[arm-allstar] Brute force root attack on node from China?

Jim Kinter Jr. Jim at k5ktf.com
Mon Jul 2 21:27:01 EST 2018


Hi Glenn.
On any/every linux box that I admin, that is connected to the outside 
world, I move the port the SSH daemon listens to from port 22 to port 24.
24 is an unassigned port (rarely if ever used), and script kiddies 
usually don't port scan first; their scripts are designed just to 
attack IPs at 22.
You may also need to change it in IPTABLES, to now allow 24 and block 22.

Usually this change is made in the SSH daemon config file, 
(/etc/ssh/sshd.conf) usually marked with "Listen 22" or listen = 22, 
just change 22 to 24, save/exit, and restart sshd. Not even a reboot 
required (but would work too).

You move the door from where they expect it to be and they can't find it.

Just remember to reset any SSH software you use (Putty, etc) to use 
24 from the default 22 when talking to your unit.

73
Jim
K5KTF

At 05:15 AM 7/2/2018, you wrote:
>To add, an easy way to view failed login attempts is through the command:
>====
>last -f /var/log/btmp
>====
>
>In my case I had a number of entries like these, from the same address:
>====
>root     ssh:notty    118.186.17.9     Sun Jul  1 21:09 - 21:35  (00:25)
>root     ssh:notty    118.186.17.9     Sun Jul  1 20:44 - 21:09  (00:25)
>root     ssh:notty    118.186.17.9     Sun Jul  1 20:31 - 20:44  (00:12)
>root     ssh:notty    118.186.17.9     Sun Jul  1 20:19 - 20:31  (00:12)
>root     ssh:notty    118.186.17.9     Sun Jul  1 20:06 - 20:19  (00:12)
>====
>
>
>On Mon, Jul 2, 2018 at 2:53 AM, Glenn Morgon <radion8hc at gmail.com> wrote:
>
> > I was digging through my Linux log and saw a lot of these in the log:
> > ====
> >
> > Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
> > Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
> > Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
> > Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
> > Jul 02 02:19:33 n8hc-47380 sshd[9702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
> > Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
> > Jul 02 02:19:35 n8hc-47380 sshd[9702]: Connection closed by 118.186.17.9 port 45437 [preauth]
> >
> > ====
> >
> > There are literally scores of these line entries in my log in the last
> > couple hours since I had reboot it.  All coming from 118.186.17.9, which
> > shows as being from China.
> >
> > Curious that the log reports the port as not being the actual ssh port I
> > have configured, although, when I ssh into my node it too shows a port that
> > is not the same port I am using.
> >
> > I ended up blocking further attempts by running the command:
> > ====
> >  iptables -A INPUT -s 118.186.17.0/24 -j DROP
> > ====
> > Although I think I'll change it to 118.186.0.0/16 as it appears all 256
> > nets are associated to China.  While I realize this doesn't address them
> > using a proxy, perhaps it will encourage them to seek out an easier target.
> >
> > I've got a couple of nodes on my network with forwarded custom ssh ports
> > but this is the only one they seem to have noticed at this point.
> >
> > So this is my PSA for using strong passwords and checking your logs now
> > and again.
> >
> > Glenn
> >


73
Jim Kinter, Jr. K5KTF
Cedar Park TX
Webmaster
         www.Broadband-Hamnet.org <http://www.broadband-hamnet.org/>
         www.CTDXCC.org
         www.AustinSummerfest.org <http://www.austinsummerfest.org/>
Williamson County ARES
         2010/11/15/16/17/18 Board Member/AEC BBHN
Travis County ARES
         Member
ARRL
         Field Instructor/Field Examiner/VE Liaison
W5YI VE # 34031E
NWS Skywarn Spotter
Lone Star Spotter Network Member
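As an added example (not code from the thread or from anyone on the list), a small Python script that does what Glenn did by hand above: it parses sshd "Failed password" lines in the journal format he quoted, counts failures per source address, and turns the sources that cross a threshold into the same iptables DROP rule form used in the thread. The sample log is constructed; the host name and 118.186.17.9 come from the thread, while 203.0.113.7 and 192.0.2.5 are made-up documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample in the journal format quoted in the thread. The host name
# and 118.186.17.9 come from the thread; 203.0.113.7 and 192.0.2.5 are made-up
# documentation-range addresses.
SAMPLE_LOG = """\
Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
Jul 02 02:20:01 n8hc-47380 sshd[9710]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jul 02 02:21:40 n8hc-47380 sshd[9720]: Accepted publickey for glenn from 192.0.2.5 port 51000 ssh2
"""

# "port NNNNN" here is the client's ephemeral source port, not the port sshd
# listens on, which is why it never matches a custom listen port.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<rhost>\S+) port (?P<sport>\d+) ssh2"
)

def failed_logins(log_text):
    """Return (user, rhost) for every failed password attempt, in log order."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("rhost")))
    return attempts

def failures_by_source(log_text):
    """Count failed password attempts per remote address."""
    return Counter(rhost for _, rhost in failed_logins(log_text))

def suspicious_sources(log_text, threshold):
    """Addresses with at least `threshold` failures, busiest first."""
    counts = failures_by_source(log_text)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))

def drop_rules(sources):
    """iptables DROP rules, in the form used in the thread, for flagged hosts."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip, _ in sources]

if __name__ == "__main__":
    flagged = suspicious_sources(SAMPLE_LOG, threshold=2)
    for ip, n in flagged:
        print("%s: %d failed password logins" % (ip, n))
    print("\n".join(drop_rules(flagged)))
```

Point it at real output with `journalctl -u sshd --no-pager` piped into `failed_logins` and pick a threshold that fits how often your own typos fail before you trust the generated rules.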
