Blocking root brut force

robbo007
Posts: 95
Joined: 2009-05-18 11:24


#1 Post by robbo007 »

Hiya all,

I've got loads of brute force attempts in my logwatch log. I use fail2ban, but it does not look like it's applying the rules correctly.

Can someone help out?

I've got this in /etc/fail2ban/jail.conf and sshd.conf:

# /etc/fail2ban/jail.conf
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

# /etc/fail2ban/filter.d/sshd.conf (the filter the jail's "filter = sshd" refers to)
[Definition]
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$



The root brute force attempts are logged here:

Jun 17 11:30:01 sosaria CRON[25921]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:30:01 sosaria CRON[25922]: pam_unix(cron:session): session closed for user root
Jun 17 11:30:01 sosaria CRON[25921]: pam_unix(cron:session): session closed for user root
Jun 17 11:30:02 sosaria CRON[25920]: pam_unix(cron:session): session closed for user root
Jun 17 11:33:36 sosaria CRON[25919]: pam_unix(cron:session): session closed for user root
Jun 17 11:35:01 sosaria CRON[26082]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:35:02 sosaria CRON[26082]: pam_unix(cron:session): session closed for user root
Jun 17 11:39:01 sosaria CRON[26153]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:39:01 sosaria CRON[26153]: pam_unix(cron:session): session closed for user root
Jun 17 11:40:01 sosaria CRON[26168]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:40:01 sosaria CRON[26168]: pam_unix(cron:session): session closed for user root
Jun 17 11:45:01 sosaria CRON[26244]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:45:01 sosaria CRON[26244]: pam_unix(cron:session): session closed for user root
Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session closed for user root
Jun 17 11:51:19 sosaria sshd[26373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.209.171.162 user=root
Jun 17 11:51:22 sosaria sshd[26373]: Failed password for root from 115.209.171.162 port 56229 ssh2
Jun 17 11:52:16 sosaria sshd[26384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.199.52.73 user=root
Jun 17 11:52:18 sosaria sshd[26384]: Failed password for root from 121.199.52.73 port 33520 ssh2
Jun 17 11:55:01 sosaria CRON[26426]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:55:02 sosaria CRON[26426]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:01 sosaria CRON[26507]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26506]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26504]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26505]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26507]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:01 sosaria CRON[26506]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:03 sosaria CRON[26505]: pam_unix(cron:session): session closed for user root
Jun 17 12:03:34 sosaria CRON[26504]: pam_unix(cron:session): session closed for user root
Jun 17 12:05:01 sosaria CRON[26662]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:05:01 sosaria CRON[26662]: pam_unix(cron:session): session closed for user root
Jun 17 12:09:01 sosaria CRON[26750]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:09:01 sosaria CRON[26750]: pam_unix(cron:session): session closed for user root
Jun 17 12:10:01 sosaria CRON[26781]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:10:01 sosaria CRON[26781]: pam_unix(cron:session): session closed for user root
Jun 17 12:10:51 sosaria sshd[26812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:10:53 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:10:55 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:10:58 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:00 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:03 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:06 sosaria sshd[26812]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:07 sosaria sshd[26823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:09 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:11 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:14 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:15 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:18 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:20 sosaria sshd[26823]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:20 sosaria sshd[26825]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:22 sosaria sshd[26825]: Failed password for root from 91.224.160.39 port 44559 ssh2
Jun 17 12:11:24 sosaria sshd[26825]: Failed password for root from 91.224.160.39 port 44559 ssh2

My logwatch report:

Failed logins from:
    5.189.144.15 (vmi74005.contabo.host): 1608 times
        root/password: 1591 times
        nobody/password: 3 times
        backup/password: 2 times
        ftp/password: 2 times
        mysql/password: 2 times
        sshd/password: 2 times
        sync/password: 2 times
        games/password: 1 time
        mail/password: 1 time
        news/password: 1 time
        www-data/password: 1 time
    54.67.14.28 (ec2-54-67-14-28.us-west-1.compute.amazonaws.com): 60 times
        root/password: 60 times
    91.201.236.158: 73 times
        root/password: 73 times
    91.224.160.10: 24 times
        root/password: 24 times
    103.207.36.136: 2 times
        root/password: 2 times
    113.57.232.34: 1 time
        root/password: 1 time
    187.141.5.177 (lan-d32-0806-1134.uninet-ide.com.mx): 10 times
        root/password: 9 times
        ftp/password: 1 time
    190.214.44.21 (mail.19d04.mspz7.gob.ec): 79 times
        root/password: 79 times
    201.249.231.59 (201-249-231-59.estatic.cantv.net): 3 times
        root/password: 3 times
    212.83.145.18 (212-83-145-18.rev.poneytelecom.eu): 2 times
        root/password: 2 times
    212.83.148.113 (212-83-148-113.rev.poneytelecom.eu): 2 times
        root/password: 2 times
    212.129.61.148 (212-129-61-148.rev.poneytelecom.eu): 6 times
        root/password: 4 times
        ftp/password: 2 times
    217.144.201.243 (static-201-243.is.net.pl): 713 times
        root/password: 713 times

Thanks,
Rob

day
Posts: 56
Joined: 2015-03-03 00:00

Re: Blocking root brut force

#2 Post by day »

use a different port than 22

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Blocking root brut force

#3 Post by GarryRicketson »

It would be nice if the OP would use code boxes.
http://forums.debian.net/viewtopic.php?f=16&t=123831

A lot of these that the OP shows are common bots, and they constantly go from site to site trying to access them; the main thing is that they do not succeed.
I noticed this one, and there are others the OP shows, but it is too much trouble trying to read them without code boxes:

From the list posted by the OP:


54.67.14.28 (ec2-54-67-14-28.us-west-1.compute.amazonaws.com): 60 times
For example, on this, why do you allow it to stay connected and try 60 times?
It should be blocked, and simply not allowed any access.
It should not even be getting a chance to try to log in. They are known to be "bad".


Example, from my logs:


 #: 28872 @: Thu, 16 Jun 2016 03:25:39 -0700 Running: 0.4.10a3 / 75d
Host: ec2-54-82-97-53.compute-1.amazonaws.com
IP: 54.82.97.53
Score: 1
Violation count: 1 
Why blocked: Amazon Web Services. Not an access provider ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories (CLD-0AMZ). Checked for bypass - 
Query: 
Referer: 
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 
==============================

robbo007
Posts: 95
Joined: 2009-05-18 11:24

Re: Blocking root brut force

#4 Post by robbo007 »

How can I stop it connecting 60 times? In fail2ban it's set to 6. But I think it's not catching it as the ports are not 22. They are using a different port each time.
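To see what the [ssh] jail from post #1 actually does with the auth.log lines quoted there, and to answer the port question in post #4, here is an added example that replays the posted failregex list over those lines. It is not the original poster's code and not fail2ban itself: PREFIX is a simplified stand-in for fail2ban's %(__prefix_line)s macro (an assumption, matching Debian's default syslog line format), the log year is assumed to be 2016 because syslog lines carry none, and SAMPLE_LINES are copied from the post with one CRON line added as a negative case. The point the port question misses is visible in HOST: fail2ban substitutes <HOST> with a pattern for the address only, and the "port 36601" that follows is the client's source port, matched by the optional `(?: port \d*)?` group, so a different port on every connection does not stop a line from matching.

```python
"""Replay the posted [ssh] jail's failregex list over the posted auth.log lines.

Added example; not the original poster's code and not fail2ban itself.
Assumptions: PREFIX stands in for fail2ban's %(__prefix_line)s (simplified to
Debian's default syslog format), the year is taken as 2016, and SAMPLE_LINES
are copied from the post plus one CRON line as a negative case.
"""
import re
from datetime import datetime, timedelta

# Stand-in for %(__prefix_line)s: syslog timestamp, host, "sshd[pid]: " and the
# optional pam_unix(sshd:auth) tag.  Assumption, not fail2ban's real macro.
PREFIX = (r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
          r"(?:pam_unix\(sshd:auth\): )?")

# What fail2ban substitutes for <HOST>: the address or name only.  The client's
# source port ("port 36601") is matched separately by the failregex itself, so
# a changing port never stops a line from matching.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from the post, with the %(__prefix_line)s macro removed.
FAILREGEX = [
    r"(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$",
    r"Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"ROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"User .+ from <HOST> not allowed because not listed in AllowUsers$",
    r"authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"refused connect from \S+ \(<HOST>\)\s*$",
    r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$",
    r"User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$",
]
COMPILED = [re.compile(PREFIX + rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

SAMPLE_LINES = [  # copied from the post; first line is a CRON entry that must not match
    "Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jun 17 11:51:19 sosaria sshd[26373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.209.171.162 user=root",
    "Jun 17 11:51:22 sosaria sshd[26373]: Failed password for root from 115.209.171.162 port 56229 ssh2",
    "Jun 17 11:52:16 sosaria sshd[26384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.199.52.73 user=root",
    "Jun 17 11:52:18 sosaria sshd[26384]: Failed password for root from 121.199.52.73 port 33520 ssh2",
    "Jun 17 12:10:51 sosaria sshd[26812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root",
    "Jun 17 12:10:53 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2",
    "Jun 17 12:10:55 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2",
    "Jun 17 12:10:58 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2",
    "Jun 17 12:11:00 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2",
    "Jun 17 12:11:03 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2",
    "Jun 17 12:11:06 sosaria sshd[26812]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root",
    "Jun 17 12:11:07 sosaria sshd[26823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root",
    "Jun 17 12:11:09 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2",
    "Jun 17 12:11:11 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2",
    "Jun 17 12:11:14 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2",
    "Jun 17 12:11:15 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2",
    "Jun 17 12:11:18 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2",
    "Jun 17 12:11:20 sosaria sshd[26823]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root",
    "Jun 17 12:11:20 sosaria sshd[26825]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root",
    "Jun 17 12:11:22 sosaria sshd[26825]: Failed password for root from 91.224.160.39 port 44559 ssh2",
    "Jun 17 12:11:24 sosaria sshd[26825]: Failed password for root from 91.224.160.39 port 44559 ssh2",
]


def match_line(line):
    """Return (timestamp, host) for the first failregex that matches, else None."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            # Syslog lines carry no year; 2016 is assumed for this example.
            ts = datetime.strptime(m.group("ts") + " 2016", "%b %d %H:%M:%S %Y")
            return ts, m.group("host")
    return None


def failures_per_host(lines):
    """Map host -> sorted failure timestamps, counted the way the jail counts them."""
    hits = {}
    for line in lines:
        found = match_line(line)
        if found:
            ts, host = found
            hits.setdefault(host, []).append(ts)
    for stamps in hits.values():
        stamps.sort()
    return hits


def hosts_to_ban(lines, maxretry=6, findtime=600):
    """Hosts that reach maxretry matches inside one findtime-second window, i.e.
    what the posted jail (maxretry = 6, fail2ban's default findtime of 600 s) bans."""
    window = timedelta(seconds=findtime)
    banned = set()
    for host, stamps in failures_per_host(lines).items():
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for host, stamps in failures_per_host(SAMPLE_LINES).items():
        print(f"{host}: {len(stamps)} matching lines")
    print("would be banned:", sorted(hosts_to_ban(SAMPLE_LINES)))
```

Run against the posted excerpt, 91.224.160.39 produces 15 matching lines in about half a minute (three pam_unix "authentication failure" lines plus twelve "Failed password" lines, across three source ports), far past maxretry = 6, so the filter itself is not the reason it was not banned. Note also that the "PAM 4 more authentication failures" lines match none of the posted patterns, so the jail undercounts each connection by four. The real tool for this check is fail2ban-regex, run as `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which uses the genuine %(__prefix_line)s macro; if that reports matches but `fail2ban-client status ssh` shows no bans, the problem is in the jail or ban action, not in the regexes.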

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Blocking root brut force

#5 Post by GarryRicketson »

I am not much of an expert at all on this, so I can't say much.
However, there are some "experts" here, or used to be:
http://spambotsecurity.com/
And this forum:
http://www.spambotsecurity.com/forum/

Although it says "spambot security", they do go beyond just spam bots.
A lot may depend on, and need, some better details about your server,
if it is a "production" server?...
I am assuming it is online; these kinds of attempts would not be seen on a
"localhost" server that is not online (internet).

Security is a pretty complex subject; also, I really have never used "fail2ban", although
I have heard of it and seen it mentioned quite often.
This might be a good place to start:
https://www.debian.org/doc/manuals/secu ... 10.en.html

https://debian-administration.org/artic ... ess_secure

and this:
https://www.digitalocean.com/community/ ... n-debian-7

I have to go out for some errands and cannot say any more just now; maybe someone
else will have more details.
There are databases that have lists of most of the IPs and ISPs that you need to be blocking; that is why I like the "ZBBLOCK" script: it accesses them and checks, and then
if it is listed, it gets blocked. Some searches may also be of help to you. I will try to get back later on this.

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Blocking root brut force

#6 Post by pylkko »

No firewall? Block all ports except ssh 22 if that is what you need. Move ssh to another port and block root logons entirely.

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Blocking root brut force

#7 Post by dasein »

pylkko wrote:...block root logons entirely.
+1

Having a password-based root login available is going to make your machine a target, period.

Two options:

1) Disable root logins and use su. That way:

- There's no "known" user name (i.e. "root") for attackers to try to hack
- An attacker has to be able to compromise TWO passwords, not just one, in order to wreak root-level havoc on your machine

2) Better still: use passwordless key-based login if at all practical.

tl;dr: Having a machine on the interwebs with remote root login available is a stunningly bad idea.
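A check for the advice in this post, as an added example that is not dasein's or OpenSSH's code: it reads an sshd_config the way sshd does for the keywords that matter here and reports what still permits a remote root password login. The one parsing rule it models is the one that bites in practice: for each keyword, the first value in the file wins, so a "PermitRootLogin no" appended below an existing "PermitRootLogin yes" changes nothing. WEAK_CONFIG and HARDENED_CONFIG are constructed samples; stopping at the first Match block (so only the global section is audited) is an assumption for this example.

```python
"""Audit an sshd_config for what the thread recommends: no remote root login and
key-only authentication.  Added example, not the poster's or OpenSSH's code.
Models sshd's "first value of a keyword wins" rule; auditing only the global
section (stop at the first Match block) is an assumption for this example.
"""
import re

# Constructed sample: still allows root password logins, despite the last line.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later by an admin who expected it to take effect:
PermitRootLogin no
"""

# Constructed sample: what the thread recommends.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""


def effective_settings(config_text):
    """Return {keyword: first value} for the global section of an sshd_config.

    Keywords are case-insensitive, '#' starts a comment, and sshd accepts both
    "Keyword value" and "Keyword=value".  Parsing stops at the first Match
    block, whose values apply only conditionally.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return settings


def root_login_findings(config_text):
    """List what still needs fixing; an empty list means the config follows the advice."""
    s = effective_settings(config_text)
    findings = []
    if s.get("permitrootlogin") != "no":
        # The default for an unset PermitRootLogin depends on the OpenSSH version,
        # so it must be set explicitly to pass.
        findings.append("PermitRootLogin is %r, expected 'no'"
                        % s.get("permitrootlogin", "unset"))
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # With UsePAM yes, PAM can still prompt for a password over keyboard-interactive
    # unless this is off too (keyword renamed KbdInteractiveAuthentication in newer OpenSSH).
    if s.get("challengeresponseauthentication",
             s.get("kbdinteractiveauthentication", "yes")) != "no":
        findings.append("ChallengeResponseAuthentication is not 'no'")
    if s.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication is 'no'; key-based login would not work")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, root_login_findings(cfg) or "ok")
```

Before restarting sshd with the hardened settings, check the syntax with `sshd -t`, and keep the current SSH session open while confirming from a second terminal that key-based login works; otherwise a typo in authorized_keys plus PasswordAuthentication no locks you out of the box.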
