SSH failed login attempts

lodp

Hi everyone,

I've been experiencing failed login attempts over SSH for a long time. Massive amounts of these in my /var/log/secure (which, btw, should be accessible from DA, shouldn't it?):

Dec 3 21:56:53 host sshd[20136]: input_userauth_request: invalid user sydney
Dec 3 16:56:55 host sshd[20134]: Failed password for invalid user sydney from ::ffff:65.254.49.98 port 32989 ssh2
Dec 3 21:56:55 host sshd[20136]: Failed password for invalid user sydney from ::ffff:65.254.49.98 port 32989 ssh2
Dec 3 21:56:55 host sshd[20136]: Received disconnect from ::ffff:65.254.49.98: 11: Bye Bye

Dec 3 22:14:11 host sshd[31901]: input_userauth_request: invalid user colin
Dec 3 22:14:13 host sshd[31901]: Failed password for invalid user colin from ::ffff:65.254.49.98 port 56097 ssh2
Dec 3 17:14:13 host sshd[31899]: Failed password for invalid user colin from ::ffff:65.254.49.98 port 56097 ssh2
Dec 3 22:14:13 host sshd[31901]: Received disconnect from ::ffff:65.254.49.98: 11: Bye Bye

It seems to be trying common first names, but also standard logins (root, apache, ftp...). The IP switches after a couple of hundred attempts.

Now I decided to harden the server a bit by changing sshd_config. I switched to RSA key authentication-only, and disallowed root login. I limited ssh access to one user only (which I gave sudo permission), by specifying AllowUser: User in sshd_config.

Would you suggest anything else on top of that, or am I on the safe side here? I found this incredibly complex script that blocks IPs for a couple of minutes after a custom number of failed login attempts: http://blinkeye.ch/mediawiki/index.php/SSH_Blocking

but it seemed like a pain to set up for the beginner. Are there any easy alternatives?
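As an added example (not code from the thread or from the linked script), here is the core of what such a blocking script has to do: parse the "Failed password" lines in the format shown above, tally failures per source IP, and flag the IPs that reach a threshold. The sample log lines are constructed in that format and the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Matches the sshd "Failed password" lines shown in the post. The
# IPv4-mapped "::ffff:" prefix is optional so plain IPv4 logs parse too,
# and "invalid user " is optional so failures for real accounts (root) count.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[\d.]+) port \d+"
)

# Constructed sample lines in the same layout as the /var/log/secure excerpt.
SAMPLE_LOG = """\
Dec 3 21:56:55 host sshd[20136]: Failed password for invalid user sydney from ::ffff:65.254.49.98 port 32989 ssh2
Dec 3 21:56:55 host sshd[20136]: Received disconnect from ::ffff:65.254.49.98: 11: Bye Bye
Dec 3 22:14:13 host sshd[31901]: Failed password for invalid user colin from ::ffff:65.254.49.98 port 56097 ssh2
Dec 3 22:20:01 host sshd[31950]: Failed password for root from ::ffff:65.254.49.98 port 56120 ssh2
Dec 5 08:05:09 host sshd[30156]: Failed password for invalid user guadalupe from ::ffff:67.202.23.150 port 49061 ssh2
Dec 5 08:06:00 host sshd[30170]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""


def count_failures(log_text):
    """Return {ip: {"attempts": n, "users": set_of_usernames}} for failed password lines."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not failures
        entry = stats[m.group("ip")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    return dict(stats)


def offenders(log_text, threshold=3):
    """IPs whose failed attempts reach the threshold, most active first."""
    stats = count_failures(log_text)
    return sorted((ip for ip, s in stats.items() if s["attempts"] >= threshold),
                  key=lambda ip: -stats[ip]["attempts"])


if __name__ == "__main__":
    for ip, s in count_failures(SAMPLE_LOG).items():
        print(f"{ip}: {s['attempts']} failures, users tried: {sorted(s['users'])}")
    print("over threshold:", offenders(SAMPLE_LOG))
```

Run it against a real /var/log/secure by reading the file into `count_failures`; the per-IP user set shows the "common first names" pattern described above at a glance.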
 
I used to get these all the time on another server that I had. When I built my new DA server, I decided to change the port that SSH listens on and I haven't had any of these since. Just make sure that if you change the port that you change any firewall rules that you might have setup.
 
I think I'm going to change the SSH port, and see whether there's any more attacks (which would mean that there's really somebody after me, not just picking some server randomly). I'm going to look into denyhosts in that case, thanks for pointing that out.

Since I changed the authentication to RSA-key-only, it seems the /var/log/secure entries for attacks haven't really changed:

Dec 5 03:05:09 host sshd[30155]: Invalid user guadalupe from ::ffff:67.202.23.150
Dec 5 08:05:09 host sshd[30156]: input_userauth_request: invalid user guadalupe
Dec 5 08:05:09 host sshd[30156]: Failed password for invalid user guadalupe from ::ffff:67.202.23.150 port 49061 ssh2
Dec 5 08:05:09 host sshd[30156]: Received disconnect from ::ffff:67.202.23.150: 11: Bye Bye

It still says "Failed Password" -- but shouldn't the system reject password-based authentication attempts altogether, instead of checking whether user/pass combinations are valid? or is it just the wording of the log entries that's misleading?

EDIT: I tried changing my SSH port to a different value (52200) in sshd_config, and reloaded sshd.
netstat -nlt says it's listening on that port now, but I can't get a connection, it just times out:

ssh <user>@<ip> -p 52200
ssh: connect to host <ip> port 52200: Connection timed out

telnet to that port doesn't work either. I suspected it might be my local firewall, but switching it off didn't change anything. Where do I go with this?
 
I don't know if this will help or not, but we use a port <= 1024.

Jeff
 
If you have root access to the box, then login as the root user and type:

Code:
passwd username

Replace username with the name of the user you wish to change the password for.
 
I lost my root password

but my admin account is working fine in panel and SSH
 
The only way to change the root password is to have local access to the server.

Then you can boot your server in "single user mode" (how you do that differs depending on whether you use LILO or GRUB on Linux, or if you use FreeBSD).

For instructions either use google or documentation from your OS provider.

Jeff
 