Wednesday, May 22, 2013

SSH Brute Force Attempts

I found an interesting entry in the output of the netstat utility while trying to see the actively running services on an Amazon VM running CentOS.

netstat -pant
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 0.0.0.0:27017               0.0.0.0:*                   LISTEN      996/mongod         
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1017/nginx         
tcp        0      0 0.0.0.0:28017               0.0.0.0:*                   LISTEN      996/mongod         
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      858/sshd           
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      803/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      952/master         
tcp        0     48 10.204.214.243:22           173.203.XXX.XXX:43344        ESTABLISHED 21748/sshd         
tcp        0    784 10.204.214.243:22           218.109.6.241:56570         ESTABLISHED 25742/sshd
    
 


The IP in the last line clearly isn't one I own. I did a quick IP2Location lookup and it is a Chinese IP address.
I did a Google search to learn more about what this IP is up to from the system logs and came across the 3 commands below.

grep -ir ssh /var/log/*
grep -ir breakin /var/log/*
grep -ir security /var/log/*
 
Running the first command on 2 different servers (CentOS and Ubuntu respectively) revealed loads of automated attempts at breaking into the servers I tried the command on.
/var/log/secure:May 22 08:05:00 ip-10-204-214-243 sshd[23741]: Invalid user server from 218.109.6.241
/var/log/secure:May 22 08:05:00 ip-10-204-214-243 sshd[23745]: input_userauth_request: invalid user server
/var/log/secure:May 22 08:05:00 ip-10-204-214-243 sshd[23745]: Received disconnect from 218.109.6.241: 11: Bye Bye
/var/log/secure:May 22 08:05:02 ip-10-204-214-243 sshd[23747]: Invalid user share from 218.109.6.241
/var/log/secure:May 22 08:05:02 ip-10-204-214-243 sshd[23751]: input_userauth_request: invalid user share
/var/log/secure:May 22 08:05:02 ip-10-204-214-243 sshd[23751]: Received disconnect from 218.109.6.241: 11: Bye Bye

/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18376]: Failed password for invalid user test1 from 198.23.229.207 port 44166 ssh2
/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18378]: Address 198.23.229.207 maps to host.colocrossing.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18378]: Invalid user test1 from 198.23.229.207
/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18378]: pam_unix(sshd:auth): check pass; user unknown
/var/log/auth.log:May 22 04:43:08 ejeboo sshd[18378]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.23.229.207
/var/log/auth.log:May 22 04:43:11 ejeboo sshd[18378]: Failed password for invalid user test1 from 198.23.229.207 port 44599 ssh2
/var/log/auth.log:May 22 04:43:11 ejeboo sshd[18380]: Address 198.23.229.207 maps to host.colocrossing.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!


It's a sad world out there :(
 


No comments:

Post a Comment