute forcing of root; and no surprise that that IP is based in China. Welcome to the Internet.

Primarily you need to make sure your root password is strong so it isn't vulnerable to this sort of attack. If it is, then the most nasty thing about this sort of thing is that your logs fill up. For your sanity then you can do the following:

- disallow ssh root logins by password (login as an unprivileged user or use keys)
- run something like fail2ban which will block a host for a predetermined amount of time after a number of failures.
- don't run ssh on 22, use a different port. (Things get a lot quieter when you do that, but it comes with its own problems and don't get complacent because someone will find the port eventually.)
- if you only have a limited number of hosts or subnets logging in to your machine, adjust the firewall so that only they are allowed through.

P.
And if you're really security conscious consider using port knocking (knock server - amazingly easy to set up. Or use fwknop, a little more difficult to set up but not much. Finally, for the hard core who really like pain - write the iptables rules yourself).

----- Original Message -----
From: "Pete Biggs" <pete at biggs.org.uk>
To: "centos" <centos at centos.org>
Sent: Monday, November 27, 2017 11:53:30 AM
Subject: Re: [CentOS] Failed attempts

> On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
>> hi All,
>>
>> I happened to login to one of my servers today and saw 96000 failed login
>> attempts. shown below is the address its coming from. I added it to my
>> firewall to drop.
>>
>> Failed password for root from 123.183.209.135 port 14299 ssh2
>>
>> FYI - others might be seeing it also.
>>
> As others have said, it's normal: dictionary based brute forcing of root; and no surprise that that IP is based in China. Welcome to the Internet.
>
> Primarily you need to make sure your root password is strong so it isn't vulnerable to this sort of attack. If it is, then the most nasty thing about this sort of thing is that your logs fill up. For your sanity then you can do the following:
>
> - disallow ssh root logins by password (login as an unprivileged user or use keys)
> - run something like fail2ban which will block a host for a predetermined amount of time after a number of failures.
> - don't run ssh on 22, use a different port. (Things get a lot quieter when you do that, but it comes with it's own problems and don't get complacent because someone will find the port eventually.)
> - if you only have a limited number of hosts or subnets logging in to your machine, adjust the firewall so that only they are allowed through.
>
> P.
Pete Biggs wrote:
> On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
>> hi All,
>>
>> I happened to login to one of my servers today and saw 96000 failed
>> login attempts. shown below is the address its coming from. I added it to my
>> firewall to drop.
>>
>> Failed password for root from 123.183.209.135 port 14299 ssh2
>>
>> FYI - others might be seeing it also.
>>
> As others have said, it's normal: dictionary based brute forcing of
> root; and no surprise that that IP is based in China. Welcome to the
> Internet.

As opposed to, say, Brazil (yes, for some reason, a lot hit us from there).

> Primarily you need to make sure your root password is strong so it
> isn't vulnerable to this sort of attack. If it is, then the most nasty
> thing about this sort of thing is that your logs fill up.
>
> For your sanity then you can do the following:
>
> - disallow ssh root logins by password (login as an unprivileged user
> or use keys)

If you're not doing the above, you should start doing that... about 10 years ago. Disallow root login except via keys this very minute, and do it everywhere.

> - run something like fail2ban which will block a host for a
> predetermined amount of time after a number of failures.

We've been running fail2ban at work for a good bunch of years, and I run it at home. It's good, and std. repo.

> - don't run ssh on 22, use a different port. (Things get a lot
> quieter when you do that, but it comes with it's own problems and don't
> get complacent because someone will find the port eventually.)

I consider that pointless security-through-obscurity.

> - if you only have a limited number of hosts or subnets logging in to
> your machine, adjust the firewall so that only they are allowed
> through.

Yep. And iptables rules are not that big a deal to write.

mark
On 11/27/2017 12:10 PM, Jerry Geis wrote:
> hi All,
>
> I happened to login to one of my servers today and saw 96000 failed login
> attempts. shown below is the address its coming from. I added it to my
> firewall to drop.
>
> Failed password for root from 123.183.209.135 port 14299 ssh2
>
> FYI - others might be seeing it also.
>

You're going to see this probably quite a lot on a server that has port 22 open to the world. All the Linux boxes I have internet accessible have a couple of things set up to prevent a lot of that:

Lock down SSH to accept only login requests from one IP (or a range, but I prefer a single IP most of the time if I can manage it).
Use a non-standard SSH port (and not a variation like 2222 or some such, just make sure you remember what it is).
Fail2ban is your friend.

Seriously though, Fail2Ban is simply amazing. It will block IPs using IPtables without needing to write your own rules. Will email you a log if you like. And will generally help you sleep better at night. I've got a couple of web servers that I have running Fail2Ban with a maximum of 3 failed logins and once that's reached, the IP is blocked for a week. An hour just won't cut it nowadays, IMHO. It's pretty trivial to set up and uses very little in resources.

--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney at neonova.net
www.neonova.net
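The maxretry/bantime behaviour Mark describes, as an added example that is not fail2ban's code and not from the thread: it parses the sshd "Failed password" line Jerry quoted and applies a fail2ban-style sliding window. MAXRETRY and BANTIME follow Mark's settings (3 failures, blocked for a week); FINDTIME, the function names and the sample log are assumptions.

```python
import re
from collections import defaultdict, deque

# MAXRETRY and BANTIME follow Mark Haney's jail (3 failures, one-week ban); FINDTIME is assumed.
MAXRETRY = 3
FINDTIME = 600               # seconds within which MAXRETRY failures must occur
BANTIME = 7 * 24 * 3600      # one week, in seconds

# Matches the sshd line quoted in the thread, with or without the "invalid user" prefix.
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

def parse_failure(line):
    """Return (user, ip) for a failed-password line, or None for anything else."""
    m = FAIL_RE.search(line)
    return (m.group("user"), m.group("ip")) if m else None

def ban_decisions(events):
    """events: (timestamp_seconds, log_line) pairs in time order.
    Returns {ip: ban_start} for each source that hit MAXRETRY failures in a FINDTIME window."""
    recent = defaultdict(deque)   # ip -> timestamps of unexpired failures
    banned = {}
    for ts, line in events:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        _, ip = parsed
        if ip in banned and ts < banned[ip] + BANTIME:
            continue                  # still banned: the firewall would drop it
        window = recent[ip]
        window.append(ts)
        while window and window[0] < ts - FINDTIME:
            window.popleft()          # forget failures older than the window
        if len(window) >= MAXRETRY:
            banned[ip] = ts
            window.clear()
    return banned

# Constructed sample log (timestamps in seconds): the first source is the address
# from the thread, the second a legitimate user mistyping a password slowly.
SAMPLE = [
    (0, "Failed password for root from 123.183.209.135 port 14299 ssh2"),
    (5, "Failed password for root from 123.183.209.135 port 14301 ssh2"),
    (9, "Failed password for invalid user admin from 123.183.209.135 port 14310 ssh2"),
    (20, "Accepted publickey for jerry from 192.0.2.10 port 50022 ssh2"),
    (30, "Failed password for jerry from 192.0.2.10 port 50023 ssh2"),
    (700, "Failed password for jerry from 192.0.2.10 port 50024 ssh2"),
]
```

`ban_decisions(SAMPLE)` bans only the thread's address (at t=9); the slow mistyper never accumulates three failures inside one window.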
On Mon, November 27, 2017 1:22 pm, Mark Haney wrote:
> On 11/27/2017 12:10 PM, Jerry Geis wrote:
>> hi All,
>>
>> I happened to login to one of my servers today and saw 96000 failed
>> login attempts. shown below is the address its coming from. I added it to my
>> firewall to drop.
>>
>> Failed password for root from 123.183.209.135 port 14299 ssh2
>>
>> FYI - others might be seeing it also.
>>
> You're going to see this probably quite a lot on a server that has port
> 22 open to the world. All the linux boxes I have internet accessible
> have a couple of things setup to prevent a lot of that:
>
> Lock down SSH to accept only login requests from one IP (or a range, but
> I prefer a single IP most of the time if I can manage it).
> Use a non-standard SSH port (and not a variation like 2222

All ports above 1023 on UNIX and Linux systems can be opened by a regular user, without requiring root access to the machine. Therefore, this has always been considered a potential security risk.

One more comment about obscuring the ssh service by running it on a non-standard port (e.g. any port but 22). In my book this constitutes "security by obscurity", which all my sysadmin colleagues considered a "Windows-like" way of dealing with problems. (Think about pushing the trash on the floor under the carpet.)

> or some such,
> just make sure you remember what it is).
> Fail2ban is your friend.
>
> Seriously though, Fail2Ban is simply amazing.

Exactly. And some other measures already mentioned in this thread (sshguard, iptables rulesets, ...)

Valeri

> It will block IPs using
> IPtables without needing to write your own rules. Will email you a log
> if you like. And will generally help you sleep better at night. I've
> got a couple of web servers that I have running Fail2Ban with a maximum
> of 3 failed logins and once that's reached, the IP is blocked for a
> week. An hour just won't cut it nowadays, IMHO. It's pretty trivial to
> setup and uses very little in resources.
Hi Valeri,

> Good luck! Use strong passwords (passphrase I call it when I talk to my
> users), especially for root account.

If possible: do not use passwords at all. Disable password login, and replace it with SSH private/public key authentication, and, again if possible, with OTP (two-factor authentication) on top.

All the other hints (disallow root access via SSH, use strong passwords, port knocking, different ports etc.) just put the hurdle a bit higher but do not solve the underlying problem: password authentication is weak by design, as it relies on the good behaviour of users. Don't restrict their passwords and they'll use simple or easily guessable ones. Restrict them and they will write them down.

Cheers,
Pete.
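An added example, not from the thread or from OpenSSH, that audits an sshd_config for the settings the thread converges on (no root password login, keys instead of passwords). It respects two sshd_config rules that catch people out: the first value given for a keyword wins, and lines after a Match block apply only conditionally. The function names and both sample configs are constructed.

```python
import re
WANTED = {  # keyword -> acceptable values (lower-case), per the thread's advice
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
LINE_RE = re.compile(r"(\w+)\s*=?\s*(.*)$")  # "Keyword value" or "Keyword=value"

def effective_settings(config_text):
    """Return {keyword: value} as sshd applies it to the global section: keywords
    are case-insensitive, the FIRST value wins, and lines after a Match are skipped."""
    settings = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())           # blank and '#' lines do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break                                # conditional section: ignore
        if value and key not in settings:
            settings[key] = value
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    eff = effective_settings(config_text)
    findings = []
    for key, ok in WANTED.items():
        value = eff.get(key)
        if value is None:
            findings.append(f"{key}: not set; state it explicitly rather than trust defaults")
        elif value not in ok:
            findings.append(f"{key}: is '{value}', expected one of {sorted(ok)}")
    return findings

# Constructed config with the classic mistake: hardened lines appended below the stock ones.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
# appended later in good faith, but ignored by sshd:
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""
```

`audit(WEAK_CONFIG)` reports three findings even though the file ends with the right lines; `audit(HARDENED_CONFIG)` returns an empty list.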