[opensuse] Possible SSH attacker?

Hello, I'm monitoring /var/log/messages and I noticed this kind of warning (there are many similar):

2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'

Do I have to be worried?

Tks,
-- 
Marco Calistri
opensuse 13.2 (Harlequin) 64 bit - Kernel 4.1.5-2-desktop
Gnome 3.16.2
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On Fri, Aug 21, 2015 at 5:32 PM, Marco Calistri <marco.calistri@yahoo.com.br> wrote:
As far as I know, this is an audit message logged by sshd when it destroys run-time session keys. So if the IP, or the fact of a remote connection at all, is not expected, it may mean someone is probing your server.

Il 21/08/2015 12:04, Andrei Borzenkov ha scritto:
Hi Andrei,

Thanks for your comments; then it is the second option you mentioned, since I don't recognize these connections at all :-/

Cheers,
-- 
Marco Calistri

On 08/21/2015 07:32 AM, Marco Calistri wrote:
I'm not familiar with that particular message, but the fact that 125.121.146.24 is in China would make me very nervous! It's also blackholed by Spamhaus.

Do the other warnings reference the same IP? Are you running sshd? Are you seeing any "sshd" entries in /var/log/messages?

Regards,
Lew
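Added example, written by the editor and not by any participant in this thread: a small parser for audit lines of the kind Marco posted, which answers Lew's question ("do the other warnings reference the same IP?") by counting the sshd key events per remote address and reporting the addresses that are not on an allowlist. The sample log lines are constructed from the one in the thread; 192.0.2.10 is a documentation address standing in for a known-good client, and the allowlist is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the first line is the one posted in the thread, the rest
# are made-up lines in the same format (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
2015-08-21T11:17:40.100000-03:00 linux-turion64 kernel: [ 9989.625000] audit: type=2404 audit(1440166660.099:791): pid=4290 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4290 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
2015-08-21T12:02:11.000000-03:00 linux-turion64 kernel: [12660.525000] audit: type=2404 audit(1440169331.000:803): pid=4401 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4401 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
2015-08-21T12:05:00.000000-03:00 linux-turion64 sshd[4410]: Accepted publickey for marco from 192.0.2.10 port 51234 ssh2
"""

# type=2404 is AUDIT_CRYPTO_KEY_USER, the record type in the posted line.
SSHD_KEY_EVENT = 2404

# "audit: type=NNNN audit(timestamp:serial): key=value ..."
AUDIT_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value tokens; values may be double-quoted, single-quoted, or bare.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_audit_line(line):
    """Return a dict of the audit record's fields, or None for non-audit lines.

    The outer fields (pid, uid, ...) and the fields inside msg='...'
    (op, kind, exe, addr, ...) are merged into one flat dict.
    """
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m.group("type")), "serial": int(m.group("serial"))}
    outer = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("body"))}
    inner = outer.pop("msg", "")
    rec.update(outer)
    rec.update((k, v.strip("\"'")) for k, v in KV_RE.findall(inner))
    return rec


def unexpected_peers(log_text, allowed):
    """Count sshd key events per remote address; return the addresses that are
    not in the allowlist, most frequent first, as (addr, count) pairs."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec["type"] != SSHD_KEY_EVENT:
            continue
        # Only sshd records that carry a usable remote address are interesting.
        if rec.get("exe") != "/usr/sbin/sshd" or rec.get("addr") in (None, "?"):
            continue
        counts[rec["addr"]] += 1
    return [(addr, n) for addr, n in counts.most_common() if addr not in allowed]


if __name__ == "__main__":
    # Assumed allowlist: the one client address the owner expects to see.
    for addr, n in unexpected_peers(SAMPLE_LOG, allowed={"192.0.2.10"}):
        print(f"{addr}: {n} sshd key event(s) from an address not on the allowlist")
```

Run it over the real file with `unexpected_peers(open("/var/log/messages").read(), allowed={...})`; an address that appears repeatedly and is not one you connect from is the case Andrei describes.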

Dne Pá 21. srpna 2015 08:23:57, Lew Wolfgang napsal(a):
I run denyhosts and fail2ban on the server, blocking attempts against SSH for tens of hours or days. Every day the server blocks at least 10 IPs, mainly from China, Russia and South America... There are also the packages logwatch and logwarn, which help you trace those probes. They report attacks/probing against Apache/CMS (like Drupal) and so on as well.

Sincerely,
Vojtěch
-- 
Vojtěch Zeisek
Komunita openSUSE GNU/Linuxu
Community of the openSUSE GNU/Linux
http://www.opensuse.org/
http://trapa.cz/

Il 21/08/2015 12:38, Vojtěch Zeisek ha scritto:
Thanks!
-- 
Marco Calistri

On Fri, Aug 21, 2015 at 11:23 AM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
I'm not aware of that specific message either, but failed ssh connections from malicious IPs are so common they aren't worth mentioning.

I use fail2ban to scan my logs and look for failed SSH login attempts. On first detection it blocks that IP for some hours. Then after 3 temporary blocks it does a permanent block. Currently I have 114 IPs in my permanent ban list. (I inadvertently wiped it out a few months back.)

I think most of the failed attempts try to log in as root. I also have all root ssh access disabled.

Greg

On 08/21/2015 08:44 AM, Greg Freemyer wrote:
Hi Greg,

I too see LOTS of login attempts from China on public-facing ssh servers, but in my case most are using non-root logins. I've been using blockhosts, but last year I got tired of seeing thousands of entries in the table, so I entered all known China IP CIDR blocks. Now I'm down to about 100 actively blocked IPs plus about 100 "watched" IPs.

But being unfamiliar with the OP's message report and not knowing his configuration, I'd be worried and would look further.

Regards,
Lew

On 08/21/2015 10:35 AM, Lew Wolfgang wrote:
I've seen these too, and got tired of them filling my logs, even though I rate-limit via Shorewall and fail2ban. (Ever-growing ban lists slow things down.)

I've reduced these incidences by moving my external-facing ssh to a different high port. I see virtually no attempts any more.

None of these attempts ever got in, because I scan logs for successful ssh logins and don't allow plaintext passwords. So this is mostly just keeping the log small.

-- 
After all is said and done, more is said than done.

On 2015-08-21 20:13, John Andersen wrote:
> I've seen these too, and got tired of them filling my logs, even though I rate-limit via Shorewall and fail2ban. (Ever-growing ban lists slow things down.)

You can do it with iptables. There is a setting in the SuSEfirewall2 file for it. It runs in RAM.

-- 
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)

On 08/21/2015 12:07 PM, Carlos E. R. wrote:
Carlos: I'm sure you realize that both SuSEfirewall and Shorewall do nothing but manage iptables rules and install them as the interface is brought up. Nevertheless, a huge ban list slows EVERY packet, as each must be checked against the ban list. Banning entire subnets is more efficient.

-- 
After all is said and done, more is said than done.

On 2015-08-21 21:12, John Andersen wrote:
Of course I do. But in this case, it is a single rule. There is no log watching, no modification of rules or adding lists as the intruders are found. This solution works at the kernel level.

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

That's all.

-- 
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)

On 08/21/2015 09:12 PM, John Andersen wrote:
One note on all those kinds of solutions, i.e., something reading the logs and inserting an entry into iptables: on virtual servers, the resources might be rather limited. E.g. on mine at 1und1, I've even seen a situation where the whole virtual server wasn't reachable any more due to a bigger iptables list - neither via ssh nor via any other port, like that of apache. I don't remember exactly, but I think that limit was surprisingly small ... like 128 blocked IPs.

The most effective things are
* to move to a different port,
* to disallow password authentication,
* to enable only 1 certain user (not 'root', obviously).

On top of that, one may run fail2ban or similar solutions, but I think you won't get more than one entry per week.

Have a nice day,
Berny
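Added example, written by the editor and not by any participant in this thread: a checker that reads an sshd_config and reports which of the three settings Berny lists (non-default port, no password authentication, a single permitted user) plus the root-login setting Greg and Marco discuss are still at their permissive values. Both config texts are constructed; the parsing follows OpenSSH's documented rules that the first occurrence of a keyword wins, keywords are case-insensitive, and lines after a Match block are conditional. The assumed defaults are those of the OpenSSH 6.x generation this thread runs (PermitRootLogin defaulted to yes then).

```python
import re

# Constructed: a permissive config that leaves everything at stock values.
WEAK_CONFIG = """\
# everything left at the permissive defaults (constructed sample)
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: a config applying the advice given in this thread.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers marco
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Assumed defaults (OpenSSH 6.x era) for keywords the file does not set.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def effective_settings(text):
    """Global settings of an sshd_config: first occurrence of a keyword wins,
    keywords are case-insensitive, and everything from the first Match block
    on is conditional, so it is not part of the global view."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit_sshd_config(text):
    """Return a list of findings (empty means all four points are covered)."""
    s = {**DEFAULTS, **effective_settings(text)}
    findings = []
    if s["port"] == "22":
        findings.append("Port 22: listening on the default port the probes aim at")
    if s["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin {s['permitrootlogin']}: root login not fully disabled")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication yes: password guessing is possible")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every local account is a login target")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

Point it at the live file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; note that it deliberately ignores the Match block, so the password exception for the LAN in the hardened sample does not count against the global setting.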

On 08/24/2015 08:27 AM, Bernhard Voelker wrote:
If that is true then this is not a feasible solution at all. Ideally, for something like that to function it would have to have an efficient search: an array or sorted list for the first field (for IPv4) with another beneath (that's 64k references), and sorted lists or even linked lists beneath that. Checking for a match would then take 2 array lookups and a binary search. Or two array lookups, a shift, a bucket lookup, a search within the bucket. But doing a linear search along a long list; that is not really specialised or workable functionality :-/.

There is something called ipset that does this thing with lightning speed: https://forums.gentoo.org/viewtopic-t-863121.html

My current firewall tool (Vuurmuur) just adds individual rules to a BLOCKLIST input chain which lists all the IPs individually:

BLOCK all -- 182.100.67.59 anywhere
BLOCK all -- anywhere 182.100.67.59
BLOCK all -- 23.30.65.218.broad.xy.jx.dynamic.163data.com.cn anywhere
BLOCK all -- anywhere 23.30.65.218.broad.xy.jx.dynamic.163data.com.cn
BLOCK all -- 45.114.11.54 anywhere
BLOCK all -- anywhere 45.114.11.54

Moreover, it adds 2 rules per IP address, one incoming and one outgoing. In "ipset" it would all be replaced by a single rule. I have yet to find out how to enable this.

Regards,
Bart.
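Added example, written by the editor and not by any participant in this thread: it shows the two ideas of Lew's and Bart's messages in code, collapsing individual banned addresses into CIDR blocks, looking an address up with one hash probe per prefix length instead of a linear scan (the lookup shape ipset's hash:net type uses), and emitting the text `ipset restore` reads so that a single iptables rule replaces the per-IP BLOCK rules. The ban list is constructed: two of Bart's addresses plus a run of documentation addresses that aggregate into one /30. IPv4 only.

```python
import ipaddress

# Constructed ban list: two addresses from Bart's BLOCKLIST chain plus four
# consecutive documentation addresses (198.51.100.16-19) that form one /30.
BANNED = [
    "182.100.67.59", "45.114.11.54",
    "198.51.100.16", "198.51.100.17", "198.51.100.18", "198.51.100.19",
]


def aggregate(addresses):
    """Collapse single addresses and networks into the fewest covering CIDR
    blocks (sorted by network address), e.g. four adjacent /32s become a /30."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return list(ipaddress.collapse_addresses(nets))


class Blocklist:
    """Membership test costing one set lookup per distinct prefix length,
    independent of how many blocks are banned: mask the address to each
    prefix length in use and probe a hash set of network addresses."""

    def __init__(self, networks):
        self.by_prefix = {}
        for net in networks:
            if net.version != 4:
                raise ValueError("IPv4 only in this example")
            self.by_prefix.setdefault(net.prefixlen, set()).add(int(net.network_address))

    def __contains__(self, addr):
        ip = int(ipaddress.IPv4Address(addr))
        for plen, nets in self.by_prefix.items():
            shift = 32 - plen
            if (ip >> shift) << shift in nets:   # address masked to this prefix length
                return True
        return False


def ipset_restore(name, networks):
    """Text for `ipset restore`: one set definition plus one 'add' per block.
    The firewall then needs a single rule, e.g.
      iptables -I INPUT -m set --match-set <name> src -j DROP"""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {net.with_prefixlen}" for net in networks]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = aggregate(BANNED)
    bl = Blocklist(nets)
    print(f"{len(BANNED)} addresses -> {len(nets)} blocks; "
          f"probes per lookup: {len(bl.by_prefix)}")
    print(ipset_restore("blocklist", nets))
```

Feed the output to `ipset restore -exist` (the set must not already exist with a different type) and add the single match rule quoted in the docstring; both commands need root, which is why the example only generates the text.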

On 21/08/15 18:35, Lew Wolfgang wrote:
One partial solution is to move your ssh port to a non-standard one, e.g. an unused higher-numbered port. These attacks will almost certainly be aimed at port 22.

Bob
-- 
Bob Williams
System: Linux 3.16.7-7-desktop
Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3
Uptime: 06:00am up 7:55, 3 users, load average: 0.16, 0.05, 0.06

Il 21/08/2015 12:44, Greg Freemyer ha scritto:
Greg,

Interesting! This app, fail2ban, is it difficult to set up?

Thanks also for pointing out the important detail about ssh root access; I will check my ssh configuration.

It is most probable that my laptop has been attacked for many days or even months and I had not yet noticed it!

Regards,
-- 
Marco Calistri

On 2015-08-21 21:52, Marco Calistri wrote:
> It is most probable that my laptop has been attacked for many days or even months and I had not yet noticed it!

Means it is safe ;-)

However, do you really need to have ssh enabled to the Internet on your laptop?

-- 
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)

Il 21/08/2015 17:13, Carlos E. R. ha scritto:
:-) Hope so! Now I also disabled root login, which is enabled by default.

> However, do you really need to have ssh enabled to the Internet on your laptop?

Not really, but sometimes I log in remotely to do some basic things such as zypper ref; zypper up, for example. And note that my machine is not up 24/24.

Cheers,
-- 
Marco Calistri

On 2015-08-21 23:27, Marco Calistri wrote:
> Il 21/08/2015 17:13, Carlos E. R. ha scritto:

Well, but that can surely wait till you are in front of the laptop :-)

As it is only you who needs to access it, and not others, the simplest measure is to change the port to somewhere high. It defeats most, except those that scan all ports to find which one is open.

If you use a router to connect to the Internet, you can probably map some high port on the router WAN side and send it to the laptop on the normal ssh port. Even home units can do this.

-- 
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))

Il 21/08/2015 19:10, Carlos E. R. ha scritto:
True and safe suggestions, Carlos. In any case, since I let the laptop online very seldom, I think that I can keep running this way, at least until a Chinese cracker deletes my entire filesystem :-O

Cheers,
-- 
Marco Calistri

Dne Pá 21. srpna 2015 16:52:06, Marco Calistri napsal(a):
No, check http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

-- 
Vojtěch Zeisek

Il 24/08/2015 07:50, Vojtěch Zeisek ha scritto:
Tks!
-- 
Marco Calistri

Il 21/08/2015 12:23, Lew Wolfgang ha scritto:
Yes Lew, I have sshd enabled because I use it to log in remotely to my laptop from time to time. I have not checked any further in other logs.

Thanks.
-- 
Marco Calistri
