Attempting breach?

[corbywan]

I checked my secure.log and say several lines like this.

Dec 8 22:01:40 exchangechurch sshd[20829]: Invalid user director from 201.217.215.66
Dec 8 22:01:40 exchangechurch sshd[20833]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 8 22:01:40 exchangechurch sshd[20829]: error: PAM: authentication error for illegal user director from 201-217-215-66-host.ifx.net.co via 10.0.1.2
Dec 8 22:01:40 exchangechurch sshd[20829]: Failed keyboard-interactive/pam for invalid user director from 201.217.215.66 port 41439 ssh2

Is this someone trying to hack into my server?

 

[Alrescha]

Is this someone trying to hack into my server?

If you are connected to the Internet, you can be assured that someone, either intentionally or accidentally, is always trying to log into your server.

A.

 

[corbywan]

I knew that, I just want to be able to identify it better.

 

[shadyMedia]

I Have been getting allot of this right not to combat it I have just disabled SSH
Were running a New Mac Mini Server we noticed that pretty much right at 11:30 pm EST The CPU load will jump to sometimes %40 once we disable SSH connections everything calms back down

Were looking into steps on how to block it and how to make sure everything is working ok

Ether Apple's Software Firewall or a 3rd party Firewall

What are you guys thinks?

 

[shadyMedia]

Just a taste of mine




Dec 9 11:37:43 server sshd[55810]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:37:43 server sshd[55806]: error: PAM: authentication error for illegal user ftpuser from 58.247.222.163 via 10.0.1.2
Dec 9 11:37:43 server sshd[55806]: Failed keyboard-interactive/pam for invalid user ftpuser from 58.247.222.163 port 55947 ssh2
Dec 9 11:40:41 server sshd[55871]: Invalid user ftpuser from 135.196.243.201
Dec 9 11:40:41 server sshd[55875]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:40:41 server sshd[55871]: error: PAM: authentication error for illegal user ftpuser from 135.196.243.201 via 10.0.1.2
Dec 9 11:40:41 server sshd[55871]: Failed keyboard-interactive/pam for invalid user ftpuser from 135.196.243.201 port 51986 ssh2
Dec 9 11:43:36 server sshd[55922]: Invalid user gabi from 201.217.215.66
Dec 9 11:43:36 server sshd[55926]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:43:36 server sshd[55922]: error: PAM: authentication error for illegal user gabi from 201-217-215-66-host.ifx.net.co via 10.0.1.2
Dec 9 11:43:36 server sshd[55922]: Failed keyboard-interactive/pam for invalid user gabi from 201.217.215.66 port 46040 ssh2
Dec 9 11:46:55 server sshd[55982]: Invalid user gabi from 190.136.177.61
Dec 9 11:46:55 server sshd[55996]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:46:56 server sshd[55982]: error: PAM: authentication error for illegal user gabi from host61.190-136-177.telecom.net.ar via 10.0.1.2
Dec 9 11:46:56 server sshd[55982]: Failed keyboard-interactive/pam for invalid user gabi from 190.136.177.61 port 3525 ssh2
Dec 9 11:49:32 server sshd[56041]: reverse mapping checking getaddrinfo for 65-114-92-158.ussonet.net [65.114.92.158] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 9 11:49:32 server sshd[56041]: Invalid user gabo from 65.114.92.158
Dec 9 11:49:32 server sshd[56045]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:49:32 server sshd[56041]: error: PAM: authentication error for illegal user gabo from 65.114.92.158 via 10.0.1.2
Dec 9 11:49:32 server sshd[56041]: Failed keyboard-interactive/pam for invalid user gabo from 65.114.92.158 port 21662 ssh2
Dec 9 11:55:30 server sshd[56183]: reverse mapping checking getaddrinfo for bt-212-231.bta.net.cn [202.106.212.231] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 9 11:55:30 server sshd[56183]: Invalid user gabriela from 202.106.212.231
Dec 9 11:58:30 server sshd[56238]: Invalid user gabriele from 211.115.234.143
Dec 9 11:58:30 server sshd[56242]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:58:30 server sshd[56238]: error: PAM: authentication error for illegal user gabriele from 211.115.234.143 via 10.0.1.2
Dec 9 11:58:30 server sshd[56238]: Failed keyboard-interactive/pam for invalid user gabriele from 211.115.234.143 port 41563 ssh2
Dec 9 12:01:29 server sshd[56333]: Invalid user gaby from 194.78.48.108
Dec 9 12:01:29 server sshd[56337]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 12:01:30 server sshd[56333]: error: PAM: authentication error for illegal user gaby from 108.48-78-194.adsl-static.isp.belgacom.be via 10.0.1.2
Dec 9 12:01:30 server sshd[56333]: Failed keyboard-interactive/pam for invalid user gaby from 194.78.48.108 port 30490 ssh2

 

[nullx86]

looks like both OP and above post have the same IP... if your really paranoid, do an IP trace on it

 

[AdamR01]

http://www.sshguard.net/

I've only ever used it with OpenBSD, but it says it works with OS X. Works great.

