[arm-allstar] Brute force root attack on node from China?

Sean McCarthy smccarthy61 at gmail.com
Tue Jul 3 11:45:46 EST 2018


I use public key authentication for ssh and disable root password. Sleep
well at night...

On Tue, Jul 3, 2018 at 1:41 AM "Doug Crompton via arm-allstar" <arm-allstar at hamvoip.org> wrote:

> I am not sure what this has to do with hamvoip allstar. We use port 222 for
> ssh by default but you can change it to whatever you want. If you do,
> preferably use a high port like 23222 or 17222 or something else you pick. But
> remember protecting by obfuscation of the port is poor security. Better
> than nothing but poor. At least you will not be hit constantly like you
> would on port 22. A good password is the best security. At least 10 random
> characters of mixed upper/lower letters, numbers, and special characters.
> Using a good password and the way ssh works it would take a very long time,
> probably much longer than your lifetime to break it assuming a constant try
> 24/7!
>
>
> 73 Doug
>
> WA3DSP
>
> http://www.crompton.com/hamradio
>
>
>
> On Mon, Jul 2, 2018 at 10:27 PM, "Jim Kinter Jr. via arm-allstar" <arm-allstar at hamvoip.org> wrote:
>
> > Hi Glenn.
> > On any/every Linux box that I admin that is connected to the outside
> > world, I move the port the SSH daemon listens on from port 22 to port 24.
> > 24 is an unassigned port (rarely if ever used), and script kiddies
> > usually don't port scan first; their scripts are designed just to attack
> > IPs at 22. You may also need to change it in IPTABLES, to now allow 24
> > and block 22.
> >
> > Usually this change is made in the SSH daemon config file
> > (/etc/ssh/sshd.conf), usually marked with "Listen 22" or listen = 22; just
> > change 22 to 24, save/exit, and restart sshd. Not even a reboot required
> > (but would work too).
> >
> > You move the door from where they expect it to be and they can't find it.
> >
> > Just remember to reset any SSH software you use (PuTTY, etc.) to use 24
> > from the default 22 when talking to your unit.
> >
> > 73
> > Jim
> > K5KTF
> >
> > At 05:15 AM 7/2/2018, you wrote:
> >
> >> To add, an easy way to view failed login attempts is through the command:
> >> ====
> >> last -f /var/log/btmp
> >> ====
> >>
> >> In my case I had a number of entries like these, from the same address:
> >> ====
> >> root     ssh:notty    118.186.17.9     Sun Jul  1 21:09 - 21:35  (00:25)
> >> root     ssh:notty    118.186.17.9     Sun Jul  1 20:44 - 21:09  (00:25)
> >> root     ssh:notty    118.186.17.9     Sun Jul  1 20:31 - 20:44  (00:12)
> >> root     ssh:notty    118.186.17.9     Sun Jul  1 20:19 - 20:31  (00:12)
> >> root     ssh:notty    118.186.17.9     Sun Jul  1 20:06 - 20:19  (00:12)
> >> ====
> >>
> >>
> >> On Mon, Jul 2, 2018 at 2:53 AM, Glenn Morgon <radion8hc at gmail.com> wrote:
> >>
> >> > I was digging through my Linux log and saw a lot of these in the log:
> >> > ====
> >> >
> >> > Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
> >> > Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
> >> > Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
> >> > Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
> >> > Jul 02 02:19:33 n8hc-47380 sshd[9702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
> >> > Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
> >> > Jul 02 02:19:35 n8hc-47380 sshd[9702]: Connection closed by 118.186.17.9 port 45437 [preauth]
> >> >
> >> > ====
> >> >
> >> > There are literally scores of these line entries in my log in the last
> >> > couple hours since I had rebooted it.  All coming from 118.186.17.9,
> >> > which shows as being from China.
> >> >
> >> > Curious that the log reports the port as not being the actual ssh port
> >> > I have configured, although, when I ssh into my node it too shows a
> >> > port that is not the same port I am using.
> >> >
> >> > I ended up blocking further attempts by running the command:
> >> > ====
> >> >  iptables -A INPUT -s 118.186.17.0/24 -j DROP
> >> > ====
> >> > Although I think I'll change it to 118.186.0.0/16 as it appears all 256
> >> > nets are associated with China.  While I realize this doesn't address
> >> > them using a proxy, perhaps it will encourage them to seek out an easier
> >> > target.
> >> >
> >> > I've got a couple of nodes on my network with forwarded custom ssh ports
> >> > but this is the only one they seem to have noticed at this point.
> >> >
> >> > So this is my PSA for using strong passwords and checking your logs now
> >> > and again.
> >> >
> >> > Glenn
> >> >
> >> _______________________________________________
> >>
> >> arm-allstar mailing list
> >> arm-allstar at hamvoip.org
> >> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >>
> >> Visit the BBB and RPi2/3 web page - http://hamvoip.org
> >>
> >
> >
> > 73
> > Jim Kinter, Jr. K5KTF
> > Cedar Park TX
> > Webmaster
> >         www.Broadband-Hamnet.org
> >         www.CTDXCC.org
> >         www.AustinSummerfest.org
> > Williamson County ARES
> >         2010/11/15/16/17/18 Board Member/AEC BBHN
> > Travis County ARES
> >         Member
> > ARRL
> >         Field Instructor/Field Examiner/VE Liaison
> > W5YI VE # 34031E
> > NWS Skywarn Spotter
> > Lone Star Spotter Network Member
> >
>
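The by-hand log reading in the thread (Glenn grepping sshd failures, the `last -f /var/log/btmp` tip, the per-address count before deciding on an iptables rule) can be automated. The script below is an added example written for this page, not code from the thread or from hamvoip. It parses journal-style sshd "Failed password" lines, counts failures per source address and per target user, flags any source that exceeds a threshold inside a sliding time window, and renders the same `iptables ... -j DROP` rule Glenn used for a flagged source. The sample log excerpt is constructed for the example (modelled on the lines in the thread; 118.186.17.9 is the address Glenn reported, 192.0.2.10 is a documentation address added for contrast), the year 2018 is an assumption because sshd timestamps carry no year, and the threshold and window are arbitrary defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Matches OpenSSH "Failed password" lines behind a journal/syslog prefix
# ("Jul 02 02:06:36 host sshd[pid]: ..."). Single-digit days ("Jul  2")
# and "invalid user" attempts are accepted too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+ ssh2"
)

# Constructed sample excerpt, modelled on the lines posted in the thread.
# The pam_unix and wpa_supplicant lines are there to show noise being skipped.
SAMPLE_LOG = """\
Jul 02 02:06:34 n8hc-47380 sshd[9371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.186.17.9  user=root
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Failed password for root from 118.186.17.9 port 33831 ssh2
Jul 02 02:06:36 n8hc-47380 sshd[9371]: Connection closed by 118.186.17.9 port 33831 [preauth]
Jul 02 02:10:28 n8hc-47380 wpa_supplicant[294]: wlan0: WPA: Group rekeying completed with b8:8d:12:5f:a5:11 [GTK=CCMP]
Jul 02 02:12:01 n8hc-47380 sshd[9550]: Failed password for root from 118.186.17.9 port 40102 ssh2
Jul 02 02:15:40 n8hc-47380 sshd[9600]: Failed password for invalid user admin from 118.186.17.9 port 41001 ssh2
Jul 02 02:19:35 n8hc-47380 sshd[9702]: Failed password for root from 118.186.17.9 port 45437 ssh2
Jul 02 02:30:00 n8hc-47380 sshd[9800]: Failed password for root from 192.0.2.10 port 50000 ssh2
"""


def parse_failures(log_text, year=2018):
    """Return a list of (timestamp, user, host) for each failed password attempt.

    sshd timestamps carry no year, so the caller supplies one (2018 assumed
    here, matching the thread). Lines that are not failed-password events
    are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["host"]))
    return events


def summarize(events):
    """Count failures per source host and per (host, target user)."""
    per_host = defaultdict(int)
    per_host_user = defaultdict(int)
    for _, user, host in events:
        per_host[host] += 1
        per_host_user[(host, user)] += 1
    return dict(per_host), dict(per_host_user)


def flag_brute_force(events, threshold=3, window=timedelta(minutes=15)):
    """Return sorted hosts with at least `threshold` failures inside any
    span of length `window` (sliding window over sorted timestamps)."""
    by_host = defaultdict(list)
    for ts, _, host in events:
        by_host[host].append(ts)
    flagged = set()
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return sorted(flagged)


def drop_rule(host, prefix_len=24):
    """Render the iptables DROP rule from the thread for the network
    containing `host` (Glenn used /24, then considered /16)."""
    net = ip_network(f"{host}/{prefix_len}", strict=False)
    return f"iptables -A INPUT -s {net} -j DROP"


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    hosts, host_users = summarize(events)
    for host, count in sorted(hosts.items(), key=lambda kv: -kv[1]):
        users = ", ".join(f"{u}={n}" for (h, u), n in host_users.items() if h == host)
        print(f"{host}: {count} failed logins ({users})")
    for host in flag_brute_force(events):
        print(f"brute force suspected from {host}: {drop_rule(host)}")
```

Run it as-is to see the summary for the embedded sample; for a real node, feed it the output of `journalctl -u sshd --no-pager` instead of `SAMPLE_LOG`. The counting only tells you what is happening: as Doug notes, moving the port is obscurity rather than security, and as Sean notes, key authentication with the root password disabled removes the credential that is being guessed, whereas a /24 or /16 DROP only shifts the traffic.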

