SSH - getting a lot of hacking attempts

Associate | Joined 19 Jun 2003 | Posts 1,680 | Location West Yorks, UK
Hi all,

I have a Ubuntu 6.06LTS Server running sshd. I have "real" users connecting and sending data to me, but I'm finding I am having a lot of break-in attempts too - people putting obvious names like "admin" and "test" and of course "root", and trying to break in.

I have opened port 22 on my firewall and forwarded it to the Linux server. The real users are connecting on port 22 - I've noticed the break-in attempts are on high ports around 3000-4500 or so. Unfortunately, my users don't have static WAN addresses, so I can't restrict access that way. Is there anything else I can do to protect the server and its data from being attacked?

Matt
 
Thanks guys. I'm not sure if I can change the port, as I am using a distribution of RSync for Windows to send the data - I'll have to check that.

I don't understand about the high ports thing either. Port 22 is open on the router, but in auth.log, the failed attempts all try to connect to port 3000-4500 or so. No idea how that works!

What are the default accounts that can be turned off? Root is set so that no remote logins are allowed for starters. Anything else I can disable?

Matt
 
The port numbers are reported in /var/log/auth.log - it tells me when authentication has failed, and what port they were connecting on.

I have installed the "Firestarter" firewall to try and monitor it a bit more, but I can't be bothered staying up until 3am when all these attacks happen ;)

Every real user has a /.ssh/authorized_keys file in their home folder, which was generated at their end with "ssh-keygen -t rsa", with no passphrase, and then rsync'ed onto the server. Am I able, therefore, to do what you are suggesting?
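Since every real user already has an authorized_keys file, the server can refuse passwords altogether and the dictionary scans become harmless. The check below is an added example (Python, not from this thread or any OpenSSH tool) that audits an sshd_config the way sshd itself reads it: the first occurrence of a keyword wins and later duplicates are silently ignored, which is the classic way a "PasswordAuthentication no" appended to the bottom of the file ends up doing nothing. Both config texts are constructed for the example; the AllowUsers names are placeholders.

```python
"""Audit an sshd_config for the settings that defeat password guessing.

sshd applies the FIRST value it meets for each keyword and ignores later
ones, so a hardening line appended below a permissive line has no effect.
effective_settings() mirrors that rule; audit() reports what still differs
from a key-only configuration."""
import re

# Constructed sample: a stock-looking config with a well-meant but
# ineffective hardening line appended at the end.
WEAK_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
# added later: sshd already took the first value above, so this is ignored
PasswordAuthentication no
"""

# The same file as it should read for key-only rsync users
# (AllowUsers names are hypothetical placeholders).
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes
X11Forwarding no
AllowUsers alice bob
"""

# keyword -> value a key-only server should carry
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}
# sshd's own default when the keyword is absent from the file
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_settings(text):
    """Return {keyword: value} as sshd would apply it (first occurrence wins).

    Keywords are case-insensitive, '=' or whitespace separates keyword and
    value, comments and blank lines are skipped. Match blocks are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*(?:=|\s)\s*(.+)$", line)
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings

def audit(text):
    """Return sorted (keyword, effective_value, wanted_value) for each mismatch.

    An absent keyword is judged by sshd's default; PermitRootLogin has no entry
    in DEFAULTS because its default has changed across versions, so an absent
    PermitRootLogin is reported as '(unset)'."""
    settings = effective_settings(text)
    findings = []
    for key, wanted in sorted(WANTED.items()):
        effective = settings.get(key, DEFAULTS.get(key, "(unset)"))
        if effective.lower() != wanted:
            findings.append((key, effective, wanted))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

ChallengeResponseAuthentication matters as much as PasswordAuthentication on a PAM-enabled build: with UsePAM yes and ChallengeResponseAuthentication yes, sshd still offers keyboard-interactive logins that take a password, so both must be set to no. Run `sshd -t` after editing and keep an existing session open until a fresh key login has been confirmed.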
 
Here are some sample lines from my auth.log then:
Code:
Oct  6 02:52:40 localhost sshd[18243]: Failed password for invalid user delta from 202.54.138.5 port 1686 ssh2
Oct  6 02:52:45 localhost sshd[18248]: Failed password for invalid user admin from 202.54.138.5 port 1909 ssh2
Oct  6 02:52:51 localhost sshd[18253]: Failed password for invalid user test from 202.54.138.5 port 2066 ssh2
Oct  6 02:52:57 localhost sshd[18262]: Failed password for invalid user testing from 202.54.138.5 port 2266 ssh2
Oct  6 02:53:02 localhost sshd[18272]: Failed password for invalid user tester from 202.54.138.5 port 2432 ssh2
Oct  6 02:53:07 localhost sshd[18281]: Failed password for invalid user academy from 202.54.138.5 port 2585 ssh2
Oct  6 02:53:12 localhost sshd[18290]: Failed password for invalid user protector from 202.54.138.5 port 2747 ssh2
Oct  6 02:53:16 localhost sshd[18299]: Failed password for daemon from 202.54.138.5 port 2902 ssh2
Oct  6 02:53:21 localhost sshd[18307]: Failed password for invalid user skylyn from 202.54.138.5 port 3046 ssh2
Oct  6 02:53:27 localhost sshd[18316]: Failed password for invalid user guest from 202.54.138.5 port 3207 ssh2
Oct  6 02:53:32 localhost sshd[18326]: Failed password for invalid user webmaster from 202.54.138.5 port 3369 ssh2
Oct  6 02:53:36 localhost sshd[18336]: Failed password for invalid user master from 202.54.138.5 port 3516 ssh2
Oct  6 02:53:41 localhost sshd[18346]: Failed password for invalid user masters from 202.54.138.5 port 3669 ssh2
Oct  6 02:53:46 localhost sshd[18354]: Failed password for mysql from 202.54.138.5 port 3808 ssh2
Oct  6 02:54:00 localhost sshd[18364]: Failed password for invalid user oracle from 202.54.138.5 port 3966 ssh2
Oct  6 03:30:00 localhost sshd[21614]: reverse mapping checking getaddrinfo for host81-130-215-202.in-addr.btopenworld.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct  6 03:41:54 localhost sshd[22588]: reverse mapping checking getaddrinfo for host81-130-215-202.in-addr.btopenworld.com failed - POSSIBLE BREAKIN ATTEMPT!

As you can see, the port numbers are all high up the range.

Matt
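The "port NNNN" in each "Failed password" line is the client's ephemeral source port, not a port on the server: every guess is a fresh TCP connection to port 22, and the number climbs (1686, 1909, 2066 ... 3966) because the scanner's kernel hands out the next free port each time. The script below is an added example (Python, not from the thread and not fail2ban or any other real tool) that turns lines like the ones posted into per-address counts, the same logic a log-watching blocker applies before adding a firewall rule. The sample log is constructed: the first lines copy those posted above, and 192.0.2.44 (a documentation address) stands in for a legitimate rsync user.

```python
"""Aggregate failed sshd logins per source address from auth.log text.

Only 'Failed password' lines are counted; 'Accepted' lines and the
'reverse mapping' warnings are passed over. The port captured from each
line is the remote host's source port."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's auth.log excerpt.
SAMPLE_LOG = """\
Oct  6 02:52:40 localhost sshd[18243]: Failed password for invalid user delta from 202.54.138.5 port 1686 ssh2
Oct  6 02:52:45 localhost sshd[18248]: Failed password for invalid user admin from 202.54.138.5 port 1909 ssh2
Oct  6 02:52:51 localhost sshd[18253]: Failed password for invalid user test from 202.54.138.5 port 2066 ssh2
Oct  6 02:53:16 localhost sshd[18299]: Failed password for daemon from 202.54.138.5 port 2902 ssh2
Oct  6 02:53:46 localhost sshd[18354]: Failed password for mysql from 202.54.138.5 port 3808 ssh2
Oct  6 03:10:02 localhost sshd[19001]: Failed password for matt from 192.0.2.44 port 52110 ssh2
Oct  6 03:10:09 localhost sshd[19003]: Accepted publickey for matt from 192.0.2.44 port 52112 ssh2
Oct  6 03:30:00 localhost sshd[21614]: reverse mapping checking getaddrinfo for host81-130-215-202.in-addr.btopenworld.com failed - POSSIBLE BREAKIN ATTEMPT!
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

def parse_failures(text):
    """Yield one dict per 'Failed password' line; every other line is ignored."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield {
                "user": m.group("user"),
                "ip": m.group("ip"),
                "port": int(m.group("port")),
                # 'invalid user' means the account does not exist at all
                "invalid_user": m.group("invalid") is not None,
            }

def summarize(text):
    """Return {ip: {"failures", "invalid_users", "users", "ports"}}."""
    stats = defaultdict(lambda: {"failures": 0, "invalid_users": 0,
                                 "users": [], "ports": []})
    for rec in parse_failures(text):
        s = stats[rec["ip"]]
        s["failures"] += 1
        s["invalid_users"] += int(rec["invalid_user"])
        if rec["user"] not in s["users"]:
            s["users"].append(rec["user"])
        s["ports"].append(rec["port"])
    return dict(stats)

def offenders(text, threshold=3):
    """Addresses with at least `threshold` failures, worst first.

    A real user mistyping once stays under the line; a dictionary scan that
    walks admin/test/guest/... crosses it within seconds."""
    stats = summarize(text)
    hits = [ip for ip, s in stats.items() if s["failures"] >= threshold]
    return sorted(hits, key=lambda ip: -stats[ip]["failures"])

def is_client_port_walk(ports):
    """True when successive source ports only ever increase: one remote host
    opening connection after connection, which is what the 'high ports' in
    the log record."""
    return len(ports) > 1 and all(a < b for a, b in zip(ports, ports[1:]))

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['failures']} failures, {s['invalid_users']} for "
              f"non-existent users, source ports {s['ports']} "
              f"ascending={is_client_port_walk(s['ports'])}")
    print("block candidates:", offenders(SAMPLE_LOG))
```

The threshold and the decision to key on the address are the two knobs a blocker exposes; the count of "invalid user" hits is a useful second signal, since a legitimate user never tries an account that does not exist.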
 
Here's the output:
Code:
netstat -l | grep ssh

tcp6       0      0 *:ssh                   *:*                     LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     13078    /tmp/ssh-JsBqYL5726/agent.5726

Does that provide any clues? I'm a bit of a Newbie to all this ;)

Matt
 
Result of netstat -l. Seems to be a lot of ports open?:
Code:
:~$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 localhost:submission    *:*                     LISTEN
tcp        0      0 *:5900                  *:*                     LISTEN
tcp        0      0 localhost:60335         *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 localhost:43737         *:*                     LISTEN
tcp6       0      0 *:www                   *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
udp        0      0 *:xdmcp                 *:*
udp        0      0 192.168.8.6:ntp         *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*
udp6       0      0 *:ntp                   *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     669443   /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     11141    /tmp/.gdm_socket
unix  2      [ ACC ]     STREAM     LISTENING     11187    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     12556    /var/run/sendmail/mta/smcontrol
unix  2      [ ACC ]     STREAM     LISTENING     13078    /tmp/ssh-JsBqYL5726/agent.5726
unix  2      [ ACC ]     STREAM     LISTENING     13102    /tmp/orbit-administrator/linc-168f-0-79c398cb729d0
unix  2      [ ACC ]     STREAM     LISTENING     13112    /tmp/orbit-administrator/linc-165e-0-97c11b18580c
unix  2      [ ACC ]     STREAM     LISTENING     13248    /tmp/.ICE-unix/5726
unix  2      [ ACC ]     STREAM     LISTENING     13257    /tmp/keyring-wvgLv2/socket
unix  2      [ ACC ]     STREAM     LISTENING     13269    /tmp/orbit-administrator/linc-1694-0-7ab299b892d35
unix  2      [ ACC ]     STREAM     LISTENING     13293    /tmp/orbit-administrator/linc-1696-0-299946a2e4541
unix  2      [ ACC ]     STREAM     LISTENING     13301    /tmp/.esd-1000/socket
unix  2      [ ACC ]     STREAM     LISTENING     13329    /tmp/orbit-administrator/linc-169d-0-43920cf28254c
unix  2      [ ACC ]     STREAM     LISTENING     13384    /tmp/orbit-administrator/linc-16a0-0-58108cb1bd899
unix  2      [ ACC ]     STREAM     LISTENING     13413    /tmp/orbit-administrator/linc-16a7-0-73c5cd747e460
unix  2      [ ACC ]     STREAM     LISTENING     13435    /tmp/orbit-administrator/linc-16ab-0-73c5cd74a83a9
unix  2      [ ACC ]     STREAM     LISTENING     13463    /tmp/orbit-administrator/linc-16a9-0-66eba9bc889b
unix  2      [ ACC ]     STREAM     LISTENING     13497    /tmp/orbit-administrator/linc-16b2-0-66eba9bc533c6
unix  2      [ ACC ]     STREAM     LISTENING     13520    /tmp/orbit-administrator/linc-16bb-0-74ff9523770fb
unix  2      [ ACC ]     STREAM     LISTENING     13549    /tmp/orbit-administrator/linc-16b4-0-66eba9bc8f8c2
unix  2      [ ACC ]     STREAM     LISTENING     13575    /tmp/orbit-administrator/linc-16b7-0-66eba9bcbf7fd
unix  2      [ ACC ]     STREAM     LISTENING     13604    /tmp/orbit-administrator/linc-16c7-0-14bed6423d0f2
unix  2      [ ACC ]     STREAM     LISTENING     13651    /tmp/mapping-administrator
unix  2      [ ACC ]     STREAM     LISTENING     13675    /tmp/orbit-administrator/linc-16d4-0-28702d117d0bc
unix  2      [ ACC ]     STREAM     LISTENING     13709    /tmp/orbit-administrator/linc-16df-0-49865172866b1
unix  2      [ ACC ]     STREAM     LISTENING     535945   /tmp/orbit-administrator/linc-5ac1-0-531952d392348
unix  2      [ ACC ]     STREAM     LISTENING     17918    /tmp/orbit-administrator/linc-879-0-65084d8d998a8
unix  2      [ ACC ]     STREAM     LISTENING     17956    /tmp/orbit-administrator/linc-87d-0-25785a3762eec
unix  2      [ ACC ]     STREAM     LISTENING     18011    /tmp/orbit-administrator/linc-887-0-439944c22f9f4
unix  2      [ ACC ]     STREAM     LISTENING     18063    /tmp/orbit-root/linc-88c-0-2da618e07fbae
unix  2      [ ACC ]     STREAM     LISTENING     18070    /tmp/orbit-root/linc-888-0-ca575e28222a
unix  2      [ ACC ]     STREAM     LISTENING     18092    /tmp/.esd-0/socket
unix  2      [ ACC ]     STREAM     LISTENING     11396    @/tmp/hald-local/dbus-Ucvpayl5wU
unix  2      [ ACC ]     STREAM     LISTENING     20035    /tmp/orbit-administrator/linc-f03-0-1f113e16ecf63
unix  2      [ ACC ]     STREAM     LISTENING     20067    /tmp/orbit-administrator/linc-f06-0-4ddddf4b41b4f
unix  2      [ ACC ]     STREAM     LISTENING     20108    /tmp/orbit-administrator/linc-f0a-0-7309d16378d92
unix  2      [ ACC ]     STREAM     LISTENING     11373    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     13083    @/tmp/dbus-ZoyHwRCksy
unix  2      [ ACC ]     STREAM     LISTENING     12668    /var/run/sdp
unix  2      [ ACC ]     STREAM     LISTENING     1203595  /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     17292    /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     11397    @/tmp/hald-runner/dbus-2fdQHjiBZC

Matt
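Most of that list is harmless: the UNIX domain sockets are reachable only from the machine itself, and anything bound to localhost cannot be connected to from the network. What matters is the handful of TCP/UDP sockets bound to "*", which answer on every interface and are exposed the moment a router forwards the port (here: 5900/VNC, ftp, www, ssh, xdmcp and ntp). The script below is an added example (Python, not from the thread) that reads netstat -l output and sorts listeners into local-only, one-interface and all-interfaces; its sample input copies the network-socket lines posted above. One caveat it cannot see: on Linux a tcp6 socket bound to "*" normally accepts IPv4 connections as well, so the absence of a plain "tcp *:ssh" line does not mean port 22 is IPv6-only.

```python
"""Triage 'netstat -l' output: which listeners can other hosts reach?

A socket bound to localhost is reachable only from this machine; one bound
to '*' (0.0.0.0 or ::) answers on every interface."""

# Constructed sample copying the Internet-socket section of the netstat -l
# output posted in the thread; UNIX domain sockets are local by definition
# and are left out.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 localhost:submission    *:*                     LISTEN
tcp        0      0 *:5900                  *:*                     LISTEN
tcp        0      0 localhost:60335         *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 localhost:43737         *:*                     LISTEN
tcp6       0      0 *:www                   *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
udp        0      0 *:xdmcp                 *:*
udp        0      0 192.168.8.6:ntp         *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*
udp6       0      0 *:ntp                   *:*
"""

# how netstat prints a loopback or a wildcard bind, with and without -n
LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}
WILDCARD = {"*", "0.0.0.0", "::"}

def parse_listeners(text):
    """Return [(proto, host, service)] for every tcp/udp line; the header,
    UNIX sockets and anything else are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue
        # rsplit keeps IPv6 addresses such as ::1 intact
        host, service = parts[3].rsplit(":", 1)
        out.append((parts[0], host, service))
    return out

def classify(host):
    """Where the socket is reachable from, judged by its bind address."""
    if host in LOOPBACK:
        return "local-only"
    if host in WILDCARD:
        return "all-interfaces"
    return "one-interface"

def exposed(text):
    """Sorted (proto, service) pairs bound to every interface: the services
    a port-forward or a LAN neighbour can actually reach."""
    return sorted({(proto, svc) for proto, host, svc in parse_listeners(text)
                   if classify(host) == "all-interfaces"})

if __name__ == "__main__":
    for proto, host, svc in parse_listeners(SAMPLE_NETSTAT):
        print(f"{proto:5} {svc:12} {classify(host)}")
    print("reachable from other hosts:", exposed(SAMPLE_NETSTAT))
```

Run it on `netstat -ln` (numeric) as well as the resolved form, since a service name only tells you what /etc/services says about the port, not which daemon owns it; `netstat -lnp` as root adds the process. Anything in the all-interfaces list that the server does not need to offer to other machines (VNC on 5900 and ftp are the usual suspects) is better stopped or bound to localhost than merely left un-forwarded.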
 