Brute force attack?

bloodline76 · 18 Jun 2009 at 15:42

Getting a few security errors coming up lately, anyone shed any light onto it?

Failed password for root from (IP) port (port number) ssh2

Googled it and says it could be a brute force attempt?

Advice appreciated

Thanks

tolien · 18 Jun 2009 at 15:46

It's nothing specific to you, just an automated scan that found your IP responding on port 22. How many failed logins are you getting?

Failed logins from:
61.152.201.69: 1 time
72.64.146.20 (static-72-64-146-20.tampfl.fios.verizon.net): 38 times
201.22.98.66 (gtipower.intra.com.br): 38 times
216.146.46.93 (flaviu.ro): 10 times
218.28.20.135 (pc0.zz.ha.cn): 80 times

Illegal users from:
72.64.146.20 (static-72-64-146-20.tampfl.fios.verizon.net): 450 times
201.22.98.66 (gtipower.intra.com.br): 450 times
216.146.46.93 (flaviu.ro): 10 times
218.28.20.135 (pc0.zz.ha.cn): 307 times

sshd:
Authentication Failures:
unknown (gtipower.intra.com.br): 450 Time(s)
unknown (static-72-64-146-20.tampfl.fios.verizon.net): 450 Time(s)
unknown (218.28.20.135): 307 Time(s)
root (218.28.20.135): 38 Time(s)
root (216.146.46.93): 10 Time(s)
unknown (216.146.46.93): 10 Time(s)
clamav (gtipower.intra.com.br): 8 Time(s)
clamav (static-72-64-146-20.tampfl.fios.verizon.net): 8 Time(s)
games (gtipower.intra.com.br): 8 Time(s)
games (static-72-64-146-20.tampfl.fios.verizon.net): 8 Time(s)
gnats (gtipower.intra.com.br): 6 Time(s)
gnats (static-72-64-146-20.tampfl.fios.verizon.net): 6 Time(s)
irc (gtipower.intra.com.br): 5 Time(s)
irc (static-72-64-146-20.tampfl.fios.verizon.net): 5 Time(s)
mysql (gtipower.intra.com.br): 4 Time(s)
mysql (static-72-64-146-20.tampfl.fios.verizon.net): 4 Time(s)
postfix (gtipower.intra.com.br): 4 Time(s)
postfix (static-72-64-146-20.tampfl.fios.verizon.net): 4 Time(s)
mysql (218.28.20.135): 3 Time(s)
postfix (218.28.20.135): 3 Time(s)
backup (218.28.20.135): 2 Time(s)
bin (218.28.20.135): 2 Time(s)
clamav (218.28.20.135): 2 Time(s)
daemon (218.28.20.135): 2 Time(s)
games (218.28.20.135): 2 Time(s)
gnats (218.28.20.135): 2 Time(s)
irc (218.28.20.135): 2 Time(s)
list (218.28.20.135): 2 Time(s)
lp (218.28.20.135): 2 Time(s)
mail (218.28.20.135): 2 Time(s)
news (218.28.20.135): 2 Time(s)
nobody (218.28.20.135): 2 Time(s)
proxy (218.28.20.135): 2 Time(s)
root (gtipower.intra.com.br): 2 Time(s)
root (static-72-64-146-20.tampfl.fios.verizon.net): 2 Time(s)
sshd (218.28.20.135): 2 Time(s)
sync (218.28.20.135): 2 Time(s)
sys (218.28.20.135): 2 Time(s)
uucp (218.28.20.135): 2 Time(s)
www-data (218.28.20.135): 2 Time(s)
root (61.152.201.69): 1 Time(s)
www-data (gtipower.intra.com.br): 1 Time(s)
www-data (static-72-64-146-20.tampfl.fios.verizon.net): 1 Time(s)
Invalid Users:
Unknown Account: 1217 Time(s)

bloodline76 · 18 Jun 2009 at 15:57

tolien said:
It's nothing specific to you, just an automated scan that found your IP responding on port 22. How many failed logins are you getting?

Only had a few over the last few days. Just checking the numbers, but its happened on three different occassions over two days.

How would I get that information?

osc89er · 18 Jun 2009 at 15:59

3 is a little low for a brute force attack...

bloodline76 · 18 Jun 2009 at 16:04

osc89er said:
3 is a little low for a brute force attack...

Yeah but that 3 seperate attempts of multiple failed

tolien · 18 Jun 2009 at 17:01

bloodline76 said:
How would I get that information?

What I pasted is from Logwatch on Linux.

bloodline76 · 18 Jun 2009 at 17:12

tolien said:
What I pasted is from Logwatch on Linux.

Oh im on windows.