ssh: Repeated intrusion attempts

From: Robert S (robert.spam.me.senseless_at_gmail.com)
Date: 05/02/05

  • Next message: Lars Roland: "Silence apt-get for real"
    To: debian-user@lists.debian.org
    Date: Mon, 2 May 2005 19:27:08 +1000
    
    

    Today I found hundreds of the following in my /var/log/auth.log:

    May 2 08:12:01 debian sshd[16918]: Could not reverse map address
    64.132.35.43.
    May 2 08:12:04 debian sshd[16920]: Could not reverse map address
    64.132.35.43.
    May 2 08:12:06 debian sshd[16922]: Could not reverse map address
    64.132.35.43.

    This is occasionally punctuated with the following:

    May 2 08:12:47 debian sshd[16955]: User XXXX not allowed because none of
    user's groups are listed in AllowGroups

    Where XXXX is a valid user name on my system - who is denied access via ssh.

    Occasionally I get

    May 2 07:59:30 debian PAM_unix[16273]: authentication failure; (uid=0) ->
    YYYY for ssh service
    May 2 07:59:32 debian sshd[16273]: Failed password for YYYY from
    64.132.35.43 port 39023 ssh2
    May 2 07:59:35 debian sshd[16275]: Could not reverse map address
    64.132.35.43.

    Where YYYY is a user who has permission to log in remotely via ssh.

    There seem to be bursts of this sort of activity every day or two, from
    different addresses.

    I only have a very limited number of users who are able to log in through
    ssh, and the users who can have good passwords, so I assume that the chance
    of a successful breakin is low.

    What concerns me is that the attackers seem to be able to retrieve the names
    of users on my system. How do they do that, and how can I prevent it?

    I am running Woody, with up-to-date patches, behind a cheap hardware
    firewall-router. Open ports are 22 (sshd), 25 (sendmail), 80 (apache), 443
    (apache-ssl), 993 (courier-imap over ssl) and 995 (courier-pop over ssl).

    -- 
    To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
    

  • Next message: Lars Roland: "Silence apt-get for real"

    Relevant Pages

    • ssh: Repeated breakin attempts
      ... May 2 08:12:04 debian sshd: Could not reverse map address ... for ssh service ... May 2 07:59:32 debian sshd: Failed password for ...
      (comp.os.linux.security)
    • Re: Install Debian 4.0 to watch DVD video
      ... >>> If I want to another linux box connect to the Debian box using ssh, ... I see the ssh has ... >>> already in the debian box, but I guess it is the ssh client, not sshd. ... reinstall or better purge and install to recreate all missing config ...
      (Debian-User)
    • Re: ssh communication issue
      ... But, when we ssh from the internet, there are long pauses where i/o is not displayed/echoed to the screen on our Debian servers. ... Are you coming from machines that don't have proper reverse DNS entries on the new Debian machines, whereas the old SCO machine has a proper reverse DNS entry?) ...
      (Debian-User)
    • Re: ssh verso macchine virtuali Parallels
      ... pur avendo cercato di far funzionare tutto, non mi riesce di usare SSH ... da una macchina virtuale Linux Debian su Parallels. ... la Debian viene vista dal Mac stesso come collegata su 10.211.55.13 ...
      (it.comp.macintosh)
    • Re: Install Debian 4.0 to watch DVD video
      ... >>> before and has no problem to network connection. ... I did mean to use dhcp. ... Not sure why doesn't work in Debian. ... I see the ssh has ...
      (Debian-User)