 

[OMGWTFBBQ]

http://www.sshguard.net/

I've only ever used it with OpenBSD, but it says it works with OS X. Works great.

Thanks for the link, I'm going to give this a shot.

 

[TXbug]

There is a way around this without disabling SSH. On your router, port forward from an oddball port number, not already assigned. Make up a number. Then have the router forward it to port 22 on the IP of your server/computer. You may have to disable port 22 on the router.

Then you ssh using -p oddball port number

It works every time. These guys are trying to do a brute force breakin using ssh on port 22. This change will stop that dead.

 

[timd.mackey]

Help getting sshguard to work on Mac

Could anyone here run through how they got sshguard set up on their machines? I'm running Snow Leopard, and I got sshguard installed using macports, but I'm not sure how to get it set up properly. How do I turn it on?

 

[Eric-PTEK]

Doesn't the server have a lock out policy?

We did a test on our web servers at the data center(Win2K8R2) without a lockout policy we had over 14,000 attempts to break in within 4 days without a lock out policy.

Put the lock out policy and now they can only do 60 attempts a day, if they happen to figure out the admin name.

 

[Les Kern]

Is this someone trying to hack into my server?

ssxt.mlp/k0900-0

 

[OMGWTFBBQ]

Could anyone here run through how they got sshguard set up on their machines? I'm running Snow Leopard, and I got sshguard installed using macports, but I'm not sure how to get it set up properly. How do I turn it on?

Were you ever able to figure this out? If so, can you give me detailed instructions of installing it? I've done it the macports way, but I want the version from the website. The macports version is called sshguard-ipfw...

Thanks

 

[micm]

Were you ever able to figure this out? If so, can you give me detailed instructions of installing it? I've done it the macports way, but I want the version from the website. The macports version is called sshguard-ipfw...

The MacPorts version is called sshguard-ipfw because it is sshguard, compiled with the "ipfw" backend (which is the firewall OS X offers). So technically it is sshguard as from the website, just a bit outdated -- the maintainer is probably waiting for 1.5 to be released after the paranoid-long release candidate line

So if you install from the MacPorts, you should get a message printed after installing, going:

###########################################################
# A startup item has been generated that will aid in
# starting sshguard-ipfw with launchd. It is disabled
# by default. Execute the following command to start it,
# and to cause it to launch at startup:
#
# sudo port load sshguard-ipfw
###########################################################

just run that command and then "ps" will show you sshguard running on the system.

The MacPort is well done and convenient because it installs the OS X startupitem for you. However, there are many changes in sshguard since version 1.4. You can still compile and install a newer version yourself; then it's easy to run it e.g. with the log sucker.

 

[mrubioroy]

The MacPort is well done and convenient because it installs the OS X startupitem for you. However, there are many changes in sshguard since version 1.4. You can still compile and install a newer version yourself; then it's easy to run it e.g. with the log sucker.

Hi micm,
I've compiled the 1.5rc4 sources without problems, but when it comes to create the launchd plist file I'm not managing to get it work. Could you paste the MacPort plist file or the sshguard-ipfw script? Where should I put the plist file on? I've been trying in /Library/LaunchAgents but when I launchctl load it I don't see it with "ps".

Thanks!

Miguel

 

[robvas]

There are many things you can do to enhance SSH security.

Disable password logins. You will have to store the key on the computer you wish to access your server from remotely.

Disallow root users! Also, you can only allow certain users SSH access.

Limit login attempts to 1

Force SSH protocol version 2

The sshd_config file has a bunch of options you can set.

 

[mlts22]

There are many things you can do to enhance SSH security.

Disable password logins. You will have to store the key on the computer you wish to access your server from remotely.

Disallow root users! Also, you can only allow certain users SSH access.

Limit login attempts to 1

Force SSH protocol version 2

The sshd_config file has a bunch of options you can set.

Here is what I do to lock down ssh:

1: Consider having a hardened host just for ssh-ing, or require a VPN connection.

2: Oddball ports are OK, but any blackhat worth their salt will find them.

3: If you can, disable password and interactive authentication, and use RSA keys. This blocks out password brute forcing. Another item to consider is using one time passwords or SecurID cards.

4: If you know the range of IPs that people use for sshing in, limit the access to that. I use this in combination with a VPN service like strongvpn.com so no matter where I am, my IP range will be known to the server.

5: As stated above, sshguard is an immense help. You want to keep a lid on attempts.

6: This goes without saying. Disallow access to root. This way, an attacker has to compromise a user account, then find a priv escalation, rather than just be handed the keys to the city.

7: Have a strong hardware router/VPN/firewall. At the minimum an AEBU or a unified security gateway like http://tinyurl.com/2bmr6vn, or one of its bigger brothers. If the blackhats cannot reach the machine, they can't compromise it.

8: Keep good backups. If your server gets compromised, you will have to reinstall completely, so it can't hurt to keep good backups of everything. Ideally, a completely locked down backup server that is a separate machine would be the best, so a blackhat that compromises the server won't be able to mess with the already stored backups.