*nix worm


superbnerd
9th August 2004, 09:00 PM
I have noticed several attempts to log in to my box via SSH, daily, using the usernames test, guest, and root. Checking Google, there have been dozens of similar reports. They say it is a scanning worm or other malware. Has anyone noticed these attacks in your system logs? Another thing is that it comes from seemingly random IPs, making it hard to just block the attacker. Has anyone found a way to stop them without stopping SSH? Will a simple stealthing of SSH work?

Ned
9th August 2004, 09:17 PM
Rather than trying to specifically block the attacker, approach it from the other direction. Block everyone other than the specific IPs (or ranges) you want to have SSH access. This is very easy to do in iptables, and will effectively stealth your SSH port to any other IP address.

Presumably with a service like SSH there are only a limited number of users/IPs you need to give remote shell access to.

Ned

superbnerd
9th August 2004, 09:51 PM

That's easy to do on a standard Linux box, but how do you do that on a Linksys router, WRT54G, that's forwarding SSH to another box? Its GUI is a bit simple. Perhaps I should experiment with some of those custom distros for it.

kf6kmx
9th August 2004, 09:55 PM
Yep. Been getting that for about a week on one of my internet server boxes. Most have been coming from the same IP in Korea to mine so far.

Been noticing a spike in the attempts to brute force spam in also; been getting about 80 to 100 hits a day for the last few days from one marketing company that appears to be sending emails to my domain on that box and working its way up through user names, trying to hit a combination that doesn't bounce.
The daily logs are showing huge amounts (compared to 'normal') of bounced msgs to the domain. And they aren't 'typical' bounces (misspellings, etc).
I'm gathering a couple of logs together and going to send a complaint to them, and if I don't get a response (don't expect one, really) I'm going to attempt to track who they are getting their ISP through.

ilja
9th August 2004, 10:07 PM
try to play with sshd's config file: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
especially the options
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (hostbased authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. The default is ``no''.
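
The AllowUsers semantics quoted above are easy to get subtly wrong (a USER@HOST pattern refuses the user from every other host; a numeric UID never matches). The following is an added example, not code from the thread or from OpenSSH, that models those rules so you can dry-run a proposed directive against the user/host pairs you care about. The directive, the host names and the address ranges in it are constructed for the illustration. It assumes HOST is whatever sshd would compare against (the client's resolved hostname or its IP address) and does not model the CIDR notation later sshd versions accept.

```python
"""Dry-run an sshd AllowUsers directive against (user, host) pairs.

Added example, not from the thread or from OpenSSH.  Models the man page
text: patterns are USER or USER@HOST, '*' and '?' are wildcards, matching
is case-sensitive, a numeric user ID is never recognised.  HOST is an
assumption: whatever sshd compares against (resolved hostname or IP).
CIDR ranges from newer sshd versions are not modelled.
"""
from fnmatch import fnmatchcase
from typing import List, Tuple


def parse_allow_users(line: str) -> List[Tuple[str, str]]:
    """Split an 'AllowUsers ...' directive into (user_pattern, host_pattern).

    A pattern without '@' applies to every host, so it gets host pattern '*'.
    """
    tokens = line.split()
    if not tokens or tokens[0] != "AllowUsers":
        raise ValueError("expected a line starting with AllowUsers")
    patterns = []
    for tok in tokens[1:]:
        user, _, host = tok.partition("@")
        patterns.append((user, host or "*"))
    return patterns


def login_allowed(patterns: List[Tuple[str, str]], user: str, host: str) -> bool:
    """True if some pattern matches both the user name and the host.

    USER and HOST are checked separately: a user that matches only the name
    part of a USER@HOST pattern is still refused from any other host.
    fnmatchcase also treats '[...]' as a character class, which sshd's own
    matcher does not; avoid brackets in real patterns.
    """
    if user.isdigit():  # numeric UIDs are never matched
        return False
    return any(fnmatchcase(user, up) and fnmatchcase(host, hp) for up, hp in patterns)


# Constructed policy: admin only from the LAN, backup only from one box,
# ops1..ops9 (single-character wildcard) from anywhere.
EXAMPLE_LINE = "AllowUsers admin@192.168.1.* backup@backup-host.example.org ops?"

if __name__ == "__main__":
    pats = parse_allow_users(EXAMPLE_LINE)
    for u, h in [("admin", "192.168.1.7"), ("admin", "216.20.110.141"),
                 ("root", "192.168.1.7"), ("test", "192.168.1.7"),
                 ("ops1", "10.0.0.1"), ("ops12", "10.0.0.1"),
                 ("backup", "192.168.1.7")]:
        print(f"{u}@{h}: {'allowed' if login_allowed(pats, u, h) else 'refused'}")
```

Note that AllowUsers only decides which accounts may attempt authentication; the guest/test/root probes in this thread are refused before a password is even checked, but the attempts still show up in the log.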

Picomp314
9th August 2004, 11:55 PM
kf6kmx: can I have the IP of the attacker???
:D :D :D
time to have some fun

superbnerd
9th August 2004, 11:58 PM
It's not just one, Pico. It is a worm or other malware that has infected multiple computers, because I usually get attacked from several IPs each day.

kf6kmx
12th August 2004, 06:15 AM
The email spammer I keep getting blasted with mail by shows in the logs as:
adafuf@noduescruisers.org
from exodus.contactdesigns.com [64.242.33.55]
And the part in front of the @ (username) rotates through apparently random variations.
In the log for just the 9th there are approximately 80 entries. All are from contactdesigns.com (who is a marketing company..)
And each day there are about another 70-80 log entries all the same, with various user@ portions...
I don't know if it has anything to do with it, but we moved the noduescruisers.org domain from a YahooHosting account to our server here. I'm thinking it's related to the former Yahoo service. None of the other domains on the same server (and same IP address) are being affected.


The relay attempts for the 9th were:
Relaying denied:
From [222.101.168.114] to china9988@21cn.com: 1 Times(s)
From [222.101.168.94] to china9988@21cn.com: 1 Times(s)
From [61.34.177.38] to china9988@21cn.com: 2 Times(s)
From [61.73.87.142] to china9988@21cn.com: 1 Times(s)


Relay attempts for the 10th were:
Relaying denied:
From [211.230.18.46] to china9988@21cn.com: 1 Times(s)
From [222.101.168.114] to china9988@21cn.com: 2 Times(s)
From [222.101.168.32] to china9988@21cn.com: 1 Times(s)
From [222.101.168.94] to china9988@21cn.com: 3 Times(s)


Who the heck is china9988@21cn.com?? Is that a worm originator trying to relay home their spoils.. or just some shmuck that a worm REALLY wants to shut down?


As far as the SSHD attacks, they are logging as:
--------------------- SSHD Begin ------------------------


Failed logins from these:
guest/password from 216.20.110.141: 1 Time(s)
test/password from 216.20.110.141: 1 Time(s)

**Unmatched Entries**
Illegal user test from 216.20.110.141
Illegal user guest from 216.20.110.141

---------------------- SSHD End -------------------------
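
The logwatch summary above is the aggregated view; the raw sshd lines behind it are the "Illegal user X from IP" and "Failed password for ... from IP" messages. As an added example (not code from the thread), the script below parses a handful of constructed syslog lines in that format, counts failures and probed accounts per source, flags sources that either fail repeatedly or try several non-existent accounts, and renders iptables DROP rules for them. The sample lines, the threshold of three failures and the "two non-existent accounts" rule are assumptions for the illustration; later OpenSSH versions log "Invalid user" instead of "Illegal user", and both spellings are handled.

```python
"""Summarise sshd brute-force attempts per source address.

Added example, not from the thread.  Input is constructed syslog text in the
format OpenSSH used at the time ('Illegal user ...', 'Failed password for
illegal user ...'); newer versions say 'Invalid user', accepted as well.
The thresholds are assumptions, not anything the thread recommends.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# 'Illegal'/'Invalid user' lines are logged for accounts that do not exist.
# 'Failed <method> for ...' lines cover both real and non-existent accounts.
_ILLEGAL = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\d+\.\d+\.\d+\.\d+)")
_FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:(?:illegal|invalid) user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample: one scanner probing test/guest/root, one real user's typo.
SAMPLE_LOG = """\
Aug  9 03:12:41 host sshd[4111]: Illegal user test from 216.20.110.141
Aug  9 03:12:43 host sshd[4111]: Failed password for illegal user test from 216.20.110.141 port 42011 ssh2
Aug  9 03:12:47 host sshd[4115]: Illegal user guest from 216.20.110.141
Aug  9 03:12:49 host sshd[4115]: Failed password for illegal user guest from 216.20.110.141 port 42012 ssh2
Aug  9 03:12:55 host sshd[4119]: Failed password for root from 216.20.110.141 port 42013 ssh2
Aug  9 08:40:02 host sshd[5210]: Failed password for ned from 192.168.1.7 port 50122 ssh2
Aug  9 08:40:09 host sshd[5210]: Accepted password for ned from 192.168.1.7 port 50122 ssh2
"""


def parse_sshd_log(text: str) -> Tuple[Counter, Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (failures per IP, accounts tried per IP, non-existent accounts per IP)."""
    failures: Counter = Counter()
    accounts: Dict[str, Set[str]] = defaultdict(set)
    illegal: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = _FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            accounts[ip].add(user)
            continue
        m = _ILLEGAL.search(line)
        if m:
            # Logged before the password attempt: the name itself is the probe.
            user, ip = m.groups()
            accounts[ip].add(user)
            illegal[ip].add(user)
    return failures, accounts, illegal


def suspicious_sources(text: str, min_failures: int = 3, min_illegal: int = 2) -> List[str]:
    """IPs with >= min_failures failures or >= min_illegal distinct non-existent accounts.

    Both thresholds are assumptions; a single mistyped user name by a real
    person should not trip them, a guest/test sweep should.
    """
    failures, accounts, illegal = parse_sshd_log(text)
    flagged = {ip for ip in accounts
               if failures[ip] >= min_failures or len(illegal[ip]) >= min_illegal}
    return sorted(flagged)


def iptables_drop_rules(ips: List[str], port: int = 22) -> List[str]:
    """Render one DROP rule per flagged source.  Per-source blocking is a
    stop-gap against a botnet; the thread's allowlist advice is the robust fix."""
    return [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    fails, tried, bad = parse_sshd_log(SAMPLE_LOG)
    for ip in sorted(tried):
        print(f"{ip}: {fails[ip]} failures, tried {sorted(tried[ip])}, non-existent {sorted(bad[ip])}")
    for rule in iptables_drop_rules(suspicious_sources(SAMPLE_LOG)):
        print(rule)
```

Run against real syslog output the same way (read the file into `text`); the regexes key on the `sshd[pid]:` prefix, so other daemons' lines are ignored.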

crackers
13th August 2004, 03:53 AM
The "211.230.18.46" is from kornet.net and that domain is notorious for attempting to use open mail relays to send spam. So those are attempts to open port 25 and use a mail server.

The SSHD logins are from "Merrimack Education Center" - after doing a quick Google on them, I'm tempted to believe this is one of their students trying to hack into systems. You might want to send them a note about it (bajgot@mec.edu for the Administrative Contact).

dig and whois are good tools to find out what's going on with IP addresses.

Ned
15th August 2004, 05:11 AM
dig and whois are good tools to find out what's going on with IP addresses.

Agreed :)

I regularly send the logs from my router to the relevant ISPs of these idiots. The better ISPs will trace the user and either warn or ban them.

rkelly
19th August 2004, 03:31 PM
Who the heck is china9988@21cn.com?? Is that a worm originator trying to relay home their spoils.. or just some shmuck that a worm REALLY wants to shut down?


That mail address, and some more I'm afraid, are addresses used to detect open mail relays.
If a message makes it to one of those accounts the spammer (?) knows which server he (or she, for that matter) can misuse to relay the **** through.

It has nothing to do with the login attempts via SSH.

jeru
15th September 2004, 11:32 PM
People always try to do stuff like this, it is to be expected.

The SSH thing: I personally only allow a group or a certain set of users to log on via SSH... So any attempts to get in on root/guest/admin/test are irrelevant to me. Even if I had accounts like some of those they wouldn't get to use SSH.


For the email miners.... Well, for people like that... Reporting them isn't going to do you much good. The courts don't seem to care too much about this kind of thing, thus leaving it to vigilante justice if you really want to do something to them. Sometimes you can find their provider's rules and point out to their provider that they are ignoring their TOS agreement and they might shut them down. But usually nobody cares. For me, I just keep a table of rejected IPs that I add their relays to when I see them come up in the logs.

One thing you might want to think about doing with the email miners is turn off the response code for unknown users. That way they don't get anything back about what is actually there and what is not, and sometimes they stop trying to scan you because of it.

imdeemvp
16th September 2004, 02:15 AM
So what is the best way (besides the firewall) of protecting the system? I don't have a server, but I am pretty sure I want to protect my system...

I also know about Firestarter but don't use it at all, just the FC2 firewall...

desipher
16th September 2004, 02:31 AM
I use FreeBSD for my firewall. The firewall commands and config file look a lot like the Cisco PIX firewall. I also use it for VPN as well.

taylor65
16th September 2004, 12:47 PM
I guess linux has arrived - hackers are trying to break into our systems.

Anybody out there that allows root login to their box needs to change that immediately. As for a Linksys router, if it can't do simple IP address filters, replace it with a Cisco or something else that works. There have been many posts and how-tos that explain that all unused services should be shut off, iptables should be turned on, don't let root log in, turn off telnet, smtp, etc. if you're not using it. Looks like everyone needs to pay more attention to this.

crackers
17th September 2004, 04:16 AM
I guess linux has arrived - hackers are trying to break into our systems.
I think that's a bit of a mischaracterization - they're trying to break into any machine. Get a few tens of thousands of "zombies" working for you and you can make some money leasing them to spammers... :mad:

superbnerd
17th September 2004, 04:22 AM
Or you can use them for massive distributed computing like Folding or SETI. There was an article about selling zombies recently on slashdot.org. They also use them to DDoS others, like the whole SCO thing.
Also, using automation to attack *nix is nothing new. That's how they do DDoS attacks. Little Windows machines don't have enough bandwidth, so they go after big *nix servers. Linux hasn't arrived, it's been here for about ten years.

desipher
17th September 2004, 07:44 PM
I guess linux has arrived - hackers are trying to break into our systems.

Anybody out there that allows root login to their box needs to change that immediately. As for a Linksys router, if it can't do simple IP address filters, replace it with a Cisco or something else that works. There have been many posts and how-tos that explain that all unused services should be shut off, iptables should be turned on, don't let root log in, turn off telnet, smtp, etc. if you're not using it. Looks like everyone needs to pay more attention to this.

I suggest if you don't want to spend a lot of money on a Cisco router, check www.freebsd.org. They run a really nice firewall. Plus it's free. :D

CrystalCowboy
17th September 2004, 10:04 PM
Anyone else seeing traffic from 218.148.109.236 = www.nic.or.kr ?

For checking addresses: http://www.samspade.org

crackers
18th September 2004, 04:56 AM
Scads - that's Korea, where there's not only rampant broadband, but rampant pirated copies of Winblows that probably haven't been updated with patches because M$ might catch them... so to speak. Virus, worms, and Windows - oh my!

Thetargos
20th September 2004, 08:55 AM
My solution to minimize these problems is this: I use Firewall Builder (fwbuilder.org) on my router/server to build my server's iptables policies. I have blocked all SSH access to the server from the outside (I have no use for that, actually). Made the server drop pings and traceroutes and changed the reject behaviour to "host unreachable". With these modest measures (besides virtually blocking all access from the outbound interface) I've noticed that more clever attack attempts are easier to spot. The only thing that worries me is that I have yet to set vsftpd to chroot users to their ~/'s and NOT allow navigation of the root of the filesystem. Currently that's the only evident vulnerability I'm aware of on my server (there may be others in software or the kernel's ipfilter that elude me). For my needs these rules work just fine. If I needed SSH access from the outside to the server, I'd probably (as others already said) set only one address or at most a set or group of addresses. Just wanted to add my 2¢