# What action to take?

## js-x.com

I was looking in my server logs and found entry attempts:

(these are just a few - someone(s) is spending a lot of time pounding the server)

```
Sep 20 12:42:34 D2140 sshd[15452]: Failed password for root from 12.30.169.133 port 41481 ssh2
Sep 20 12:42:34 D2140 sshd[15454]: Failed password for root from 12.30.169.133 port 44559 ssh2
Sep 20 12:42:35 D2140 sshd[15456]: Failed password for root from 12.30.169.133 port 41532 ssh2
Sep 20 12:42:35 D2140 sshd[15458]: Failed password for root from 12.30.169.133 port 44609 ssh2
Sep 20 12:42:35 D2140 sshd[15460]: Failed password for root from 12.30.169.133 port 41591 ssh2
Sep 20 12:42:36 D2140 sshd[15462]: Failed password for root from 12.30.169.133 port 44674 ssh2
Sep 20 12:42:36 D2140 sshd[15464]: Failed password for root from 12.30.169.133 port 44717 ssh2
Sep 20 12:42:37 D2140 sshd[15466]: Failed password for root from 12.30.169.133 port 44764 ssh2
Sep 20 12:42:37 D2140 sshd[15468]: Failed password for root from 12.30.169.133 port 44794 ssh2
Sep 20 12:42:38 D2140 sshd[15470]: Failed password for root from 12.30.169.133 port 44837 ssh2
Sep 20 12:42:39 D2140 sshd[15472]: Failed password for root from 12.30.169.133 port 44891 ssh2
Sep 20 12:42:39 D2140 sshd[15474]: Failed password for root from 12.30.169.133 port 44940 ssh2
Sep 20 12:42:40 D2140 sshd[15476]: Failed password for root from 12.30.169.133 port 44993 ssh2
Sep 20 12:42:41 D2140 sshd[15478]: Failed password for root from 12.30.169.133 port 45036 ssh2
.....
Sep 18 09:51:01 D2140 sshd[17438]: Failed password for root from 210.123.133.51 port 48703 ssh2
Sep 18 09:51:03 D2140 sshd[17442]: Failed password for root from 210.123.133.51 port 48764 ssh2
Sep 18 09:51:05 D2140 sshd[17446]: Illegal user test from 210.123.133.51
Sep 18 09:51:05 D2140 sshd[17446]: Failed password for illegal user test from 210.123.133.51 port 48817 ssh2
Sep 18 09:51:05 D2140 sshd[17447]: Failed password for root from 210.123.133.51 port 48818 ssh2
Sep 18 09:51:06 D2140 sshd[17450]: Illegal user guest from 210.123.133.51
Sep 18 09:51:06 D2140 sshd[17450]: Failed password for illegal user guest from 210.123.133.51 port 48875 ssh2
Sep 18 09:51:07 D2140 sshd[17452]: Illegal user test from 210.123.133.51
.....
Sep 18 23:48:31 D2140 sshd[2307]: Failed password for root from 211.108.60.203 port 49505 ssh2
Sep 18 23:48:33 D2140 sshd[2309]: Failed password for root from 211.108.60.203 port 49528 ssh2
Sep 18 23:48:34 D2140 sshd[2311]: Failed password for root from 211.108.60.203 port 49546 ssh2
Sep 18 23:48:36 D2140 sshd[2313]: Failed password for root from 211.108.60.203 port 49577 ssh2
Sep 18 23:49:13 D2140 sshd[2321]: Failed password for root from 211.108.60.203 port 50151 ssh2
Sep 18 23:49:15 D2140 sshd[2323]: Failed password for root from 211.108.60.203 port 50176 ssh2
Sep 18 23:49:17 D2140 sshd[2325]: Failed password for root from 211.108.60.203 port 50212 ssh2
Sep 18 23:49:19 D2140 sshd[2327]: Failed password for root from 211.108.60.203 port 50243 ssh2
Sep 18 23:49:20 D2140 sshd[2329]: Failed password for root from 211.108.60.203 port 50272 ssh2
```
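The detection logic a log-watching tool would apply to lines in exactly this format, as an added example that is not code from the thread: it parses both the "Failed password for root" and "Failed password for illegal user X" variants, counts failures per source IP inside a sliding window, and renders (without running) the firewall rules a ban action would install. The sample lines are constructed in the same format, and the retry threshold and window length are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the same syslog/sshd format as the thread's logs,
# plus one successful login to show that non-failure lines are ignored.
SAMPLE_LOG = """\
Sep 20 12:42:34 D2140 sshd[15452]: Failed password for root from 12.30.169.133 port 41481 ssh2
Sep 20 12:42:34 D2140 sshd[15454]: Failed password for root from 12.30.169.133 port 44559 ssh2
Sep 20 12:42:35 D2140 sshd[15456]: Failed password for root from 12.30.169.133 port 41532 ssh2
Sep 18 09:51:05 D2140 sshd[17446]: Failed password for illegal user test from 210.123.133.51 port 48817 ssh2
Sep 18 09:51:06 D2140 sshd[17450]: Failed password for illegal user guest from 210.123.133.51 port 48875 ssh2
Sep 18 09:52:00 D2140 sshd[17460]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Matches both "Failed password for root" and "Failed password for illegal user X".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text):
    """Return [(timestamp, user, ip)] for every failed-password line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
            out.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]))
    return out

def find_bruteforcers(log_text, maxretry=3, window_seconds=600):
    """Map each source IP to the time it reached maxretry failures inside the sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in flagged:
            continue  # already flagged, as a ban in place would suppress further counting
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # evict failures that fell out of the window
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged

def iptables_rules(flagged):
    """Render (not run) the DROP rules a fail2ban-style ban action would install."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]
```

Lowering `maxretry` to 2 also flags the second source in the sample; the successful `Accepted publickey` line never counts.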

----------

## RayDude

This is common for any machine that has an open ssh port sitting on the internet. The only safe things I know of are:

1. Disable root access on SSH.

2. Make all user passwords extremely complicated, i.e. mixed case, numbers, special characters.

My domain is hosted on my DSL port and I get automated break-in attempts all the time.

Many from China...

Funny that.

Raydude

----------

## js-x.com

thanks!

----------

## skunk

Run ssh on a different port, disable root login and, if you need to connect always from the same (class) IP, configure a firewall accordingly.

----------

## RayDude

*skunk wrote:*

> Run ssh on a different port, disable root login and, if you need to connect always from the same (class) IP, configure a firewall accordingly.

A port scan will show the moved ssh port rather easily, won't it? I haven't bothered moving it because I figure if someone's serious they'll just port scan.

----------

## skunk

Yes, but if you run on a different port you can block non-human attacks (read: worms).

----------

## js-x.com

*skunk wrote:*

> Run ssh on a different port, disable root login and, if you need to connect always from the same (class) IP, configure a firewall accordingly.

I can see the sshd config file and edit it for:

- ssh port

- disable root login

I'm reading the rather big / large thread on this and have not yet found how to restrict ssh by IP/class.

link

thanks!

----------

## skunk

*js-x.com wrote:*

> I'm reading the rather big / large thread on this and have not yet found how to restrict ssh by IP/class.

You can't restrict ssh by IP/class using the config file; you should configure iptables for this...

readme

----------

## syrrus

Might want to check out http://fail2ban.sourceforge.net/

Helped my friends out a lot.

----------

## RayDude

*skunk wrote:*

> Yes, but if you run on a different port you can block non-human attacks (read: worms).

I hadn't thought of that! Thanks.

I just moved it to another port.

Raydude

----------

## skunk

linux.com has an interesting article about this argument.

----------

## syrrus

Over the last year it's been a big subject of discussion because of all the automated tools that've been in use.

----------

## eagle_cz

When somebody starts to brute force my SSH, I usually put Jihad on him.

----------

## RayDude

*eagle_cz wrote:*

> When somebody starts to brute force my SSH, I usually put Jihad on him.

Exactly how do you do that?

Raydude

----------

## eagle_cz

I usually just pronounce ... "I put jihad on you" and then I continue reading logs :Smile:

----------

## js-x.com

*eagle_cz wrote:*

> I usually just pronounce ... "I put jihad on you" and then I continue reading logs

roflmao

----------

## MrBlc

This is how I did it:

First, I moved the port.. always considered that a smart move since it lures away from most automated tools..

Then I installed shorewall, an iptables frontend script, and started blacklisting C-class IP segments as they attacked.

So far, I've gotten a long ass list, but I've also started to see days without scans as opposed to the 3-4000 scans a day.

Helped that the server was located on a fibered connection though.. they are a bit more attractive to hack..

-blc

----------

## RayDude

*eagle_cz wrote:*

> I usually just pronounce ... "I put jihad on you" and then I continue reading logs

LOL.

----------

## Sprotte

*RayDude wrote:*

> *eagle_cz wrote:* I usually just pronounce ... "I put jihad on you" and then I continue reading logs
>
> LOL.

Well, you can always use whois on them if you're serious, and contact their provider.

Sadly, it'll just be another zombie machine...

You can also portscan the IP and if there is ssh or something running, just give "IHEREBYPUTJIHADONYOU" as a login. It will show up in their logs, if any...

But in the case of some hacked Windows boxes, or botnets etc., it's just not worth the time.

----------

## eagle_cz

lol Sprotte, I have to try that with that login :Very Happy:

----------

## RayDude

*Sprotte wrote:*

> *RayDude wrote:* *eagle_cz wrote:* I usually just pronounce ... "I put jihad on you" and then I continue reading logs
>
> LOL.
>
> Well, you can always use whois on them if you're serious, and contact their provider.
> ...

I tracked one of the IPs of an attack on my box to a box in China.

It was a computer at a financial institution or something like that (can't remember for sure). I sent them an email telling them that either A) one of their employees was trying to hack computers or B) their systems had been hacked and were being used to initiate attacks.

They had an open ssh port, and I tried to log in as, "STOP_TRYING_TO_HACK_MY_MACHINE!"

Never got an email reply from them though...

Heh.

Raydude

----------

