Richard Creighton wrote:
> Just about every day, often several times a day, my logs include hours
> of log entries that look like this:
> 
> Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
> Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
> Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
> Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
> Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
> Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42
> Jul 16 00:36:06 raid5 sshd[6985]: Invalid user webmaster from 83.18.244.42
> Jul 16 00:36:11 raid5 sshd[6987]: Invalid user username from 83.18.244.42
> Jul 16 00:36:16 raid5 sshd[6989]: Invalid user user from 83.18.244.42
> Jul 16 00:36:26 raid5 sshd[6994]: Invalid user admin from 83.18.244.42
> Jul 16 00:36:31 raid5 sshd[6996]: Invalid user test from 83.18.244.42
> Jul 16 00:36:51 raid5 sshd[7017]: Invalid user danny from 83.18.244.42
> Jul 16 00:36:56 raid5 sshd[7019]: Invalid user alex from 83.18.244.42
> Jul 16 00:37:01 raid5 sshd[7022]: Invalid user brett from 83.18.244.42
> Jul 16 00:37:06 raid5 sshd[7024]: Invalid user mike from 83.18.244.42
> Jul 16 00:37:12 raid5 sshd[7027]: Invalid user alan from 83.18.244.42
> Jul 16 00:37:18 raid5 sshd[7029]: Invalid user data from 83.18.244.42
> Jul 16 00:37:22 raid5 sshd[7031]: Invalid user www-data from 83.18.244.42
> Jul 16 00:37:28 raid5 sshd[7033]: Invalid user http from 83.18.244.42
> Jul 16 00:37:33 raid5 sshd[7037]: Invalid user httpd from 83.18.244.42
> Jul 16 00:37:38 raid5 sshd[7040]: Invalid user pop from 83.18.244.42
> 
> 
> ..... and so on, ad nauseam. Obviously, someone is trying to break into
> my system via SSH. So far as I can tell from examining my logs and
> my systems (usually at least 4 other systems on my LAN are under
> simultaneous attacks from the same source(s)), the daemon is
> successfully withstanding the assault and the system is not compromised.
> 
> My question is: what, if any, firewall rule could I write that could
> detect such attacks and automatically shut down forwarding of packets from
> the offending node or domain? That would give me an additional layer
> of defense as well as freeing up a significant amount of log file space.
> 
> Thanks in advance,
> Richard

The first question is whether there is any reason to have external ssh sessions. If
external ssh is not required, just block ssh at the external firewall.
If there is a technical support reason for such access, restrict external
ssh access and login accounts to those accounts that require it (when
they require it). If external ssh sessions are generally required,
consider setting up something like a VPN and blocking non-VPN access to ssh.

The real problem starts when the attacker hits pay dirt; the entries I
would worry about are the ones that are not in the log. The log sizes
are a nuisance, but with a bit of scripting and log management they should be
easy enough to keep under control. Also, knowledge of the account names
the attack is being made upon could be an indicator of someone just
fishing or something more dangerous.

I looked briefly into this and tended to find that the purported
addresses initiating the attacks tended not to repeat in the logs I
examined. So address harvesting was not really an effective option.

A difficulty here, if external ssh is allowed, is distinguishing between
an attack and someone genuinely getting a bit confused about their
username. One may end up blocking legitimate addresses as a result.


--
==============================================================================
I have always wished that my computer would be as easy to use as my
telephone.
My wish has come true. I no longer know how to use my telephone.

Bjarne Stroustrup
==============================================================================
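One way to do the "bit of scripting" the reply suggests, as an added example that is not part of the thread: a Python classifier over sshd "Invalid user" lines that separates a source trying many account names in a short window (the fishing pattern quoted above) from a source repeating a single name (more likely a legitimate user mistyping their login, the case the reply warns about blocking by mistake). The sample log lines, addresses, year and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Invalid user" lines in the format quoted in the thread (syslog carries no year).
INVALID_USER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                          r"Invalid user (?P<user>\S+) from (?P<src>[\d.]+)$")

# Constructed sample log using documentation addresses, not the thread's real entries.
SAMPLE = """\
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 192.0.2.10
Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 192.0.2.10
Jul 16 00:36:06 raid5 sshd[6985]: Invalid user webmaster from 192.0.2.10
Jul 16 00:36:16 raid5 sshd[6989]: Invalid user user from 192.0.2.10
Jul 16 00:36:56 raid5 sshd[7019]: Invalid user alex from 192.0.2.10
Jul 16 08:12:01 raid5 sshd[7301]: Invalid user rchard from 198.51.100.7
Jul 16 08:12:40 raid5 sshd[7303]: Invalid user rchard from 198.51.100.7
""".splitlines()

def parse(lines, year=2007):
    # Yield (timestamp, username, source address); lines of other kinds are ignored.
    for line in lines:
        m = INVALID_USER.match(line.strip())
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["src"]

def scanning(hits, window_s, min_attempts, min_users):
    """Sliding window over time-sorted (ts, user) pairs: True if any window_s-second
    span holds at least min_attempts tries against at least min_users distinct names."""
    lo = 0
    for hi in range(len(hits)):
        while (hits[hi][0] - hits[lo][0]).total_seconds() > window_s:
            lo += 1
        chunk = hits[lo:hi + 1]
        if len(chunk) >= min_attempts and len({u for _, u in chunk}) >= min_users:
            return True
    return False

def classify(lines, window_s=600, min_attempts=5, min_users=3):
    """Per source: 'brute-force' for a burst of many names, 'likely-typo' for one name, else 'review'."""
    by_src = defaultdict(list)
    for ts, user, src in parse(lines):
        by_src[src].append((ts, user))
    out = {}
    for src, hits in by_src.items():
        hits.sort()
        users = sorted({u for _, u in hits})
        if scanning(hits, window_s, min_attempts, min_users):
            verdict = "brute-force"
        elif len(users) == 1:
            verdict = "likely-typo"
        else:
            verdict = "review"
        out[src] = (verdict, len(hits), users)
    return out
```

Only the "brute-force" verdict is a candidate for an automatic block; "likely-typo" and "review" sources are exactly the ones the reply cautions would be cut off by a naive rule.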