[arm-allstar] Brute force root attack on node from China?
Glenn Morgon
radion8hc at gmail.com
Mon Jul 2 05:15:41 EST 2018
To add, an easy way to view failed login attempts is through the command:
====
last -f /var/log/btmp
====
In my case I had a number of entries like these, from the same address:
====
root ssh:notty 118.186.17.9 Sun Jul 1 21:09 - 21:35 (00:25)
root ssh:notty 118.186.17.9 Sun Jul 1 20:44 - 21:09 (00:25)
root ssh:notty 118.186.17.9 Sun Jul 1 20:31 - 20:44 (00:12)
root ssh:notty 118.186.17.9 Sun Jul 1 20:19 - 20:31 (00:12)
root ssh:notty 118.186.17.9 Sun Jul 1 20:06 - 20:19 (00:12)
====
On Mon, Jul 2, 2018 at 2:53 AM, Glenn Morgon <radion8hc at gmail.com> wrote:
> I was digging through my Linux log and saw a lot of these in the log:
> ====
>
> Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9 user=root
> Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
> Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
> Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
> Jul 02 02:19:33 n8hc-47380 sshd[9702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9 user=root
> Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
> Jul 02 02:19:35 n8hc-47380 sshd[9702]: Connection closed by 118.186.17.9 port 45437 [preauth]
>
> ====
>
> There are literally scores of these line entries in my log in the last
> couple of hours since I had rebooted it. All coming from 118.186.17.9, which
> shows as being from China.
>
> Curious that the log reports the port as not being the actual ssh port I
> have configured, although, when I ssh into my node it too shows a port that
> is not the same port I am using.
>
> I ended up blocking further attempts by running the command:
> ====
> iptables -A INPUT -s 118.186.17.0/24 -j DROP
> ====
> Although I think I'll change it to 118.186.0.0/16 as it appears all 256
> nets are associated to China. While I realize this doesn't address them
> using a proxy, perhaps it will encourage them to seek out an easier target.
>
> I've got a couple of nodes on my network with forwarded custom ssh ports
> but this is the only one they seem to have noticed at this point.
>
> So this is my PSA for using strong passwords and checking your logs now
> and again.
>
> Glenn
>
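As an added example (not part of Glenn's post or the AllStar project): a small Python script that does by program what the `last -f /var/log/btmp` check and reading the journal do by eye. It parses sshd "Failed password" lines, tallies attempts per source address with the user names tried and the client ports seen, flags sources over a threshold, and prints the same kind of `iptables` DROP rule Glenn used, with the host bits masked off for the chosen prefix length. The sample log is constructed, modelled on the lines quoted above plus two extra lines using TEST-NET addresses (a second source and one successful key login) so the filter has something to ignore. The `port NNNNN` in these lines is the client's ephemeral source port, not the server's listening port, which is why it never matches the configured sshd port.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input, modelled on the sshd journal lines quoted in the thread.
# The last two lines are added (TEST-NET addresses) to show a second source and a success.
SAMPLE_LOG = """\
Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9 user=root
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
Jul 02 02:19:33 n8hc-47380 sshd[9702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9 user=root
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Connection closed by 118.186.17.9 port 45437 [preauth]
Jul 02 02:20:01 n8hc-47380 sshd[9710]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jul 02 02:21:40 n8hc-47380 sshd[9722]: Accepted publickey for allstar from 192.0.2.10 port 50112 ssh2: ED25519 SHA256:CONSTRUCTED-PLACEHOLDER
"""

# sshd writes a pam_unix line and a "Failed password" line for the same attempt; only the
# latter is counted so each attempt scores once. "invalid user" appears when the account
# does not exist on the box.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse_failures(log_text):
    """Return one dict (ts, user, ip, port) per failed password attempt in log_text."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"], "port": int(m["port"])})
    return failures


def summarize(failures):
    """Aggregate per source address: attempt count, user names tried, client ports, first/last time."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "ports": set(), "first": None, "last": None})
    for f in failures:
        s = summary[f["ip"]]
        s["count"] += 1
        s["users"].add(f["user"])
        s["ports"].add(f["port"])
        s["first"] = s["first"] or f["ts"]
        s["last"] = f["ts"]
    return dict(summary)


def flag_sources(summary, threshold):
    """Addresses with at least `threshold` failed attempts, busiest first."""
    hits = [ip for ip, s in summary.items() if s["count"] >= threshold]
    return sorted(hits, key=lambda ip: -summary[ip]["count"])


def block_rule(ip, prefix_len=24):
    """iptables rule dropping the enclosing /prefix_len network (host bits masked off), as in the thread."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return f"iptables -A INPUT -s {net} -j DROP"


if __name__ == "__main__":
    summary = summarize(parse_failures(SAMPLE_LOG))
    for ip in flag_sources(summary, threshold=2):
        s = summary[ip]
        print(f"{ip}: {s['count']} failures between {s['first']} and {s['last']}, "
              f"users={sorted(s['users'])}, client ports={sorted(s['ports'])}")
        print("  suggested:", block_rule(ip))
```

Run it against real output with `journalctl -u ssh --no-pager` (or `/var/log/auth.log` on syslog systems) piped into `parse_failures`; the threshold is a local policy choice, and widening the prefix from /24 to /16, as the thread discusses, is simply `block_rule(ip, 16)`.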