[arm-allstar] NOTICE for users with public ssh on port 222

Al Beard beardal at unixservice.com.au
Sun Apr 5 18:42:21 EDT 2020


Hi all,

Blocking IP addresses for Failed logins.

On my Linux box here, I've been running this for years, no, decades.
(run from cron hourly)
2 * * * * /usr/local/bin/checksshd.sh > /dev/null 2>&1

It looks at the logs, the last 1000 lines, sorts the list so if there
are several hackers, their IP addresses will be grouped. If any IP
address has failed logins more than five times, it is blocked.

My script needs to be modified to put the temp files into one of the
"tmpfs" filesystems so as not to write on the SD card.

Here is a typical Reject list:
[root at linux1 rej]# cat rej_ssh.lst
     12 103.10.30.207
      2 104.131.190.193
      9 111.229.48.141
      2 148.70.187.205
     14 152.168.242.103
      3 176.31.253.204
     10 181.189.144.206
     16 189.18.243.210
     14 218.85.119.92
      3 218.92.0.158
      3 218.92.0.172
      6 218.92.0.184
      3 222.186.169.192
      5 222.186.173.201
      3 222.186.173.226
      3 222.186.175.140
      3 222.186.175.148
      3 222.186.175.163
      3 222.186.175.167
      6 222.186.175.215
      2 222.186.180.6
      6 45.119.212.125
      1 61.177.172.128
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.20.1    0.0.0.0         UG        0 0          0 enp0s31f6
45.119.212.125  -               255.255.255.255 !H        - -          - -
103.10.30.207   -               255.255.255.255 !H        - -          - -
111.229.48.141  -               255.255.255.255 !H        - -          - -
152.168.242.103 -               255.255.255.255 !H        - -          - -
181.189.144.206 -               255.255.255.255 !H        - -          - -
189.18.243.210  -               255.255.255.255 !H        - -          - -
192.168.20.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s31f6
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
218.85.119.92   -               255.255.255.255 !H        - -          - -
218.92.0.184    -               255.255.255.255 !H        - -          - -
222.186.173.201 -               255.255.255.255 !H        - -          - -
222.186.175.215 -               255.255.255.255 !H        - -          - -

Keep smiling

Alan VK2ZIW

On Sun, 5 Apr 2020 11:29:21 -0400 (EDT), "David McGough via ARM-allstar" wrote:
> Hi Everyone,
> 
> Over the recent weeks there has been a HUGE increase in Internet hacking
> attempts targeting ALL Internet visible ssh servers on ports 22, 222 
> and other ports ending in "22."
> 
> In general, this hacking is unsuccessful at gaining system access,
> assuming that you used a good quality root password!  However, while 
> not gaining system access, this hacking can still generate a Denial 
> of Service condition for users. The way it does this is by filling 
> up logfiles (e.g.:  /var/log/btmp), causing filesystem out-of-space 
> related errors. Hacking can also cause audio quality problems 
> (dropped packets) due to the sheer volume of hacking related network 
> traffic.
> 
> Fortunately, there are some simple solutions. First, if you don't really
> need ssh visible to the Internet, just block ssh access at your Internet
> router.
> 
> A second method is to change the ssh port from 222 to some obscure port;
> maybe like: 19876. While "hiding" the port isn't considered the best
> strategy, it does work very effectively FOR NOW, remembering that 
> hackers continually adapt their techniques.
> 
> Third, to help mitigate this issue no matter what ssh port you use, we're
> adding some very lightweight tools to HamVoIP to monitor various files
> (e.g.:  /var/log/btmp) and automatically block hacking attempts 
> using iptables. This code is being tested now and will be released 
> soon. More details to follow about this.
> 
> Stay home and stay healthy!
> 
> 73, David KB4FXC
> 
> _______________________________________________
> 
> ARM-allstar mailing list
> ARM-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> 
> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org


---------------------------------------------------
Alan Beard
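The procedure Alan describes (tail the sshd log, count failed logins per source address, reject-route anything over five failures, keep the temp files on tmpfs) and the log-watching blocker David says HamVoIP is adding are the same idea. The script below is an added example written for this page; it is neither Alan's checksshd.sh nor the HamVoIP tool. It assumes a plain-text syslog-style sshd log such as /var/log/auth.log or /var/log/secure (the /var/log/btmp file David mentions is binary and would need `lastb -i` instead of awk), it only prints the `ip route` and `iptables` commands unless SSHBLOCK_APPLY=1, and the variable names THRESHOLD, WINDOW, STATEDIR, LOGFILE and SSHBLOCK_APPLY are my own. The sample log lines are constructed; the addresses in them are borrowed from the reject list above.

```shell
#!/bin/sh
# sshblock.sh: added example, not the checksshd.sh from the post above nor
# the HamVoIP tool David describes. Take the last WINDOW lines of the sshd
# log, count failed logins per source address, block every address with
# more than THRESHOLD failures, and keep state on tmpfs (not the SD card).
#
# Assumptions (mine, not from the thread):
#  - text syslog output from sshd with lines like
#    "sshd[PID]: Failed password for root from A.B.C.D port N ssh2";
#    /var/log/btmp is binary and would need `lastb -i` instead
#  - blocking = a reject route (the !H entries in the netstat output above)
#    plus an iptables DROP; commands are only printed unless SSHBLOCK_APPLY=1
#  - IPv4 only; an IPv6 log would need ip6tables as well

THRESHOLD=${THRESHOLD:-5}        # block when failures > THRESHOLD
WINDOW=${WINDOW:-1000}           # trailing log lines to inspect
STATEDIR=${STATEDIR:-/dev/shm/sshblock}   # tmpfs; falls back to /tmp below

# Constructed sample log standing in for `tail -n $WINDOW /var/log/auth.log`:
# 103.10.30.207 fails 6 times, 222.186.175.215 exactly 5, two others once.
# The "Invalid user", "Accepted" and "Connection closed" lines must not count.
SAMPLE_LOG='Apr  5 18:40:01 linux1 sshd[3101]: Failed password for root from 103.10.30.207 port 41022 ssh2
Apr  5 18:40:03 linux1 sshd[3101]: Failed password for root from 103.10.30.207 port 41022 ssh2
Apr  5 18:40:05 linux1 sshd[3101]: Failed password for root from 103.10.30.207 port 41022 ssh2
Apr  5 18:40:09 linux1 sshd[3107]: Failed password for root from 222.186.175.215 port 50218 ssh2
Apr  5 18:40:10 linux1 sshd[3109]: Failed password for root from 103.10.30.207 port 41190 ssh2
Apr  5 18:40:12 linux1 sshd[3109]: Failed password for root from 103.10.30.207 port 41190 ssh2
Apr  5 18:40:14 linux1 sshd[3107]: Failed password for root from 222.186.175.215 port 50218 ssh2
Apr  5 18:40:15 linux1 sshd[3112]: Invalid user admin from 218.92.0.184 port 33020
Apr  5 18:40:15 linux1 sshd[3112]: Failed password for invalid user admin from 218.92.0.184 port 33020 ssh2
Apr  5 18:40:20 linux1 sshd[3115]: Accepted publickey for alan from 192.168.20.15 port 52110 ssh2: ED25519 SHA256:constructed
Apr  5 18:40:22 linux1 sshd[3109]: Failed password for root from 103.10.30.207 port 41190 ssh2
Apr  5 18:40:25 linux1 sshd[3107]: Failed password for root from 222.186.175.215 port 50218 ssh2
Apr  5 18:40:28 linux1 sshd[3107]: Failed password for root from 222.186.175.215 port 50218 ssh2
Apr  5 18:40:30 linux1 sshd[3109]: Connection closed by authenticating user root 103.10.30.207 port 41190 [preauth]
Apr  5 18:40:31 linux1 sshd[3107]: Failed password for root from 222.186.175.215 port 50218 ssh2
Apr  5 18:40:35 linux1 sshd[3120]: Failed password for invalid user pi from 61.177.172.128 port 39012 ssh2'

# count_failures: sshd log lines on stdin -> "<count> <ip>" per source
# address, highest count first (the rej_ssh.lst format shown above). Only
# "Failed ..." lines count: sshd logs "Invalid user X from <ip>" right before
# "Failed password for invalid user X", so counting both double-counts.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") n[ip]++
            ip = ""
        }
        END { for (ip in n) printf "%7d %s\n", n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# offenders: addresses whose failure count exceeds THRESHOLD, one per line.
offenders() {
    count_failures | awk -v t="$THRESHOLD" '$1 > t { print $2 }'
}

# block_ip ADDR: the address comes from an attacker-influenced log line, so
# refuse anything that is not a bare dotted quad before it touches a command
# line; then reject-route it and drop it in netfilter (or just print both).
block_ip() {
    addr=$1
    case $addr in
        ""|*[!0-9.]*) echo "refusing to block malformed address: '$addr'" >&2; return 1 ;;
    esac
    if [ "${SSHBLOCK_APPLY:-0}" = 1 ]; then
        ip route replace unreachable "$addr"
        iptables -C INPUT -s "$addr" -j DROP 2>/dev/null || iptables -I INPUT -s "$addr" -j DROP
    else
        echo "ip route replace unreachable $addr"
        echo "iptables -I INPUT -s $addr -j DROP"
    fi
}

# main: analyse $LOGFILE (or the constructed sample), write the reject list
# to tmpfs, and block each offender. Suitable for the hourly cron entry above.
main() {
    mkdir -p "$STATEDIR" 2>/dev/null || STATEDIR=${TMPDIR:-/tmp}/sshblock
    mkdir -p "$STATEDIR"
    if [ -n "${LOGFILE:-}" ]; then tail -n "$WINDOW" "$LOGFILE"; else printf '%s\n' "$SAMPLE_LOG"; fi \
        | count_failures > "$STATEDIR/rej_ssh.lst"
    awk -v t="$THRESHOLD" '$1 > t { print $2 }' "$STATEDIR/rej_ssh.lst" |
        while read -r addr; do block_ip "$addr"; done
}
main
```

Run as root with `LOGFILE=/var/log/auth.log SSHBLOCK_APPLY=1 sh sshblock.sh` from cron to apply the blocks; without SSHBLOCK_APPLY it only prints what it would do. The reject route alone already stops the box answering the attacker, and the iptables rule additionally stops the SYNs from reaching sshd and being logged; note that neither survives a reboot unless saved, and that with the ">5" rule an address at exactly five failures is left alone, as in the original description.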

