Re: ssh - possible break-in attempt - what should I do?



On 2007-05-07, Yvan office <me@xxxxxxxxxxx> wrote:

I have set up ssh on my home box so I can login from office. I've set up
passwordless login with private and public key, and it works as I want.

But yesterday I looked at /var/log/auth.log and found a lot of:

Apr 30 09:09:52 localhost sshd[5400]: Invalid user admin1 from \
124.42.8.138
Apr 30 09:10:36 localhost sshd[5422]: Invalid user html from \
124.42.8.138
Apr 30 09:11:12 localhost sshd[5443]: Invalid user html from \
124.42.8.138
Apr 30 09:11:56 localhost sshd[5463]: Invalid user user1 from \
124.42.8.138

... and so on, or:

Apr 30 17:08:49 localhost sshd[7532]: Invalid user test from \
200.73.5.173
Apr 30 17:08:49 localhost sshd[7532]: reverse mapping checking \
getaddrinfo for host173.200.73.5.static.ifxnw.cl failed\
POSSIBLE BREAK-IN ATTEMPT!

... or:

Apr 30 21:23:14 localhost sshd[8260]: Did not receive \
identification string from 147.46.222.250

... or:

Apr 30 23:53:44 localhost sshd[8591]: User root from 222.35.72.2\
not allowed because none of user's groups are listed in \
AllowGroups


It all seems that the break-in was not successful, but should I do
something? I get a lot of these probes.

And so you will as long as you have port 22 listening. If you only
connect to ssh from work, you can restrict access to ssh to only your
employer's address block. Do also disable remote root logins from ssh;
if you need to use root remotely, log in as a regular user and su to
root or use sudo. Use strong passwords, and keep scanning the logs.


--

John (john@xxxxxxxxxxx)
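A small log scanner along the lines of John's "keep scanning the logs" advice, added here as an example and not something from the original thread. It classifies the four kinds of sshd messages Yvan quoted, tallies them per source address and flags sources that exceed a threshold; the sample log lines, the TEST-NET addresses and the threshold of 3 are constructed for the example.

```python
import re
import sys
from collections import Counter, defaultdict

# Regexes for the sshd messages quoted in the question (OpenSSH auth.log wording).
# The reverse-mapping warning carries no source address in the quoted form, so it
# is classified but not attributed to an IP.
PATTERNS = {
    "invalid_user": re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    "no_ident": re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)"),
    "root_denied": re.compile(r"User root from (?P<ip>[\d.]+) not allowed"),
    "reverse_dns": re.compile(r"reverse mapping checking getaddrinfo for (?P<host>\S+) failed"),
}

# Constructed sample lines modelled on the ones in the question (TEST-NET addresses).
SAMPLE_LOG = [
    "Apr 30 09:09:52 localhost sshd[5400]: Invalid user admin1 from 192.0.2.10",
    "Apr 30 09:10:36 localhost sshd[5422]: Invalid user html from 192.0.2.10",
    "Apr 30 09:11:12 localhost sshd[5443]: Invalid user html from 192.0.2.10",
    "Apr 30 17:08:49 localhost sshd[7532]: Invalid user test from 192.0.2.20",
    "Apr 30 17:08:49 localhost sshd[7532]: reverse mapping checking getaddrinfo for "
    "host.example.invalid failed POSSIBLE BREAK-IN ATTEMPT!",
    "Apr 30 21:23:14 localhost sshd[8260]: Did not receive identification string from 192.0.2.30",
    "Apr 30 23:53:44 localhost sshd[8591]: User root from 192.0.2.40 not allowed because "
    "none of user's groups are listed in AllowGroups",
    "Apr 30 23:54:01 localhost sshd[8600]: Accepted publickey for yvan from 198.51.100.5 port 40122 ssh2",
]


def parse_line(line):
    """Classify one auth.log line; returns (kind, ip) or None for lines we do not track."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return kind, m.groupdict().get("ip")
    return None


def summarize(lines, threshold=3):
    """Count probe events per source IP; return (per_ip counters, IPs at/above threshold)."""
    per_ip = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1]:          # skip untracked lines and events without a source
            kind, ip = parsed
            per_ip[ip][kind] += 1
    flagged = {ip: sum(c.values()) for ip, c in per_ip.items() if sum(c.values()) >= threshold}
    return per_ip, flagged


if __name__ == "__main__":
    # Feed it a real file with: python scan_auth.py < /var/log/auth.log
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    per_ip, flagged = summarize(source)
    for ip, counts in sorted(per_ip.items()):
        print(ip, dict(counts), "<-- flagged" if ip in flagged else "")
```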