# [SSH] Multiple connections (no brute force)

## Bio

My server is regularly the target of connection attempts, SSH brute force in particular, but I had never seen anything like the logs below. I'm not quite sure what to make of it: that many connection attempts, from different hosts, in only 3 hours. I don't host any sensitive services or data, so I'm a bit surprised.

What do you think? Should I be worried?

```
May  6 23:37:38 localhost sshd[7862]: refused connect from ::ffff:200.241.233.130 (::ffff:200.241.233.130)

May  6 23:44:16 localhost sshd[7894]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: 85-92-131-183.twiki.magsoft.nl != 85-92-131-181.magsoft.nl

May  6 23:44:16 localhost sshd[7894]: refused connect from user@::ffff:85.92.131.183 (::ffff:85.92.131.183)

May  6 23:46:21 localhost sshd[7901]: refused connect from LSt-Amand-152-33-4-70.w82-127.abo.wanadoo.fr (::ffff:82.127.35.70)

May  6 23:48:55 localhost sshd[7910]: refused connect from mutlb164055.smarttadsl.com (::ffff:69.67.164.55)

May  6 23:51:40 localhost sshd[7931]: refused connect from 28-248-114-200.fibertel.com.ar (::ffff:200.114.248.28)

May  6 23:53:22 localhost sshd[7937]: refused connect from ns01.zerojoy.net (::ffff:66.76.241.57)

May  6 23:56:06 localhost sshd[7946]: refused connect from iw4.internetdsl.tpnet.pl (::ffff:80.53.126.4)

May  6 23:57:54 localhost sshd[7953]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: ftp.marpress.com.br != webmail.marpress.com.br

May  6 23:57:55 localhost sshd[7953]: refused connect from ::ffff:201.28.216.115 (::ffff:201.28.216.115)

May  7 00:02:26 localhost sshd[7981]: refused connect from simon@211-22-140-146.HINET-IP.hinet.net (::ffff:211.22.140.146)

May  7 00:05:01 localhost sshd[7989]: refused connect from 62.43.205.67.static.user.ono.com (::ffff:62.43.205.67)

May  7 00:06:54 localhost sshd[7998]: refused connect from p12028-ipbffx02marunouchi.tokyo.ocn.ne.jp (::ffff:222.147.75.28)

May  7 00:09:30 localhost sshd[8007]: refused connect from eli18.internetdsl.tpnet.pl (::ffff:83.15.142.18)

May  7 00:12:01 localhost sshd[8027]: refused connect from ::ffff:85.232.25.213 (::ffff:85.232.25.213)

May  7 00:13:59 localhost sshd[8034]: refused connect from foyer18rt.net1.nerim.net (::ffff:213.41.153.174)

May  7 00:16:43 localhost sshd[8043]: refused connect from mail.moldes.com.pe (::ffff:200.62.177.91)

May  7 00:18:27 localhost sshd[8049]: refused connect from LSt-Amand-152-33-4-70.w82-127.abo.wanadoo.fr (::ffff:82.127.35.70)

May  7 00:22:53 localhost sshd[8076]: refused connect from mail.atlas.com.tw (::ffff:61.63.6.144)

May  7 00:25:18 localhost sshd[8084]: refused connect from mail.inveda.net (::ffff:81.169.156.95)

May  7 00:25:30 localhost sshd[8085]: refused connect from 80.179.15.227.static.012.net.il (::ffff:80.179.15.227)

May  7 00:26:59 localhost sshd[8090]: refused connect from 80.179.15.227.static.012.net.il (::ffff:80.179.15.227)

May  7 00:28:04 localhost sshd[8094]: error: PAM: Authentication failure for illegal user root from adsl-66-159-198-155.dslextreme.com

May  7 00:28:04 localhost sshd[8094]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 50746 ssh2

May  7 00:30:02 localhost sshd[8104]: refused connect from mailtest@i195160.ppp.asahi-net.or.jp (::ffff:61.125.195.160)

May  7 00:32:26 localhost sshd[8124]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(net-178-212-58-207.in-addr.arpa, AF_INET) failed

May  7 00:32:26 localhost sshd[8124]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)

May  7 00:34:20 localhost sshd[8130]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(69-64-65-35.dedicated.abac.net, AF_INET) failed

May  7 00:34:21 localhost sshd[8130]: refused connect from ::ffff:69.64.65.35 (::ffff:69.64.65.35)

May  7 00:36:49 localhost sshd[8139]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: ns2.glai.de != piripiri051.webperoni.de

May  7 00:36:49 localhost sshd[8139]: refused connect from ::ffff:80.190.233.22 (::ffff:80.190.233.22)

May  7 00:38:54 localhost sshd[8146]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(customer123-181-213.iplannetworks.net, AF_INET) failed

May  7 00:38:55 localhost sshd[8146]: refused connect from ::ffff:200.123.181.213 (::ffff:200.123.181.213)

May  7 00:41:33 localhost sshd[8166]: refused connect from static-dsl-102.213-160-166.telecom.sk (::ffff:213.160.166.102)

May  7 00:43:30 localhost sshd[8173]: refused connect from static-dsl-102.213-160-166.telecom.sk (::ffff:213.160.166.102)

May  7 00:45:54 localhost sshd[8182]: refused connect from eli18.internetdsl.tpnet.pl (::ffff:83.15.142.18)

May  7 00:48:37 localhost sshd[8191]: refused connect from foyer18rt.net1.nerim.net (::ffff:213.41.153.174)

May  7 00:50:27 localhost sshd[8209]: refused connect from 195.47.114.129.adsl.nextra.cz (::ffff:195.47.114.129)

May  7 00:52:58 localhost sshd[8218]: error: PAM: Authentication failure for illegal user root from adsl-66-159-198-155.dslextreme.com

May  7 00:52:58 localhost sshd[8218]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 49581 ssh2

May  7 00:57:25 localhost sshd[8235]: refused connect from TROYMIMNDS0A910.mcleodusa.net (::ffff:209.254.234.18)

May  7 00:59:19 localhost sshd[8241]: refused connect from confixx.fernuni-hagen.de (::ffff:132.176.85.100)

May  7 01:04:23 localhost sshd[8271]: refused connect from r01.glglgl.eu (::ffff:89.149.208.141)

May  7 01:06:30 localhost sshd[8279]: refused connect from ::ffff:66.99.53.142 (::ffff:66.99.53.142)

May  7 01:09:11 localhost sshd[8288]: refused connect from webserver.janel.com.mx (::ffff:201.134.245.78)

May  7 01:14:02 localhost sshd[8315]: error: PAM: Authentication failure for illegal user root from b14f0.static.pacific.net.au

May  7 01:14:02 localhost sshd[8315]: Failed keyboard-interactive/pam for invalid user root from 202.7.89.240 port 36568 ssh2

May  7 01:15:40 localhost sshd[8323]: refused connect from joe@cni1.cbinf.com (::ffff:196.2.12.200)

May  7 01:18:16 localhost sshd[8332]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(customer68-83-177.iplannetworks.net, AF_INET) failed

May  7 01:18:26 localhost sshd[8332]: refused connect from ::ffff:200.68.83.177 (::ffff:200.68.83.177)

May  7 01:20:46 localhost sshd[8352]: refused connect from s161-184-174-76.ab.hsia.telus.net (::ffff:161.184.174.76)

May  7 01:22:48 localhost sshd[8359]: refused connect from 3e70de9.adsl.enternet.hu (::ffff:62.112.222.9)

May  7 01:25:25 localhost sshd[8368]: refused connect from ::ffff:62.77.209.5 (::ffff:62.77.209.5)

May  7 01:27:15 localhost sshd[8374]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: spare.eorigen.com != lon-web-test.gradwell.net

May  7 01:27:16 localhost sshd[8374]: refused connect from ::ffff:193.111.200.140 (::ffff:193.111.200.140)

May  7 01:29:47 localhost sshd[8383]: refused connect from ::ffff:62.159.113.66 (::ffff:62.159.113.66)

May  7 01:31:52 localhost sshd[8402]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(net-178-212-58-207.in-addr.arpa, AF_INET) failed

May  7 01:31:52 localhost sshd[8402]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)

May  7 01:34:43 localhost sshd[8411]: refused connect from ex216126.uac63.hknet.com (::ffff:202.71.216.126)

May  7 01:39:13 localhost sshd[8425]: refused connect from 62-167-18-154.static.adslpremium.ch (::ffff:62.167.18.154)

May  7 01:41:33 localhost sshd[8446]: warning: /etc/hosts.deny, line 3240: host name/address mismatch: 83.136.87.102 != www.unicum.de

May  7 01:41:33 localhost sshd[8446]: refused connect from ::ffff:83.136.87.102 (::ffff:83.136.87.102)

May  7 01:43:40 localhost sshd[8453]: refused connect from pd95b4140.dip0.t-ipconnect.de (::ffff:217.91.65.64)

May  7 01:46:28 localhost sshd[8462]: refused connect from dsl-200-67-131-155.prod-empresarial.com.mx (::ffff:200.67.131.155)

May  7 01:48:18 localhost sshd[8469]: refused connect from provone.provsol.net (::ffff:70.90.196.137)

May  7 01:51:03 localhost sshd[8490]: refused connect from admin.leeds-utd.org.uk (::ffff:81.5.160.149)

May  7 01:52:56 localhost sshd[8497]: refused connect from ns2374.ovh.net (::ffff:213.186.45.34)

May  7 01:55:49 localhost sshd[8506]: error: PAM: Authentication failure for illegal user root from x020112.ppp.asahi-net.or.jp

May  7 01:55:49 localhost sshd[8506]: Failed keyboard-interactive/pam for invalid user root from 122.249.20.112 port 15058 ssh2

May  7 01:58:25 localhost sshd[8517]: refused connect from dsl-200-67-131-155.prod-empresarial.com.mx (::ffff:200.67.131.155)

May  7 02:00:28 localhost sshd[8538]: error: PAM: Authentication failure for illegal user root from adsl-66-159-198-155.dslextreme.com

May  7 02:00:28 localhost sshd[8538]: Failed keyboard-interactive/pam for invalid user root from 66.159.198.155 port 52621 ssh2

May  7 02:01:05 localhost denyhosts: Added the following hosts to /etc/hosts.deny - adsl-66-159-198-155.dslextreme.com

May  7 02:03:25 localhost sshd[8549]: refused connect from ::ffff:143.107.110.29 (::ffff:143.107.110.29)

May  7 02:05:19 localhost sshd[8556]: refused connect from h-66-134-26-166.nycmny83.covad.net (::ffff:66.134.26.166)

May  7 02:07:48 localhost sshd[8565]: refused connect from ::ffff:212.150.167.61 (::ffff:212.150.167.61)

May  7 02:09:54 localhost sshd[8572]: refused connect from blulove.pl (::ffff:217.160.20.154)

May  7 02:12:36 localhost sshd[8593]: refused connect from bvm52.internetdsl.tpnet.pl (::ffff:83.18.194.52)

May  7 02:14:51 localhost sshd[8600]: refused connect from confixx.fernuni-hagen.de (::ffff:132.176.85.100)

May  7 02:17:34 localhost sshd[8610]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(net-178-212-58-207.in-addr.arpa, AF_INET) failed

May  7 02:17:34 localhost sshd[8610]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)

May  7 02:20:33 localhost sshd[8632]: refused connect from ::ffff:200.172.166.2 (::ffff:200.172.166.2)

May  7 02:22:42 localhost sshd[8638]: refused connect from 216-197-204-76.estv.hsdb.sasknet.sk.ca (::ffff:216.197.204.76)

May  7 02:25:30 localhost sshd[8648]: refused connect from foyer18rt.net1.nerim.net (::ffff:213.41.153.174)

May  7 02:27:28 localhost sshd[8655]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(customer68-83-177.iplannetworks.net, AF_INET) failed

May  7 02:27:32 localhost sshd[8655]: refused connect from javier@::ffff:200.68.83.177 (::ffff:200.68.83.177)

May  7 02:30:13 localhost sshd[8676]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(net-178-212-58-207.in-addr.arpa, AF_INET) failed

May  7 02:30:13 localhost sshd[8676]: refused connect from ::ffff:207.58.212.178 (::ffff:207.58.212.178)

May  7 02:32:24 localhost sshd[8684]: refused connect from david@habousha-771-u.customer.be.colt.net (::ffff:62.72.101.154)

May  7 02:35:08 localhost sshd[8693]: refused connect from 1389442210.ip2long.net (::ffff:82.209.52.162)

May  7 02:37:56 localhost sshd[8702]: refused connect from chello084114015179.14.vie.surfer.at (::ffff:84.114.15.179)

May  7 02:45:25 localhost sshd[8737]: refused connect from host217-35-80-115.in-addr.btopenworld.com (::ffff:217.35.80.115)

May  7 02:48:12 localhost sshd[8746]: refused connect from ::ffff:145.253.179.229 (::ffff:145.253.179.229)

May  7 02:50:24 localhost sshd[8766]: refused connect from sara@::ffff:87.241.33.10 (::ffff:87.241.33.10)

May  7 02:53:09 localhost sshd[8775]: refused connect from static.88-198-17-13.clients.your-server.de (::ffff:88.198.17.13)

May  7 02:56:02 localhost sshd[8788]: refused connect from usa@::ffff:193.71.255.202 (::ffff:193.71.255.202)

May  7 02:58:21 localhost sshd[8795]: refused connect from 88-196-54-98-dsl.trt.estpak.ee (::ffff:88.196.54.98)

May  7 03:01:07 localhost sshd[8821]: refused connect from cc67835-a.groni1.gr.home.nl (::ffff:82.73.18.76)

May  7 03:03:30 localhost sshd[8829]: refused connect from bvm52.internetdsl.tpnet.pl (::ffff:83.18.194.52)

May  7 03:06:19 localhost sshd[8838]: refused connect from mail.inveda.net (::ffff:81.169.156.95)

May  7 03:08:41 localhost sshd[8846]: warning: /etc/hosts.deny, line 3240: host name/name mismatch: 39757.net != man1.as39757.net

May  7 03:08:42 localhost sshd[8847]: input_userauth_request: invalid user root

May  7 03:08:44 localhost sshd[8846]: error: PAM: Authentication failure for illegal user root from 89.107.16.5

May  7 03:08:44 localhost sshd[8846]: Failed keyboard-interactive/pam for invalid user root from 89.107.16.5 port 59840 ssh2
```
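An added example, not part of the post, that reduces a log like this to the figures behind Bio's question: how many distinct sources, which ones come back, which accounts are being tried, and how far apart the attempts are. The sample lines are constructed in the same format as the excerpt above, with documentation-range addresses instead of real hosts.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample in the format of the thread's log excerpt; the addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
May  7 00:25:18 localhost sshd[8084]: refused connect from mail.example.net (::ffff:192.0.2.10)
May  7 00:25:30 localhost sshd[8085]: refused connect from ::ffff:198.51.100.7 (::ffff:198.51.100.7)
May  7 00:26:59 localhost sshd[8090]: refused connect from ::ffff:198.51.100.7 (::ffff:198.51.100.7)
May  7 00:28:04 localhost sshd[8094]: error: PAM: Authentication failure for illegal user root from host.example.org
May  7 00:28:04 localhost sshd[8094]: Failed keyboard-interactive/pam for invalid user root from 203.0.113.5 port 50746 ssh2
May  7 00:30:02 localhost sshd[8104]: refused connect from bob@::ffff:192.0.2.44 (::ffff:192.0.2.44)
May  7 00:32:26 localhost sshd[8124]: warning: /etc/hosts.deny, line 3240: can't verify hostname: getaddrinfo(x.example, AF_INET) failed
May  7 00:32:26 localhost sshd[8124]: refused connect from ::ffff:203.0.113.9 (::ffff:203.0.113.9)
May  7 00:52:58 localhost sshd[8218]: Failed keyboard-interactive/pam for invalid user root from 203.0.113.5 port 49581 ssh2
May  7 02:01:05 localhost denyhosts: Added the following hosts to /etc/hosts.deny - host.example.org
"""

# "refused connect" = dropped by TCP wrappers (hosts.deny) before any auth;
# "Failed ... for invalid user" = reached PAM and actually tried a password.
REFUSED = re.compile(r"sshd\[\d+\]: refused connect from \S+ \(::ffff:([\d.]+)\)")
FAILED = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from ([\d.]+) port \d+")
DENYHOSTS = re.compile(r"denyhosts: Added the following hosts to /etc/hosts.deny - (\S+)")

def summarize(log_text):
    """Aggregate one night's sshd noise: who, how many, how often, which users."""
    sources, users, stamps, added = Counter(), Counter(), [], []
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        hit = failed or REFUSED.search(line)
        if hit:
            sources[hit.group(hit.lastindex)] += 1      # IP is the last group in both
            stamps.append(datetime.strptime(line[:15], "%b %d %H:%M:%S"))
        if failed:
            users[failed.group(1)] += 1
        added += DENYHOSTS.findall(line)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return {
        "events": sum(sources.values()),
        "distinct_sources": len(sources),
        "repeat_sources": sorted(ip for ip, n in sources.items() if n > 1),
        "targeted_users": dict(users),
        "median_gap_seconds": median(gaps) if gaps else None,
        "denyhosts_added": added,
    }
```

Run over the real excerpt, a high distinct-source count with a short, regular gap and few repeat sources is the signature of a distributed sweep rather than one host hammering; the "Failed keyboard-interactive/pam" lines are the only ones that got past hosts.deny to an actual password prompt.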

----------

## El_Goretto

Given the short time window, either you've got lots and lots of bot buddies digging for holes (classic), or it's outright a small botnet. Made a great new friend recently?  :Smile: 

----------

## geekounet

Or IP spoofing.

----------

## Bio

I'm also thinking spoofing, but that's going to a lot of trouble for not much, other than getting at my holiday photos.

@El_Goretto: what do you mean by a botnet?

----------

## Desintegr

If you want some peace, just change the port.

Otherwise you can also set up port knocking.

Anyway, this kind of thing happens often: smart alecks trying to force passwords on SSH servers found by IP scanning.

Here the smart aleck most likely has access to several zombie machines (infected with a backdoor) and launches several connections at once to improve his chances.

----------

## loopx

*geekounet wrote:*

> Or IP spoofing.

On the Internet  :Surprised:  ?

----------

## Bio

*Desintegr wrote:*

> If you want some peace, just change the port.
> 
> Otherwise you can also set up port knocking.

Indeed, but since I access my server from work I only have access to the "standard" ports: 21, 22, 80, etc.

I could switch it to 443, though.

----------

## Bio

Whoa, I hadn't noticed because my daily report is generated at 3 a.m. But it keeps going like that and the guy is still active on my server. One connection roughly every 45 seconds, and a different IP every time.

For good measure I've redirected SSH to 443 until things calm down.

----------

## -KuRGaN-

Well, if port knocking doesn't suit you, you can already drop SSH password authentication and then install fail2ban.
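The sshd side of that advice as an added example, not from the thread: a Python audit of sshd_config that reports which directives deviate and rewrites the file with password and keyboard-interactive logins off, root login refused and the port moved to 443 as Bio did. The sample config and the wanted values are constructed here; fail2ban has its own configuration and is not covered.

```python
import re

# Constructed sshd_config excerpt shaped like a stock install: the commented
# lines only document defaults, so password and root logins remain enabled.
WEAK_CONFIG = """\
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""
# What the thread's advice amounts to. ChallengeResponseAuthentication is here
# because the log shows "keyboard-interactive/pam" failures: that PAM path
# stays open when only PasswordAuthentication is switched off.
WANTED = {
    "Port": "443",                            # the port Bio said he can reach from work
    "PermitRootLogin": "no",                  # every PAM failure in the log was for root
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
}
WANTED_LC = {k.lower() for k in WANTED}

def effective_settings(config_text):
    """Keyword -> value for global directives (case-insensitive keys; first wins)."""
    found = {}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break                             # later lines are conditional, not global
        found.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return found

def audit(config_text):
    """{Keyword: (current or None, wanted)} for each directive that deviates."""
    current = effective_settings(config_text)
    return {k: (current.get(k.lower()), v) for k, v in WANTED.items()
            if current.get(k.lower(), "").lower() != v}

def harden(config_text):
    """Remove old global settings of managed keys and pin the wanted values ahead
    of any Match block, because directives after Match apply conditionally."""
    head, tail = [], []
    for line in config_text.splitlines():
        key = (line.lstrip("# ").split(None, 1) or [""])[0].lower()
        if tail or key == "match":
            tail.append(line)
        elif key not in WANTED_LC:
            head.append(line)
    return "\n".join(head + [f"{k} {v}" for k, v in WANTED.items()] + tail) + "\n"
```

Test the rewritten file with `sshd -t` and keep an existing session open while restarting, since with PasswordAuthentication off only a working key gets you back in.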

----------

