Odd ssh attacks?

Art Edwards edwardsa at icantbelieveimdoingthis.com
Thu Jul 19 05:17:12 UTC 2007


Chris wrote:
> Is anyone seeing this in /var/log/auth.log ?
> 
> Apr 21 14:32:17 racerx sshd[16985]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=6a.5d.1343.static.theplanet.com  user=root
> Apr 21 14:32:20 racerx sshd[16985]: Failed password for root from
> 67.19.93.106 port 57194 ssh2
> Apr 21 14:32:20 racerx sshd[16987]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser=
> rhost=6a.5d.1343.static.theplanet.com  user=root
> Apr 21 14:32:22 racerx sshd[16987]: Failed password for root from
> 67.19.93.106 port 57590 ssh2
> 
> 
I just noticed the same sort of traffic and I'm in the middle of
tightening things up. I just installed fail2ban. The jail.conf file is
where you can specify the maximum number of times an IP address can ask
for entry, as well as the timeout period until that IP can try again.

Two other things you can do (I'm doing these, FWIW)

1. For each IP address you encounter, you can set up a stanza in your
iptables firewall.

For example,
$IPTABLES -I INPUT -s 203.127.160.155 -j DROP

where I have defined
IPTABLES=/sbin/iptables

This stanza inserts a rule that any traffic originating from
203.127.160.155 is dropped. This is the safer option because it
generates no response to the attacker.

2. You can actively pursue cutting them out. If you install whois, you
can find out which ISP holds the IP address, along with email addresses to
which you can report abuse. I started that last night and had a roughly
50% response rate. The ISPs are glad to know about the abuse and seem
aggressive about responding. I also did some googling and found that some
of the IP addresses have a history of attacks. I even found a website
that displays the blocked IP addresses of an Asian ISP. I'm inserting
all of those into my firewall.

HTH

Art Edwards
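Added example, not part of the thread: a small script that does by hand what the post's fail2ban-plus-iptables setup does, namely count "Failed password" lines per source IP in auth.log and render the DROP stanza quoted above for any IP that crosses a threshold. The log excerpt is constructed to mirror the lines Chris quoted, the year is assumed (syslog timestamps carry none), and the maxretry/findtime thresholds mirror the fail2ban jail.conf settings the post refers to.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample modelled on the auth.log excerpt in the thread (times/ports made up).
SAMPLE_AUTH_LOG = """\
Apr 21 14:32:20 racerx sshd[16985]: Failed password for root from 67.19.93.106 port 57194 ssh2
Apr 21 14:32:22 racerx sshd[16987]: Failed password for root from 67.19.93.106 port 57590 ssh2
Apr 21 14:32:25 racerx sshd[16989]: Failed password for root from 67.19.93.106 port 57601 ssh2
Apr 21 14:40:01 racerx sshd[17002]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Apr 21 15:10:09 racerx sshd[17100]: Accepted publickey for art from 192.0.2.10 port 51000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2007):
    """Return (timestamp, ip, user) for every failed-password line; year is assumed."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def offending_ips(events, maxretry=3, findtime=600):
    """IPs with at least `maxretry` failures inside some `findtime`-second window,
    the same rule fail2ban's maxretry/findtime settings in jail.conf express."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    banned = []
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)

def drop_rules(ips, iptables="/sbin/iptables"):
    """Render the per-IP DROP stanza from the post for each offending IP."""
    return [f"{iptables} -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in drop_rules(offending_ips(parse_failures(SAMPLE_AUTH_LOG))):
        print(rule)
```

With the sample above only 67.19.93.106 crosses the threshold, so one DROP rule is printed; the single failure from 10.0.0.5 is recorded but not banned.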
More information about the ubuntu-users mailing list