[arm-allstar] Brute force root attack on node from China?

Doug Crompton wa3dsp at gmail.com
Mon Jul 2 09:21:24 EST 2018


Glenn,

  I understand that this can be unnerving, but a few failed attempts, or even
scores of them, are not going to make it in, assuming you have a good password.
SSH only allows three failed attempts and then the session has to be restarted.
Also, it should be pointed out that if you are using a router, you do not have
to forward the ssh port, whatever it is, if you do not intend to control your
system from outside of your LAN. I notice that many use less than optimum
passwords containing names or words rather than random characters of
upper/lower case letters, numbers, and special characters.


73 Doug

WA3DSP

http://www.crompton.com/hamradio


On Mon, Jul 2, 2018 at 6:15 AM, "Glenn Morgon via arm-allstar" <
arm-allstar at hamvoip.org> wrote:

> To add, an easy way to view failed login attempts is through the command:
> ====
> last -f /var/log/btmp
> ====
>
> In my case I had a number of entries like these, from the same address:
> ====
> root     ssh:notty    118.186.17.9     Sun Jul  1 21:09 - 21:35  (00:25)
> root     ssh:notty    118.186.17.9     Sun Jul  1 20:44 - 21:09  (00:25)
> root     ssh:notty    118.186.17.9     Sun Jul  1 20:31 - 20:44  (00:12)
> root     ssh:notty    118.186.17.9     Sun Jul  1 20:19 - 20:31  (00:12)
> root     ssh:notty    118.186.17.9     Sun Jul  1 20:06 - 20:19  (00:12)
> ====
>
>
> On Mon, Jul 2, 2018 at 2:53 AM, Glenn Morgon <radion8hc at gmail.com> wrote:
>
> > I was digging through my Linux log and saw a lot of these in the log:
> > ====
> >
> > Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=118.186.17.9  user=root
> > Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from
> 118.186.17.9 port 33831 ssh2
> > Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9
> port 33831 [preauth]
> > Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group
> rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
> > Jul 02 02:19:33 n8hc-47380 sshd[9702]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=118.186.17.9  user=root
> > Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from
> 118.186.17.9 port 45437 ssh2
> > Jul 02 02:19:35 n8hc-47380 sshd[9702]: Connection closed by 118.186.17.9
> port 45437 [preauth]
> >
> > ====
> >
> > There are literally scores of these line entries in my log in the last
> > couple of hours since I had rebooted it.  All coming from 118.186.17.9, which
> > shows as being from China.
> >
> > Curious that the log reports the port as not being the actual ssh port I
> > have configured, although, when I ssh into my node it too shows a port
> that
> > is not the same port I am using.
> >
> > I ended up blocking further attempts by running the command:
> > ====
> >  iptables -A INPUT -s 118.186.17.0/24 -j DROP
> > ====
> > Although I think I'll change it to 118.186.0.0/16 as it appears all 256
> > nets are associated to China.  While I realize this doesn't address them
> > using a proxy, perhaps it will encourage them to seek out an easier
> target.
> >
> > I've got a couple of nodes on my network with forwarded custom ssh ports
> > but this is the only one they seem to have noticed at this point.
> >
> > So this is my PSA for using strong passwords and checking your logs now
> > and again.
> >
> > Glenn
> >
> _______________________________________________
>
> arm-allstar mailing list
> arm-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2/3 web page - http://hamvoip.org
>
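The thread above does two things by hand: reads failed logins out of the journal and /var/log/btmp, then drops the source with an iptables rule. The script below is an added example, not code from the original posts or from hamvoip, that automates that check: it parses sshd "Failed password" lines in the journalctl format shown in the thread, counts failures per source address, flags sources that cross a threshold inside a time window, and prints the corresponding `iptables -A INPUT -s ... -j DROP` rules. The sample log lines are constructed for the example (patterned on the excerpt in the thread, with 203.0.113.5 added as a second, low-volume source), the threshold and window are assumptions, and the year is supplied by the caller because journalctl lines carry none. Note that the "port NNNNN" in each log line is the client's ephemeral source port, not the sshd listening port, which is why it never matches the port configured on the node.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample journal lines, patterned on the sshd excerpt in the thread
# (not copied from any node). 203.0.113.5 is a documentation address used here
# as a second source that stays below the threshold.
SAMPLE_LOG = """\
Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
Jul 02 02:12:01 n8hc-47380 sshd[9540]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
Jul 02 02:31:12 n8hc-47380 sshd[9811]: Failed password for root from 118.186.17.9 port 40120 ssh2
Jul 02 02:44:50 n8hc-47380 sshd[9903]: Failed password for root from 118.186.17.9 port 38877 ssh2
Jul 02 02:45:03 n8hc-47380 sshd[9910]: Accepted publickey for repeater from 192.168.1.20 port 52344 ssh2
Jul 02 02:57:19 n8hc-47380 sshd[9988]: Failed password for root from 118.186.17.9 port 36010 ssh2
"""

# Matches sshd's "Failed password" line in journalctl/syslog form. The
# "port NNNNN" at the end is the client's ephemeral source port, so it is
# captured only to be ignored; "invalid user" is optional because sshd adds it
# when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_failures(text, year=2018):
    """Return [(timestamp, user, source_ip)] for each sshd password failure.

    journalctl output carries no year, so the caller supplies it (the thread is
    from July 2018). Lines that are not password failures are skipped.
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((stamp, m["user"], m["ip"]))
    return events


def failures_by_source(events):
    """Count failed password attempts per source IP (what btmp/last shows)."""
    return dict(Counter(ip for _stamp, _user, ip in events))


def offenders(events, threshold=3, window_seconds=3600):
    """Source IPs with at least `threshold` failures inside any `window_seconds`.

    Sliding window per source: sort that source's timestamps and test whether
    events i and i+threshold-1 are no more than the window apart. Threshold
    and window are assumed values; tune them to the node's traffic.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for stamp, _user, ip in events:
        by_ip[ip].append(stamp)
    hits = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.add(ip)
                break
    return hits


def block_rules(ips, prefix_len=32):
    """iptables DROP rules for the offending sources, one per aggregated prefix.

    prefix_len=32 blocks exactly the attacking hosts; a /24 or /16 like the one
    used in the thread is wider and also drops unrelated hosts in that range.
    """
    nets = {ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}
    return [f"iptables -A INPUT -s {net.with_prefixlen} -j DROP"
            for net in sorted(nets)]


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for ip, n in sorted(failures_by_source(evs).items()):
        print(f"{ip}: {n} failed password attempt(s)")
    for rule in block_rules(offenders(evs), prefix_len=24):
        print(rule)
```

Feed it real data with `journalctl -u sshd --no-pager | python3 sshfail.py` style plumbing (the script name is an assumption) and review the printed rules before applying them; a DROP rule inserted by hand is not persistent across reboots and is no substitute for the two controls in the thread, a strong password (or better, key-only authentication) and not forwarding the ssh port at all when remote access is not needed.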