ban IP attempting to hack in via ssh


tr0910


I am backing up my server over the internet to another unRaid server over SSH so I have port 22 forwarded on the destination router.  I have hardened SSH using the SSH_Config plugin to deny password login, and only accept logins by keys.  However, the bad guys still want in, and I don't seem to be getting denyhosts from the same plugin author working on 6.2.4.

 

http://lime-technology.com/forum/index.php?topic=47289.msg523047#msg523047

 

What should I do to bolt it down a little tighter?

 

(In the last 24 hours, I have had over 3500 attempts to log in from 30 different IPs.  One IP is creating over half of the attempts.  I would like to ban IPs based on their logged unsuccessful login attempts.)

 

For example (warning: many lines from syslog):

 

Dec 17 15:19:15 Server1 sshd[22277]: Received disconnect from 121.18.238.109 port 40257:11:  [preauth]
Dec 17 15:19:15 Server1 sshd[22277]: Disconnected from 121.18.238.109 port 40257 [preauth]
Dec 17 15:19:50 Server1 sshd[22424]: Received disconnect from 221.194.44.219 port 49843:11:  [preauth]
Dec 17 15:19:50 Server1 sshd[22424]: Disconnected from 221.194.44.219 port 49843 [preauth]
Dec 17 15:20:51 Server1 sshd[22708]: Received disconnect from 221.194.47.229 port 44863:11:  [preauth]
Dec 17 15:20:51 Server1 sshd[22708]: Disconnected from 221.194.47.229 port 44863 [preauth]
Dec 17 15:21:34 Server1 sshd[23000]: Received disconnect from 121.18.238.109 port 38959:11:  [preauth]
Dec 17 15:21:34 Server1 sshd[23000]: Disconnected from 121.18.238.109 port 38959 [preauth]
Dec 17 15:23:10 Server1 sshd[23534]: Received disconnect from 221.194.44.224 port 37053:11:  [preauth]
Dec 17 15:23:10 Server1 sshd[23534]: Disconnected from 221.194.44.224 port 37053 [preauth]
Dec 17 15:23:36 Server1 sshd[23633]: Received disconnect from 221.194.47.208 port 36092:11:  [preauth]
Dec 17 15:23:36 Server1 sshd[23633]: Disconnected from 221.194.47.208 port 36092 [preauth]
Dec 17 15:26:38 Server1 sshd[24575]: Received disconnect from 221.194.47.224 port 49702:11:  [preauth]
Dec 17 15:26:38 Server1 sshd[24575]: Disconnected from 221.194.47.224 port 49702 [preauth]
Dec 17 15:27:26 Server1 sshd[24858]: Received disconnect from 221.194.47.229 port 41578:11:  [preauth]
Dec 17 15:27:26 Server1 sshd[24858]: Disconnected from 221.194.47.229 port 41578 [preauth]
Dec 17 15:27:57 Server1 sshd[24978]: Received disconnect from 221.194.44.195 port 52730:11:  [preauth]
Dec 17 15:27:57 Server1 sshd[24978]: Disconnected from 221.194.44.195 port 52730 [preauth]
Dec 17 15:28:43 Server1 sshd[25207]: Received disconnect from 121.18.238.104 port 56775:11:  [preauth]
Dec 17 15:28:43 Server1 sshd[25207]: Disconnected from 121.18.238.104 port 56775 [preauth]
Dec 17 15:31:16 Server1 sshd[26065]: Received disconnect from 221.194.44.195 port 44378:11:  [preauth]
Dec 17 15:31:16 Server1 sshd[26065]: Disconnected from 221.194.44.195 port 44378 [preauth]
Dec 17 15:31:47 Server1 sshd[26200]: Received disconnect from 121.18.238.104 port 40030:11:  [preauth]
Dec 17 15:31:47 Server1 sshd[26200]: Disconnected from 121.18.238.104 port 40030 [preauth]
Dec 17 15:34:22 Server1 sshd[27042]: Received disconnect from 221.194.47.229 port 39632:11:  [preauth]
Dec 17 15:34:22 Server1 sshd[27042]: Disconnected from 221.194.47.229 port 39632 [preauth]
Dec 17 15:36:52 Server1 sshd[27799]: Received disconnect from 221.194.47.224 port 56669:11:  [preauth]
Dec 17 15:36:52 Server1 sshd[27799]: Disconnected from 221.194.47.224 port 56669 [preauth]
Dec 17 15:37:09 Server1 sshd[27943]: Received disconnect from 221.194.44.224 port 52491:11:  [preauth]
Dec 17 15:37:09 Server1 sshd[27943]: Disconnected from 221.194.44.224 port 52491 [preauth]
Dec 17 15:37:49 Server1 sshd[28090]: Received disconnect from 221.194.44.231 port 56014:11:  [preauth]
Dec 17 15:37:49 Server1 sshd[28090]: Disconnected from 221.194.44.231 port 56014 [preauth]
Dec 17 15:39:47 Server1 sshd[28723]: Received disconnect from 121.18.238.104 port 42416:11:  [preauth]
Dec 17 15:39:47 Server1 sshd[28723]: Disconnected from 121.18.238.104 port 42416 [preauth]
Dec 17 15:40:57 Server1 sshd[29075]: Received disconnect from 221.194.44.195 port 41836:11:  [preauth]
Dec 17 15:40:57 Server1 sshd[29075]: Disconnected from 221.194.44.195 port 41836 [preauth]
Dec 17 15:41:52 Server1 sshd[29371]: Received disconnect from 221.194.47.229 port 36960:11:  [preauth]
Dec 17 15:41:52 Server1 sshd[29371]: Disconnected from 221.194.47.229 port 36960 [preauth]
Dec 17 15:42:58 Server1 sshd[29715]: Received disconnect from 221.194.47.224 port 40100:11:  [preauth]
Dec 17 15:42:58 Server1 sshd[29715]: Disconnected from 221.194.47.224 port 40100 [preauth]
Dec 17 15:45:02 Server1 sshd[30360]: Received disconnect from 221.194.44.224 port 44602:11:  [preauth]
Dec 17 15:45:02 Server1 sshd[30360]: Disconnected from 221.194.44.224 port 44602 [preauth]
Dec 17 15:45:16 Server1 sshd[30493]: Received disconnect from 121.18.238.98 port 47550:11:  [preauth]
Dec 17 15:45:16 Server1 sshd[30493]: Disconnected from 121.18.238.98 port 47550 [preauth]
Dec 17 15:46:50 Server1 sshd[30933]: Received disconnect from 106.3.46.117 port 32849:11: Bye Bye [preauth]
Dec 17 15:46:50 Server1 sshd[30933]: Disconnected from 106.3.46.117 port 32849 [preauth]
Dec 17 15:48:38 Server1 sshd[31542]: Received disconnect from 221.194.47.249 port 40295:11:  [preauth]
Dec 17 15:48:38 Server1 sshd[31542]: Disconnected from 221.194.47.249 port 40295 [preauth]
Dec 17 15:49:42 Server1 sshd[31874]: Received disconnect from 221.194.47.249 port 52805:11:  [preauth]
Dec 17 15:49:42 Server1 sshd[31874]: Disconnected from 221.194.47.249 port 52805 [preauth]
Dec 17 15:51:03 Server1 sshd[32354]: Received disconnect from 221.194.47.229 port 49887:11:  [preauth]
Dec 17 15:51:03 Server1 sshd[32354]: Disconnected from 221.194.47.229 port 49887 [preauth]
Dec 17 15:51:09 Server1 sshd[32410]: Received disconnect from 221.194.44.195 port 46708:11:  [preauth]
Dec 17 15:51:09 Server1 sshd[32410]: Disconnected from 221.194.44.195 port 46708 [preauth]
Dec 17 15:52:53 Server1 sshd[448]: Received disconnect from 121.18.238.109 port 51936:11:  [preauth]
Dec 17 15:52:53 Server1 sshd[448]: Disconnected from 121.18.238.109 port 51936 [preauth]
Dec 17 15:55:30 Server1 sshd[1392]: Received disconnect from 221.194.44.219 port 33278:11:  [preauth]
Dec 17 15:55:30 Server1 sshd[1392]: Disconnected from 221.194.44.219 port 33278 [preauth]
Dec 17 15:59:38 Server1 sshd[2694]: Received disconnect from 121.18.238.98 port 45451:11:  [preauth]
Dec 17 15:59:38 Server1 sshd[2694]: Disconnected from 121.18.238.98 port 45451 [preauth]
Dec 17 16:00:15 Server1 sshd[2919]: Received disconnect from 121.18.238.109 port 35244:11:  [preauth]
Dec 17 16:00:15 Server1 sshd[2919]: Disconnected from 121.18.238.109 port 35244 [preauth]
Dec 17 16:01:53 Server1 sshd[3383]: Received disconnect from 121.18.238.114 port 38344:11:  [preauth]
Dec 17 16:01:53 Server1 sshd[3383]: Disconnected from 121.18.238.114 port 38344 [preauth]
Dec 17 16:05:18 Server1 sshd[4486]: Received disconnect from 121.18.238.104 port 53451:11:  [preauth]
Dec 17 16:05:18 Server1 sshd[4486]: Disconnected from 121.18.238.104 port 53451 [preauth]
Dec 17 16:07:05 Server1 sshd[5075]: Received disconnect from 221.194.44.231 port 48716:11:  [preauth]
Dec 17 16:07:05 Server1 sshd[5075]: Disconnected from 221.194.44.231 port 48716 [preauth]
Dec 17 16:14:24 Server1 sshd[7342]: Received disconnect from 221.194.47.229 port 35543:11:  [preauth]
Dec 17 16:14:24 Server1 sshd[7342]: Disconnected from 221.194.47.229 port 35543 [preauth]
Dec 17 16:17:56 Server1 sshd[8423]: Did not receive identification string from 123.31.31.157 port 61019
Dec 17 16:17:58 Server1 sshd[8429]: Invalid user support from 123.31.31.157 port 61796
Dec 17 16:17:58 Server1 sshd[8429]: input_userauth_request: invalid user support [preauth]
Dec 17 16:17:59 Server1 sshd[8429]: error: Received disconnect from 123.31.31.157 port 61796:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 17 16:17:59 Server1 sshd[8429]: Disconnected from 123.31.31.157 port 61796 [preauth]
Dec 17 16:21:52 Server1 sshd[9708]: Received disconnect from 221.194.44.224 port 60166:11:  [preauth]
Dec 17 16:21:52 Server1 sshd[9708]: Disconnected from 221.194.44.224 port 60166 [preauth]
Dec 17 16:25:31 Server1 sshd[11053]: Received disconnect from 221.194.47.208 port 43136:11:  [preauth]
Dec 17 16:25:31 Server1 sshd[11053]: Disconnected from 221.194.47.208 port 43136 [preauth]
Dec 17 16:37:20 Server1 sshd[14770]: Received disconnect from 121.18.238.109 port 53932:11:  [preauth]
Dec 17 16:37:20 Server1 sshd[14770]: Disconnected from 121.18.238.109 port 53932 [preauth]
Dec 17 16:46:25 Server1 sshd[17611]: Received disconnect from 222.239.10.143 port 37487:11: Bye Bye [preauth]
Dec 17 16:46:25 Server1 sshd[17611]: Disconnected from 222.239.10.143 port 37487 [preauth]
Dec 17 16:56:23 Server1 sshd[20794]: Received disconnect from 221.194.44.231 port 43393:11:  [preauth]
Dec 17 16:56:23 Server1 sshd[20794]: Disconnected from 221.194.44.231 port 43393 [preauth]
Dec 17 17:10:10 Server1 sshd[25124]: Invalid user admin from 111.73.45.188 port 4216
Dec 17 17:10:10 Server1 sshd[25124]: input_userauth_request: invalid user admin [preauth]
Dec 17 17:10:10 Server1 sshd[25124]: Connection reset by 111.73.45.188 port 4216 [preauth]
Dec 17 17:50:42 Server1 sshd[5510]: Did not receive identification string from 113.108.21.16 port 30715
Dec 17 18:01:59 Server1 sshd[9045]: Received disconnect from 221.194.44.219 port 48810:11:  [preauth]
Dec 17 18:01:59 Server1 sshd[9045]: Disconnected from 221.194.44.219 port 48810 [preauth]
Dec 17 18:05:40 Server1 sshd[10398]: Received disconnect from 221.194.47.224 port 52949:11:  [preauth]
Dec 17 18:05:40 Server1 sshd[10398]: Disconnected from 221.194.47.224 port 52949 [preauth]
Dec 17 18:15:22 Server1 sshd[13460]: Received disconnect from 121.18.238.109 port 33661:11:  [preauth]
Dec 17 18:15:22 Server1 sshd[13460]: Disconnected from 121.18.238.109 port 33661 [preauth]
Dec 17 18:37:59 Server1 sshd[20557]: Received disconnect from 221.194.47.229 port 56573:11:  [preauth]
Dec 17 18:37:59 Server1 sshd[20557]: Disconnected from 221.194.47.229 port 56573 [preauth]
Dec 17 19:42:10 Server1 sshd[8471]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 43248 ssh2 [preauth]
Dec 17 19:42:10 Server1 sshd[8471]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:15 Server1 sshd[8494]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 51064 ssh2 [preauth]
Dec 17 19:42:15 Server1 sshd[8494]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:21 Server1 sshd[8521]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 58205 ssh2 [preauth]
Dec 17 19:42:21 Server1 sshd[8521]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:27 Server1 sshd[8548]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 2122 ssh2 [preauth]
Dec 17 19:42:27 Server1 sshd[8548]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:33 Server1 sshd[8575]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 10968 ssh2 [preauth]
Dec 17 19:42:33 Server1 sshd[8575]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:39 Server1 sshd[8606]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 19736 ssh2 [preauth]
Dec 17 19:42:39 Server1 sshd[8606]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:45 Server1 sshd[8629]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 28418 ssh2 [preauth]
Dec 17 19:42:45 Server1 sshd[8629]: Disconnecting: Too many authentication failures [preauth]


Not sure what router you are using.  If you were using pfSense you could setup a rule to block an IP address, series or range of IP addresses.  I'd look at your router and see if you can block WAN IP address(es).

 

I can do that, or use the hosts.deny file, but the denyhosts plugin sounds like an elegant way to do it.  But I don't seem to be able to get it running presently.

  • 1 year later...


Jun 25 09:44:13 MMPC sshd[20914]: Failed password for root from 58.218.198.168 port 38471 ssh2
Jun 25 09:44:13 MMPC sshd[20914]: Received disconnect from 58.218.198.168 port 38471:11: [preauth]
Jun 25 09:44:13 MMPC sshd[20914]: Disconnected from authenticating user root 58.218.198.168 port 38471 [preauth]
Jun 25 09:44:37 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:37 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:38 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:38 MMPC sshd[20951]: Received disconnect from 58.218.198.168 port 51533:11: [preauth]
Jun 25 09:44:38 MMPC sshd[20951]: Disconnected from authenticating user root 58.218.198.168 port 51533 [preauth]
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
Jun 25 09:45:02 MMPC sshd[20983]: Received disconnect from 58.218.198.168 port 53625:11: [preauth]
Jun 25 09:45:02 MMPC sshd[20983]: Disconnected from authenticating user root 58.218.198.168 port 53625 [preauth]
Jun 25 09:45:26 MMPC sshd[21042]: Failed password for root from 58.218.198.168 port 61755 ssh2
Jun 25 09:45:26 MMPC sshd[21042]: Failed password for root from 58.218.198.168 port 61755 ssh2
Jun 25 09:45:26 MMPC sshd[21042]: Failed password for root from 58.218.198.168 port 61755 ssh2
Jun 25 09:45:27 MMPC sshd[21042]: Received disconnect from 58.218.198.168 port 61755:11: [preauth]
Jun 25 09:45:27 MMPC sshd[21042]: Disconnected from authenticating user root 58.218.198.168 port 61755 [preauth]
Jun 25 09:45:50 MMPC sshd[21094]: Failed password for root from 58.218.198.168 port 61991 ssh2
Jun 25 09:45:50 MMPC sshd[21094]: Failed password for root from 58.218.198.168 port 61991 ssh2
Jun 25 09:45:50 MMPC sshd[21094]: Failed password for root from 58.218.198.168 port 61991 ssh2
Jun 25 09:45:50 MMPC sshd[21094]: Received disconnect from 58.218.198.168 port 61991:11: [preauth]
Jun 25 09:45:50 MMPC sshd[21094]: Disconnected from authenticating user root 58.218.198.168 port 61991 [preauth]
Jun 25 09:46:15 MMPC sshd[21131]: Failed password for root from 58.218.198.168 port 18562 ssh2
Jun 25 09:46:15 MMPC sshd[21131]: Failed password for root from 58.218.198.168 port 18562 ssh2
Jun 25 09:46:15 MMPC sshd[21131]: Failed password for root from 58.218.198.168 port 18562 ssh2
Jun 25 09:46:15 MMPC sshd[21131]: Received disconnect from 58.218.198.168 port 18562:11: [preauth]
Jun 25 09:46:15 MMPC sshd[21131]: Disconnected from authenticating user root 58.218.198.168 port 18562 [preauth]
Jun 25 09:46:40 MMPC sshd[21183]: Failed password for root from 58.218.198.168 port 33124 ssh2
Jun 25 09:46:41 MMPC sshd[21183]: Failed password for root from 58.218.198.168 port 33124 ssh2
Jun 25 09:46:41 MMPC sshd[21183]: Failed password for root from 58.218.198.168 port 33124 ssh2
Jun 25 09:46:41 MMPC sshd[21183]: Received disconnect from 58.218.198.168 port 33124:11: [preauth]
Jun 25 09:46:41 MMPC sshd[21183]: Disconnected from authenticating user root 58.218.198.168 port 33124 [preauth]
Jun 25 09:47:06 MMPC sshd[21224]: Failed password for root from 58.218.198.168 port 45894 ssh2
Jun 25 09:47:06 MMPC sshd[21224]: Failed password for root from 58.218.198.168 port 45894 ssh2
Jun 25 09:47:06 MMPC sshd[21224]: Failed password for root from 58.218.198.168 port 45894 ssh2
Jun 25 09:47:06 MMPC sshd[21224]: Received disconnect from 58.218.198.168 port 45894:11: [preauth]
Jun 25 09:47:06 MMPC sshd[21224]: Disconnected from authenticating user root 58.218.198.168 port 45894 [preauth]

 

I am getting a ton of these. Has anybody set up a good Docker to block these after, let's say, 5 or 10 invalid logins?

 

Thanks!

Edited by m4f1050
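Both the opening post and the reply above ask for the same thing: ban a source IP once it has produced some number of failed logins. The script below is an added example, not code from this thread, from unRAID or from the denyhosts plugin. It parses sshd syslog lines in the formats posted above (a handful of them are embedded as constructed sample input), counts per-IP pre-auth failures inside a sliding window the way fail2ban's maxretry/findtime pair does, and prints iptables rules rather than applying them. The threshold of 5, the 10-minute window and the iptables command line are assumptions to tune; "Disconnected from" lines are deliberately not counted because they describe a connection that the matching "Received disconnect" line already counted.

```python
"""Count failed or unauthenticated sshd connections per source IP and emit ban rules.

Added example for the thread: parses syslog lines as sshd writes them, applies a
fail2ban-style maxretry/findtime rule, and prints firewall rules without running them.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: a subset of the sshd lines posted in this thread.
SAMPLE_LOG = """\
Dec 17 15:20:51 Server1 sshd[22708]: Received disconnect from 221.194.47.229 port 44863:11:  [preauth]
Dec 17 15:20:51 Server1 sshd[22708]: Disconnected from 221.194.47.229 port 44863 [preauth]
Dec 17 15:27:26 Server1 sshd[24858]: Received disconnect from 221.194.47.229 port 41578:11:  [preauth]
Dec 17 15:34:22 Server1 sshd[27042]: Received disconnect from 221.194.47.229 port 39632:11:  [preauth]
Dec 17 15:41:52 Server1 sshd[29371]: Received disconnect from 221.194.47.229 port 36960:11:  [preauth]
Dec 17 15:51:03 Server1 sshd[32354]: Received disconnect from 221.194.47.229 port 49887:11:  [preauth]
Dec 17 16:17:56 Server1 sshd[8423]: Did not receive identification string from 123.31.31.157 port 61019
Dec 17 16:17:58 Server1 sshd[8429]: Invalid user support from 123.31.31.157 port 61796
Dec 17 16:17:58 Server1 sshd[8429]: input_userauth_request: invalid user support [preauth]
Dec 17 16:17:59 Server1 sshd[8429]: error: Received disconnect from 123.31.31.157 port 61796:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 17 19:42:10 Server1 sshd[8471]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 43248 ssh2 [preauth]
Dec 17 19:42:10 Server1 sshd[8471]: Disconnecting: Too many authentication failures [preauth]
Dec 17 19:42:15 Server1 sshd[8494]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 51064 ssh2 [preauth]
Dec 17 19:42:21 Server1 sshd[8521]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 58205 ssh2 [preauth]
Dec 17 19:42:27 Server1 sshd[8548]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 2122 ssh2 [preauth]
Dec 17 19:42:33 Server1 sshd[8575]: error: maximum authentication attempts exceeded for root from 218.65.30.134 port 10968 ssh2 [preauth]
Jun 25 09:44:37 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:37 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:38 MMPC sshd[20951]: Failed password for root from 58.218.198.168 port 51533 ssh2
Jun 25 09:44:38 MMPC sshd[20951]: Received disconnect from 58.218.198.168 port 51533:11: [preauth]
Jun 25 09:45:01 MMPC sshd[20983]: Failed password for root from 58.218.198.168 port 53625 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Each line is counted at most once. "Disconnected from" lines are not listed: they
# belong to the same connection already counted by its "Received disconnect" line.
FAILURE_RES = [re.compile(p) for p in (
    r"Failed password for .+ from " + IP,
    r"Invalid user \S+ from " + IP,
    r"maximum authentication attempts exceeded for .+ from " + IP,
    r"Did not receive identification string from " + IP,
    r"Received disconnect from " + IP + r" port \d+:\d+: .*\[preauth\]",
    r"Connection reset by " + IP + r" port \d+ \[preauth\]",
)]
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")


def parse_time(ts):
    """Syslog stamps carry no year; pin one so times within a file compare correctly.
    (A log that spans New Year would need the real year; not handled here.)"""
    return datetime.strptime("2000 " + " ".join(ts.split()), "%Y %b %d %H:%M:%S")


def failures(lines):
    """Map source IP -> timestamps of lines that show a failed or unauthenticated attempt."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        for pat in FAILURE_RES:
            hit = pat.search(m.group("msg"))
            if hit:
                events[hit.group("ip")].append(parse_time(m.group("ts")))
                break
    return events


def offenders(lines, maxretry=5, findtime=600):
    """IPs with at least `maxretry` failures inside any `findtime`-second window.

    Same semantics as fail2ban's maxretry/findtime; both values are assumptions to tune.
    Returns {ip: total failures seen for that ip}.
    """
    window = timedelta(seconds=findtime)
    banned = {}
    for ip, times in failures(lines).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = len(times)
                break
    return banned


def ban_rules(ips, port=22):
    """iptables rules as strings (assumed syntax for a Linux host with iptables).
    Nothing is executed, so the list can be reviewed before it is applied."""
    ordered = sorted(ips, key=ipaddress.ip_address)
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ordered]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for rule in ban_rules(offenders(lines)):
        print(rule)
```

With the embedded sample and the defaults, only 218.65.30.134 and 58.218.198.168 are banned; 221.194.47.229 connects roughly every seven minutes, so it never puts five attempts inside a ten-minute window and only shows up once findtime is raised to an hour. That is the trade-off to set deliberately: a short window catches brute-force bursts, a long one catches slow scanners. Two further points before wiring this to a cron job: hosts.deny only has an effect if the sshd build links tcp_wrappers (upstream OpenSSH dropped that support in 6.7), so a firewall rule is the more dependable target; and whitelist the backup source's address before enabling any automatic ban, or a key misconfiguration on the other unRAID box will lock your own backup out.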

First off, shut down your unRAID server, then reconfigure your router to not put the unRAID server on a DMZ (or port-forward the SSH port).

Then there's no problem anymore

 

But seriously - why is the unRAID server (or the SSH port) exposed to the internet at large?


Any ssh server that is exposed should be configured to only support keys - never passwords.

 

The first time the scan programs are requested to supply a key, they will instantly disconnect and go looking for a different server.

 

And since internal machines can also be hacked and used as stepping stones to attack other machines, even internal ssh servers really should be configured to not allow password login.

 

Never design a system with just shell protection - assume that every machine around you is hostile.

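The reply above recommends key-only logins for any exposed sshd. As an added example (not code from this thread or from the SSH_Config plugin), here is a small audit that reads an sshd_config the way sshd does, with case-insensitive keywords, first occurrence of a keyword winning, and everything after a Match block treated as conditional, and reports any setting that still leaves a password path open. The policy values, the two embedded configs and the assumption of a stock OpenSSH build with upstream defaults are mine; Include directives (OpenSSH 8.2 and later) are not followed.

```python
"""Audit an sshd_config for the settings an internet-exposed server should have.

Added example for the thread; not the SSH_Config plugin's code. It reads the file the
way sshd does (keywords case-insensitive, first occurrence wins, directives after a
Match block are conditional) and reports anything that still leaves a password path open.
"""
import re

# Upstream OpenSSH defaults for absent keywords (assumption: a stock build; a distro
# may patch them). PermitRootLogin has defaulted to prohibit-password since OpenSSH 7.0.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Assumed policy for an exposed sshd: keys only, root only by key, few tries per
# connection. "without-password" is the pre-7.0 spelling of prohibit-password.
POLICY = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},  # keyboard-interactive is a password path too
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "permitemptypasswords": {"no"},
}
MAX_AUTH_TRIES = 3

# sshd accepts "Keyword value" and "Keyword=value"
DIRECTIVE_RE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def effective_settings(config_text):
    """Keyword -> value as sshd would apply it to the global section."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = DIRECTIVE_RE.match(line).groups()
        key = key.lower()
        if key == "match":
            break  # everything below applies only to matching connections
        if key in settings and key not in seen:
            settings[key] = value.strip().lower()  # first occurrence wins
            seen.add(key)
    return settings


def violations(settings):
    """[(keyword, actual, required)] for each setting that breaks the policy."""
    found = [(k, settings[k], "/".join(sorted(ok)))
             for k, ok in POLICY.items() if settings[k] not in ok]
    tries = settings["maxauthtries"]
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        found.append(("maxauthtries", tries, f"<= {MAX_AUTH_TRIES}"))
    return found


# Constructed examples. WEAK leaves the upstream defaults in place for everything it
# does not mention, so password logins and six tries per connection stay enabled.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# HARDENED: keys only globally. The later duplicate line and the Match block do not
# change the global result (first occurrence wins, Match is conditional); that is
# the trap a by-hand review tends to miss when a file has been edited several times.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
PasswordAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for key, actual, required in violations(effective_settings(text)):
        print(f"{key}: is '{actual}', should be {required}")
```

Run it against /etc/ssh/sshd_config (or the file the plugin writes) and then cross-check with sshd itself: `sshd -t` validates the syntax and `sshd -T` dumps the effective configuration, which is the authoritative answer if a distro default or an Include differs from what this script assumes.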