Bruteforce (what to do?)

venon (Verified User, joined Jul 16, 2006, 43 messages):
Since Friday I have been getting these emails from the firewall, and all the IPs
are blocked, but I would like to know what else I could do to stop this. Even though this guy will never guess my password, he is making the server go slow from time to time and I need to stop this.
Any suggestion?


Aug 2 02:57:31 devils sshd[24966]: Failed password for invalid user shop from 125.135.199.140 port 47460 ssh2
Aug 2 02:57:33 devils sshd[24969]: User nobody from 125.135.199.140 not allowed because not listed in AllowUsers
Aug 2 02:57:33 devils sshd[24969]: Failed password for invalid user nobody from 125.135.199.140 port 43725 ssh2
Aug 2 02:57:34 devils sshd[24971]: Invalid user http from 125.135.199.140
Aug 1 21:37:44 devils sshd[18654]: Did not receive identification string from 202.107.200.93
Aug 1 21:37:44 devils sshd[18655]: Did not receive identification string from 202.107.200.93
Aug 1 21:37:44 devils sshd[18656]: Did not receive identification string from 202.107.200.93
Aug 1 21:44:04 devils sshd[19541]: Failed password for root from 202.107.200.93 port 44987 ssh2
Aug 1 21:44:06 devils sshd[19550]: Invalid user production from 202.107.200.93
Aug 1 21:44:06 devils sshd[19550]: Failed password for invalid user production from 202.107.200.93 port 45441 ssh2
Aug 1 21:43:49 devils sshd[19484]: reverse mapping checking getaddrinfo for ip-200-13-22-147-mx.marcatel.net.mx failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 1 21:43:52 devils sshd[19490]: reverse mapping checking getaddrinfo for ip-200-13-22-147-mx.marcatel.net.mx failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 1 21:43:52 devils sshd[19491]: reverse mapping checking getaddrinfo for ip-200-13-22-147-mx.marcatel.net.mx failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 1 21:43:56 devils sshd[19497]: reverse mapping checking getaddrinfo for ip-200-13-22-147-mx.marcatel.net.mx failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 1 21:43:59 devils sshd[19496]: reverse mapping checking getaddrinfo for ip-200-13-22-147-mx.marcatel.net.mx failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 1 21:43:59 devils sshd[19501]: reverse mapping checking getaddrinfo for ip-200-13-22-147-mx.marcatel.net.mx failed - POSSIBLE BREAK-IN ATTEMPT!



BTW, thanks. I have been learning a lot of new stuff on this site; you guys rock.

:D
 
Change your SSHD port to a non-default one.
Do so by editing /etc/ssh/sshd_config and changing the Port value to a different one instead of 22.
Preferably one < 1024.
After that, be sure to stay logged into the current session, restart SSHD, open up a new session and see if you're able to log in on the new port.
After that you can safely close the old session.
 
Here is a copy-and-paste walkthrough for installing apf, bfd, and dos deflate.

http://www.evolution-security.com/modules.php?name=News&file=article&sid=167

bfd is what you need to ban brute force attempts.

But changing the port is a must; it will stop the attacks almost completely. Most of the brute force attacks you see are from hacked boxes scanning and trying everything.

Try using bfd on the standard ssh port for a few days; it will ban a lot, lol.
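The ban logic a tool like bfd applies to log lines such as the ones posted above, as an added example that is not part of this post and not bfd's own code: count "Failed password" lines per source address and list the ones over a threshold. The log lines are constructed for this example (the hostname follows the thread's log; the source addresses are RFC 5737 documentation addresses, and "alice" is a hypothetical account).

```shell
#!/bin/sh
# Added example, not code from the thread or from bfd: count sshd password
# failures per source IP from syslog-format lines and pick out the hosts
# that have crossed a ban threshold.  SAMPLE_LOG is constructed for this
# example; the addresses are RFC 5737 documentation addresses.

SAMPLE_LOG='Aug  2 02:57:31 devils sshd[24966]: Failed password for invalid user shop from 192.0.2.10 port 47460 ssh2
Aug  2 02:57:33 devils sshd[24969]: User nobody from 192.0.2.10 not allowed because not listed in AllowUsers
Aug  2 02:57:33 devils sshd[24969]: Failed password for invalid user nobody from 192.0.2.10 port 43725 ssh2
Aug  2 02:57:34 devils sshd[24971]: Failed password for invalid user http from 192.0.2.10 port 43801 ssh2
Aug  1 21:37:44 devils sshd[18654]: Did not receive identification string from 198.51.100.7
Aug  1 21:44:04 devils sshd[19541]: Failed password for root from 198.51.100.7 port 44987 ssh2
Aug  1 21:44:06 devils sshd[19550]: Failed password for invalid user production from 198.51.100.7 port 45441 ssh2
Aug  1 22:10:02 devils sshd[19901]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2'

# Print "count ip" for every source address that produced at least one
# "Failed password" line, highest count first.  Reads log lines on stdin.
# Only password failures are counted: banner scans ("Did not receive
# identification string") and AllowUsers rejections are noise for this
# purpose, and a successful login must never contribute to a ban.
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token that follows "from"
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { count[$(i + 1)]++; break }
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Print only the addresses with at least $1 failures (the ban threshold).
ban_candidates() {
    failed_by_ip | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Turn the candidate list into firewall commands.  They are printed, not
# executed, so the list can be reviewed before it touches the box.
ban_rules() {
    ban_candidates "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demo: with a threshold of 3, only 192.0.2.10 qualifies.
printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

On a real box the input would be `/var/log/secure` or `/var/log/auth.log`; pick the threshold with the time window in mind, since a count over the whole log will eventually catch a legitimate user who mistypes a password a few times.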
 
Before I change the port, one question: I see they are scanning a lot of ports but not port 22. Why is that?




bfd and dos deflate are already installed. TY.
 
I don't have a clue what you mean.
Just change the port and you will see; they will stop almost completely.

I don't see why you would even want to debate it; it's your box, do what you want. If you like having bfd alert you 10 times a day then fine, keep it on the standard port.

Of course you can find it with a port scan, but most of these zombie servers and computers only go for 22.
 
Not trying to debate, I just want to learn from you guys.

I made the change in /etc/ssh/sshd_config to port 1024,
saved and rebooted, and for some reason the only way in is still port 22.
I double-checked
/etc/ssh/sshd_config and it says port 1024.

What am I doing wrong?


Thanks for the help, and sorry for my bad grammar; English is not my main language.
 
venon said:
Not trying to debate, I just want to learn from you guys.

I made the change in /etc/ssh/sshd_config to port 1024,
saved and rebooted, and for some reason the only way in is still port 22.
I double-checked
/etc/ssh/sshd_config and it says port 1024.

What am I doing wrong?


Thanks for the help, and sorry for my bad grammar; English is not my main language.

Did you remove any "#" in front of it?
Otherwise it will just ignore it.

Try lsof -i :22 / lsof -i :1024 to see what's running on those ports.
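The port change described earlier in the thread, and the commented-out "Port" line this reply points at, as an added example that is not part of either post: a small parser that reports which Port directives in an sshd_config are actually in force, run against a constructed copy of the mistaken file and of the fixed one. "alice" is a hypothetical account.

```shell
#!/bin/sh
# Added example, not code from the thread: report the port(s) an
# sshd_config actually puts sshd on.  A line starting with "#" is a comment
# and is ignored by sshd, which is why "#Port 1024" leaves the daemon on
# 22.  Both config fragments are constructed for this example.

# The edit as described in the thread, but with the "#" left in place.
BROKEN_CONF='#Port 22
#Port 1024
Protocol 2
PermitRootLogin no
AllowUsers alice'

# The same file with the directive uncommented.
FIXED_CONF='Port 1024
Protocol 2
PermitRootLogin no
AllowUsers alice'

# Print the port(s) sshd will listen on, one per line, given a config on
# stdin.  Keywords are case-insensitive in sshd_config, "#" starts a
# comment, and sshd falls back to 22 when no Port line survives.  Several
# Port lines are legal and sshd listens on all of them.  This parser does
# not look at "ListenAddress host:port", which can also set a port.
active_ports() {
    awk '
        { sub(/#.*/, "") }                     # drop comments, full-line or trailing
        tolower($1) == "port" && NF >= 2 { print $2; found = 1 }
        END { if (!found) print 22 }           # sshd default
    '
}

# Exit 0 if the config on stdin puts sshd on port $1, else 1.  Usage:
#   printf "%s\n" "$FIXED_CONF" | listens_on 1024 && echo ok
listens_on() {
    active_ports | grep -qx "$1"
}

# Demo: the broken file still yields 22, the fixed one 1024.
printf 'broken: %s\n' "$(printf '%s\n' "$BROKEN_CONF" | active_ports)"
printf 'fixed:  %s\n' "$(printf '%s\n' "$FIXED_CONF" | active_ports)"
```

On the live box, `sshd -t` checks the file for syntax errors before a restart and, on current OpenSSH, `sshd -T | grep '^port '` prints the effective value straight from the daemon; after restarting, `ss -ltn` or the `lsof -i :1024` suggested above confirms the listener from the session you kept open, before that session is closed.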
 
Thank you, that was the problem. Now it is working on the new port.


Thanks again.
 