[net] user connction to sshd
jeff at neobox.net
Sat Jul 9 23:05:52 MDT 2005
> We noticed yesterday that there were a number of connections to the
> SSH daemon running on a test box we had running outside our firewall
> (running RH 8.0!). The connections were from someplace in Florida,
> and someplace in Germany (we think).
Welcome to the exciting world of SSH exploit attempts! :)
I've found that any time I have an SSH server running on the internet,
it's absolutely bombarded with repeated crack attempts using random
(but fairly predictable) usernames. Here's a sample from today's log:
Jul 9 18:26:15 [sshd] Invalid user httpd from ::ffff:220.127.116.11
Jul 9 18:26:17 [sshd] Invalid user alex from ::ffff:18.104.22.168
Jul 9 18:26:21 [sshd] Invalid user brett from ::ffff:22.214.171.124
Jul 9 18:54:14 [sshd] Invalid user test from ::ffff:126.96.36.199
Jul 9 18:54:18 [sshd] Invalid user guest from ::ffff:188.8.131.52
Jul 9 18:54:21 [sshd] Invalid user admin from ::ffff:184.108.40.206
It goes on for thousands of entries. The pattern I've seen is anywhere
from a dozen to a couple hundred attempts from the same remote box. I
can only assume these are compromised 'bots running automated shell
scripts in hopes of hitting the jackpot.
There are several solutions. Off the top of my head:
1) The best would be to lock down port 22 to only allow connections from
known IP's, but in many cases (like mine) I need to allow worldwide
access because I have clients who are pretty much anywhere.
2) It would be clever and effective to have some process running on your
server, and when it detected multiple failed SSH login attempts, it
would add a rule to a running iptables ruleset to block that IP. This
is reactive, rather than proactive, but stops repeated hits from the
same place. I imagine after a few days you'd have an impressive
3) The lazy man's solution (mine, heh) is to have usernames that are a
bit harder to guess (e.g., "jschroed" instead of "jeff") and ensure
that passwords are strong. Of particular importance is the "root"
password, which should be "unguessable" and probably changed regularly.
Note that you can configure SSH to refuse root access altogether, which
is a wise move.
Anyway, the bottom line is that you're not seeing anything out of the
ordinary, and you should expect it to continue. Just follow some
common-sense strategies to secure the box, and you'll be fine.
Whee, ain't the internet fun? ;)
More information about the PLUG