I appear to have had an ssh attack on my linode.com box.

The auth.log has many lines of this sort of thing:

Aug 23 11:23:54 ubuntu sshd[13108]: Failed password for invalid user calisto from 210.143.97.153 port 33742 ssh2
Aug 23 11:23:56 ubuntu sshd[13110]: Invalid user calixta from 210.143.97.153
Aug 23 11:23:56 ubuntu sshd[13110]: pam_unix(sshd:auth): check pass; user unknown
Aug 23 11:23:56 ubuntu sshd[13110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns.trts.jp
Aug 23 11:23:58 ubuntu sshd[13110]: Failed password for invalid user calixta from 210.143.97.153 port 33861 ssh2
Aug 23 11:23:59 ubuntu sshd[13112]: Invalid user cande from 210.143.97.153
Aug 23 11:23:59 ubuntu sshd[13112]: pam_unix(sshd:auth): check pass; user unknown
Aug 23 11:23:59 ubuntu sshd[13112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns.trts.jp

The thing that concerns me is DoS. I noticed this first because my CPU
was running near 95% for several hours while I was not logged in and
no one was accessing Apache via http.

It does not take much to load up this linode since it is the smallest
offering and runs under Xen.

What is my best response to this? Note that I need to ssh in from
points unknown so whitelisting is not really an option.

OBTW, I have attacks like this of varying severity from several IPs
that whois to China, one from Poland and one from Chile. I suppose
this is common but my ignorance is near total.
=======================================================
whois 210.143.97.153

[ JPNIC database provides information regarding IP address and ASN. Its use   ]
[ is restricted to network administration purposes. For further information,  ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]

Network Information:
a. [Network Number]             210.143.96.0/22
b. [Network Name]               PROX
g. [Organization]               Prox System Design Inc.
m. [Administrative Contact]     TN6639JP
n. [Technical Contact]          TN6639JP
p. [Nameserver]                 dns1.ixent.ne.jp/210.143.97.0-210.143.99.255
p. [Nameserver]                 dns2.ixent.ne.jp/210.143.97.0-210.143.99.255
p. [Nameserver]                 ns.prox.ne.jp/210.143.96.0-210.143.96.255
p. [Nameserver]                 ns2.prox.ne.jp/210.143.96.0-210.143.96.255
[Assigned Date]                 1998/06/18
[Return Date]
[Last Update]                   2008/07/22 19:05:09(JST)

Less Specific Info.
----------
PROX SYSTEM DESIGN INC.
                     [Allocation]                              210.143.96.0/22

More Specific Info.
----------
No match!!
===============================================

Comments,

BobLQ


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
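
Added example, not part of the original post: a small Python script that tallies the "Failed password" lines from an auth.log in the layout quoted above, per source address, and lists addresses that tried several nonexistent accounts. The sample lines are constructed (documentation-range addresses, made-up usernames), the year and the threshold are assumptions, and each log event must sit on one line.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" line in the syslog layout shown in the post.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(lines, year=2008):
    """Per source address: failure count, invalid usernames tried, first/last seen."""
    stats = defaultdict(lambda: {"failures": 0, "invalid_users": set(),
                                 "first": None, "last": None})
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # pam_unix and "Invalid user" lines repeat the same attempt
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = stats[m["ip"]]
        s["failures"] += 1
        if m["invalid"]:
            s["invalid_users"].add(m["user"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def likely_scanners(stats, min_users=3):
    """Addresses that tried at least min_users distinct nonexistent accounts."""
    return sorted(ip for ip, s in stats.items() if len(s["invalid_users"]) >= min_users)

# Constructed sample input, modelled on the log format in the post.
SAMPLE = """\
Aug 23 11:23:54 ubuntu sshd[13108]: Failed password for invalid user alpha from 203.0.113.7 port 33742 ssh2
Aug 23 11:23:56 ubuntu sshd[13110]: Invalid user bravo from 203.0.113.7
Aug 23 11:23:56 ubuntu sshd[13110]: pam_unix(sshd:auth): check pass; user unknown
Aug 23 11:23:58 ubuntu sshd[13110]: Failed password for invalid user bravo from 203.0.113.7 port 33861 ssh2
Aug 23 11:24:01 ubuntu sshd[13112]: Failed password for invalid user charlie from 203.0.113.7 port 33990 ssh2
Aug 23 11:30:10 ubuntu sshd[13200]: Failed password for bob from 198.51.100.20 port 40122 ssh2
Aug 23 11:30:15 ubuntu sshd[13200]: Accepted password for bob from 198.51.100.20 port 40122 ssh2
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip in likely_scanners(stats):
        s = stats[ip]
        print(ip, s["failures"], "failures,", len(s["invalid_users"]),
              "invalid users,", s["first"], "to", s["last"])
```

A single mistyped password from a real account, like the 198.51.100.20 lines in the sample, is counted but not listed as a scanner.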
