# is this a connection (hack), or an attempt?

## wobbly

From /var/log/messages, lots like this

```
Jan 25 10:53:52 ecw-box sshd[6793]: Connection from 121.247.128.55 port 4182
Jan 25 10:53:52 ecw-box sshd[6793]: Did not receive identification string from 121.247.128.55
```

Does "connection" mean that the hacker has made a connection, or is attempting one?

Thanks

----------

## bunder

It's probably an SSH bot.

----------

## d2_racing

In fact, I think that too...

----------

## wobbly

The question is, though, whether or not the "connection" was successful. I would have expected "connection attempt" in the case when there was an attempted connection that did not succeed. The message I see in /var/log/messages reads as a successful connection. Is it one?

----------

## ppurka

No, it isn't successful.

----------

## cach0rr0

All that means is your SSH daemon responded to the connection attempt, meaning the socket showed as open to the remote host.

A successful connection != successful authentication.

I can nmap -sT -p22 -P0 yourhost.yourdomain.tld and that will show up.

Doesn't mean I got in.

This is one thing I like about hardened build: by default all auth failures/successes == /var/log/auth.log.

But yeah, as others have said, likely just an SSH bot connecting... but again, failing auth (if you check later in the log).

If you care to mitigate this, I recommend something like fail2ban in conjunction with disabling keyboard-interactive auth on SSH, and simply using SSH keys.

----------

## krinn

It's not even an attempt, else you would have got "bad user" or "bad password" (or "login from"...). It's just a connection; as people said before, a script kiddie or port scanning.

Here are some SSH log lines that will help you understand what's going on:

```
Jan 22 03:18:34 [sshd] Did not receive identification string from 58.62.125.162 <- connect ok, no id
Jan 22 03:19:20 [sshd] Invalid user fluffy from 58.62.125.162 <- connect ok, bad user
Jan 22 16:33:55 [sshd] Accepted publickey for root from 192.168.0.4 port 59023 ssh2 <- connect ok, valid user & key
Jan 22 16:33:55 [sshd] pam_unix(sshd:session): session opened for user root by (uid=0) <- now the user is really log in
Jan 22 16:37:50 [sshd] pam_unix(sshd:session): session closed for user root <- closed session
Jan 22 22:53:19 [sshd] refused connect from 218.249.60.66 (218.249.60.66) <- connection not ok, that guy is ban
```

The "successful connection" you get is just because sshd answered that host; it only means sshd is working and that host isn't banned, so it informs you sshd is OK to talk with that host.

----------

## wobbly

Thanks for the replies. I installed fail2ban with iptables and I'm wondering if it's working. I see this in my /var/log/messages

```
Jan 26 20:10:08 ecw-box sshd[15580]: Invalid user mythtv from 122.128.96.6
Jan 26 20:10:09 ecw-box sshd[15596]: Connection from 122.128.96.6 port 59053
Jan 26 20:10:16 ecw-box sshd[15596]: Invalid user mythtv from 122.128.96.6
Jan 26 20:10:17 ecw-box sshd[15600]: Connection from 122.128.96.6 port 59427
Jan 26 20:10:25 ecw-box sshd[15600]: Invalid user mythtv from 122.128.96.6
Jan 26 20:10:25 ecw-box sshd[15604]: Connection from 122.128.96.6 port 59793
Jan 26 20:10:33 ecw-box sshd[15604]: Invalid user mythtv from 122.128.96.6
Jan 26 20:10:34 ecw-box sshd[15608]: Connection from 122.128.96.6 port 60158
Jan 26 20:10:41 ecw-box sshd[15608]: Invalid user oracle from 122.128.96.6
Jan 26 20:10:42 ecw-box sshd[15612]: Connection from 122.128.96.6 port 60526
Jan 26 20:10:49 ecw-box sshd[15612]: Invalid user oracle from 122.128.96.6
Jan 26 20:10:50 ecw-box sshd[15616]: Connection from 122.128.96.6 port 60880
Jan 26 20:10:58 ecw-box sshd[15616]: Invalid user oracle from 122.128.96.6
Jan 26 20:10:58 ecw-box sshd[15620]: Connection from 122.128.96.6 port 33005
Jan 26 20:11:06 ecw-box sshd[15620]: Invalid user oracle from 122.128.96.6
Jan 26 20:11:07 ecw-box sshd[15624]: Connection from 122.128.96.6 port 33361
Jan 26 20:11:14 ecw-box sshd[15624]: Invalid user oracle from 122.128.96.6
Jan 26 20:11:15 ecw-box sshd[15628]: Connection from 122.128.96.6 port 33722
Jan 26 20:11:22 ecw-box sshd[15628]: Invalid user oracle from 122.128.96.6
Jan 26 20:11:23 ecw-box sshd[15632]: Connection from 122.128.96.6 port 34082
Jan 26 20:11:31 ecw-box sshd[15632]: Invalid user oracle from 122.128.96.6
Jan 26 20:11:31 ecw-box sshd[15636]: Connection from 122.128.96.6 port 34433
Jan 26 20:11:39 ecw-box sshd[15636]: Invalid user oracle from 122.128.96.6
Jan 26 20:11:40 ecw-box sshd[15640]: Connection from 122.128.96.6 port 34768
Jan 26 20:11:47 ecw-box sshd[15640]: Invalid user oracle from 122.128.96.6
Jan 26 20:11:48 ecw-box sshd[15644]: Connection from 122.128.96.6 port 35114
Jan 26 20:11:55 ecw-box sshd[15644]: Invalid user oracle from 122.128.96.6
Jan 26 20:11:56 ecw-box sshd[15648]: Connection from 122.128.96.6 port 35450
Jan 26 20:12:04 ecw-box sshd[15652]: Connection from 122.128.96.6 port 35819
Jan 26 20:12:12 ecw-box sshd[15652]: Invalid user admin from 122.128.96.6
Jan 26 20:12:13 ecw-box sshd[15656]: Connection from 122.128.96.6 port 36156
Jan 26 20:12:20 ecw-box sshd[15656]: Invalid user admin from 122.128.96.6
Jan 26 20:12:21 ecw-box sshd[15660]: Connection from 122.128.96.6 port 36502
Jan 26 20:12:28 ecw-box sshd[15660]: Invalid user admin from 122.128.96.6
Jan 26 20:12:29 ecw-box sshd[15664]: Connection from 122.128.96.6 port 36843
Jan 26 20:12:37 ecw-box sshd[15664]: Invalid user admin from 122.128.96.6
Jan 26 20:12:37 ecw-box sshd[15668]: Connection from 122.128.96.6 port 37191
Jan 26 20:12:45 ecw-box sshd[15668]: Invalid user admin from 122.128.96.6
Jan 26 20:12:46 ecw-box sshd[15672]: Connection from 122.128.96.6 port 37532
Jan 26 20:12:53 ecw-box sshd[15672]: Invalid user admin from 122.128.96.6
Jan 26 20:12:54 ecw-box sshd[15676]: Connection from 122.128.96.6 port 56765
Jan 26 20:13:01 ecw-box sshd[15676]: Invalid user admin from 122.128.96.6
Jan 26 20:13:02 ecw-box sshd[15680]: Connection from 122.128.96.6 port 57122
Jan 26 20:13:10 ecw-box sshd[15680]: Invalid user admin from 122.128.96.6
Jan 26 20:13:10 ecw-box sshd[15684]: Connection from 122.128.96.6 port 57456
Jan 26 20:13:18 ecw-box sshd[15684]: Invalid user admin from 122.128.96.6
Jan 26 20:13:19 ecw-box sshd[15688]: Connection from 122.128.96.6 port 57801
Jan 26 20:13:26 ecw-box sshd[15688]: Invalid user test from 122.128.96.6
Jan 26 20:13:27 ecw-box sshd[15692]: Connection from 122.128.96.6 port 58148
Jan 26 20:13:34 ecw-box sshd[15692]: Invalid user test from 122.128.96.6
Jan 26 20:13:35 ecw-box sshd[15696]: Connection from 122.128.96.6 port 58498
Jan 26 20:13:43 ecw-box sshd[15696]: Invalid user test from 122.128.96.6
Jan 26 20:13:43 ecw-box sshd[15700]: Connection from 122.128.96.6 port 58847
Jan 26 20:13:51 ecw-box sshd[15700]: Invalid user test from 122.128.96.6
Jan 26 20:13:52 ecw-box sshd[15704]: Connection from 122.128.96.6 port 59192
Jan 26 20:13:59 ecw-box sshd[15704]: Invalid user test from 122.128.96.6
Jan 26 20:14:00 ecw-box sshd[15708]: Connection from 122.128.96.6 port 59542
Jan 26 20:14:08 ecw-box sshd[15708]: Invalid user test from 122.128.96.6
Jan 26 20:14:08 ecw-box sshd[15712]: Connection from 122.128.96.6 port 59887
Jan 26 20:14:16 ecw-box sshd[15712]: Invalid user test from 122.128.96.6
Jan 26 20:14:17 ecw-box sshd[15716]: Connection from 122.128.96.6 port 60240
Jan 26 20:14:24 ecw-box sshd[15716]: Invalid user test from 122.128.96.6
Jan 26 20:14:25 ecw-box sshd[15720]: Connection from 122.128.96.6 port 60577
Jan 26 20:14:32 ecw-box sshd[15720]: Invalid user anda from 122.128.96.6
Jan 26 20:14:33 ecw-box sshd[15724]: Connection from 122.128.96.6 port 60927
Jan 26 20:14:41 ecw-box sshd[15724]: Invalid user jb from 122.128.96.6
Jan 26 20:14:42 ecw-box sshd[15728]: Connection from 122.128.96.6 port 33042
Jan 26 20:14:49 ecw-box sshd[15728]: Invalid user cvsuser from 122.128.96.6
Jan 26 20:14:50 ecw-box sshd[15732]: Connection from 122.128.96.6 port 33388
Jan 26 20:14:57 ecw-box sshd[15732]: Invalid user cvsuser1 from 122.128.96.6
Jan 26 20:14:58 ecw-box sshd[15736]: Connection from 122.128.96.6 port 33730
Jan 26 20:15:05 ecw-box sshd[15736]: Invalid user mana from 122.128.96.6
Jan 26 20:15:06 ecw-box sshd[15740]: Connection from 122.128.96.6 port 34082
Jan 26 20:15:14 ecw-box sshd[15744]: Connection from 122.128.96.6 port 34422
Jan 26 20:15:23 ecw-box sshd[15748]: Connection from 122.128.96.6 port 34774
Jan 26 20:15:30 ecw-box sshd[15748]: Invalid user vicky from 122.128.96.6
Jan 26 20:15:31 ecw-box sshd[15752]: Connection from 122.128.96.6 port 35117
Jan 26 20:15:38 ecw-box sshd[15752]: Invalid user setup from 122.128.96.6
Jan 26 20:15:39 ecw-box sshd[15756]: Connection from 122.128.96.6 port 35472
Jan 26 20:15:47 ecw-box sshd[15756]: Invalid user setup from 122.128.96.6
Jan 26 20:15:48 ecw-box sshd[15761]: Connection from 122.128.96.6 port 35807
Jan 26 20:15:55 ecw-box sshd[15761]: Invalid user print from 122.128.96.6
Jan 26 20:15:56 ecw-box sshd[15765]: Connection from 122.128.96.6 port 36169
Jan 26 20:16:03 ecw-box sshd[15765]: Invalid user print from 122.128.96.6
Jan 26 20:16:04 ecw-box sshd[15769]: Connection from 122.128.96.6 port 36507
Jan 26 20:16:11 ecw-box sshd[15769]: Invalid user raul from 122.128.96.6
Jan 26 20:16:12 ecw-box sshd[15773]: Connection from 122.128.96.6 port 36866
Jan 26 20:16:20 ecw-box sshd[15773]: Invalid user user1 from 122.128.96.6
Jan 26 20:16:20 ecw-box sshd[15778]: Connection from 122.128.96.6 port 37224
```

And when I look at the iptables

```
ecw-box ~ # iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ecw-box ~ # 
```

It doesn't appear that anything has been added. How do I know if this is correct?

----------

## vaguy02

I would say it's not working. Post your fail2ban.log file please.

----------

## wobbly

```
ecw-box ~ # rm /var/log/fail2ban.log 
ecw-box ~ # /etc/init.d/fail2ban restart
 * Stopping fail2ban ...                                                                                [ ok ]
 * Starting fail2ban ...                                                                                [ ok ]
ecw-box ~ # cat /var/log/fail2ban.log 
2009-01-26 20:51:33,463 fail2ban.jail   : INFO   Using poller
2009-01-26 20:51:33,509 fail2ban.filter : INFO   Created Filter
2009-01-26 20:51:33,510 fail2ban.filter : INFO   Created FilterPoll
2009-01-26 20:51:33,512 fail2ban.filter : INFO   Added logfile = /var/log/messages
2009-01-26 20:51:33,514 fail2ban.filter : INFO   Set maxRetry = 5
2009-01-26 20:51:33,518 fail2ban.filter : INFO   Set findtime = 600
2009-01-26 20:51:33,520 fail2ban.actions: INFO   Set banTime = 600
2009-01-26 20:51:33,540 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2009-01-26 20:51:33,542 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2009-01-26 20:51:33,545 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2009-01-26 20:51:33,547 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2009-01-26 20:51:33,549 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2009-01-26 20:51:33,558 fail2ban.actions.action: INFO   Set actionBan = echo -en "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here are more information about <ip>:\n
`whois <ip>`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
2009-01-26 20:51:33,561 fail2ban.actions.action: INFO   Set actionStop = echo -en "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
2009-01-26 20:51:33,563 fail2ban.actions.action: INFO   Set actionStart = echo -en "Hi,\n
The jail <name> has been started successfuly.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
2009-01-26 20:51:33,566 fail2ban.actions.action: INFO   Set actionUnban = 
2009-01-26 20:51:33,568 fail2ban.actions.action: INFO   Set actionCheck = 
2009-01-26 20:51:33,574 fail2ban.jail   : INFO   Using poller
2009-01-26 20:51:33,574 fail2ban.filter : INFO   Created Filter
2009-01-26 20:51:33,575 fail2ban.filter : INFO   Created FilterPoll
2009-01-26 20:51:33,577 fail2ban.filter : INFO   Added logfile = /var/log/messages
2009-01-26 20:51:33,579 fail2ban.filter : INFO   Set maxRetry = 3
2009-01-26 20:51:33,583 fail2ban.comm   : WARNING Invalid command: ['set', 'ssh-tcpwrapper', 'ignoreregex', 'for myuser from']
ecw-box ~ # 
```
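To tie krinn's reading of the sshd log lines to the jail settings visible above (maxRetry = 5, findtime = 600), here is an added Python example, not code from the thread or from fail2ban itself, that classifies each sshd line by what it actually proves and then replays fail2ban's counting rule over a constructed sample log; the stage names and the 10.0.0.x addresses are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog shape quoted in the thread (addresses are private test values).
SAMPLE_LOG = """\
Jan 26 20:10:09 ecw-box sshd[15596]: Connection from 10.0.0.9 port 59053
Jan 26 20:10:16 ecw-box sshd[15596]: Invalid user mythtv from 10.0.0.9
Jan 26 20:10:25 ecw-box sshd[15600]: Invalid user mythtv from 10.0.0.9
Jan 26 20:10:33 ecw-box sshd[15604]: Invalid user oracle from 10.0.0.9
Jan 26 20:10:41 ecw-box sshd[15608]: Invalid user oracle from 10.0.0.9
Jan 26 20:10:49 ecw-box sshd[15612]: Invalid user oracle from 10.0.0.9
Jan 26 20:53:52 ecw-box sshd[6793]: Did not receive identification string from 10.0.0.7
Jan 26 21:33:55 ecw-box sshd[7000]: Accepted publickey for root from 192.168.0.4 port 59023 ssh2
""".splitlines()
# (pattern, what the line proves, counts as an auth failure?) in the order krinn walks through them
STAGES = [
    (re.compile(r"Connection from (\S+) port"), "tcp-connect-only", False),
    (re.compile(r"Did not receive identification string from (\S+)"), "no-ssh-banner", False),
    (re.compile(r"Invalid user \S+ from (\S+)"), "bad-user", True),
    (re.compile(r"Failed password for .+ from (\S+)"), "bad-password", True),
    (re.compile(r"Accepted \S+ for \S+ from (\S+)"), "auth-success", False),
]
SYSLOG_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")

def classify(line):
    """Return (timestamp, source, stage, is_failure), or None for lines not modelled here."""
    m = SYSLOG_TS.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year; deltas still work
        for pat, stage, is_failure in STAGES:
            hit = pat.search(line)
            if hit:
                return ts, hit.group(1), stage, is_failure
    return None

def fail2ban_bans(lines, maxretry=5, findtime=600):
    """Replay the jail's rule from the log above: ban once maxretry failures fall within findtime seconds."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        ev = classify(line)
        if ev is None or not ev[3]:
            continue  # bare connections and banner timeouts never count toward a ban
        ts, ip = ev[0], ev[1]
        recent[ip].append(ts)
        while ts - recent[ip][0] > timedelta(seconds=findtime):
            recent[ip].popleft()
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned
```

Run against the sample, the source that only completed the TCP handshake or never sent an SSH banner is never banned, while the one that racked up five "Invalid user" lines inside the 600-second window is.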

----------

## wobbly

I'm not exactly sure why, but something has changed. Perhaps this looks correct.

```
ecw-box ~ # iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
```

----------

## vaguy02

Yes, that's how it should look.

----------

## Tekeli Li

I suggest you move away from port 22 for SSH. That alone will prevent the vast, vast majority of attempts, which come from bots only. Also consider using public key auth. That alone will prevent any manual or automatic hacking attempt unless there's an exploit in sshd, or unless someone takes hold of your public and private keys, and I mean physically nicks the files from your computer -- in which case they're left with the huge task of attempting to crack the passphrase you protected the keys with.

Personally I'm not using or suggesting fail2ban. In my opinion, it's a waste of resources, and may even lead to a cute DDoS.

Also, if you really want to use fail2ban, then configure iptables rules to drop only SYN packets and allow all RELATED, ESTABLISHED; otherwise EACH packet that your NIC receives would have to be checked against a table of banned IPs (can you say: DDoS?).

Edit: PS, the trend with bots nowadays is to go very slow, too slow for any reasonable fail2ban rule anyway. Also, if you're really paranoid, the third line of defense (the first two being moving away from 22 and using public key auth) would be to use a port knocker.

----------

## El_Goretto

Your fail2ban seems not to be configured at all. Enable the ssh "jail" (/etc/fail2ban/jail.conf).

Plus, this "policy ACCEPT" is frightening... but if it's on purpose, ok, then...

----------

