Hacking attempt?

Just looking at /var/log/messages and I see it riddled with this pattern:

2017-07-21T00:40:51+10:00 info sshd[1093]: Failed password for root from 116.31.116.23 port 44170 ssh2
2017-07-21T10:40:53+10:00 info sshd[23659]: Last message 'Failed password for ' repeated 2 times, suppressed by syslog-ng on Cerberus.lan
2017-07-21T00:40:53+10:00 info sshd[1093]: Received disconnect from 116.31.116.23 port 44170:11:  [preauth]
2017-07-21T00:40:53+10:00 info sshd[1093]: Disconnected from 116.31.116.23 port 44170 [preauth]

I can see from:

network-tools.com/default.asp?prog=express&host=116.31.116.23

That this is apparently an IP address in China. To wit, am I to conclude someone is trying to hack my router? Shall turn off ssh from WAN for now. But wonder if anyone else has seen something like this. Looks like a repeated password search effort.

I think it is very insecure to have opened SSH to the Internet via WAN port directly.
It is better to use the OpenVPN connection to the router and SSH via VPN.

I have never seen this on my router yet, because I have only an SSH honeypot on my router’s port 22.

Yeah, I know that ;-). It’s closed now. Well I use the firewall and currently allow it from my work PC still, but may look at OpenVPN indeed.

My curiosity remains. If anyone has seen anything like that and if so, what tools we might have to try and pin down where that IP is geographically a little better than just “China”. Nice to imagine sending the boys round … but I guess it’s not easy to do without some serious ISP cooperation.

Yes, that’s very normal behavior once you plug anything into the real internet (e.g. without NAT); that happens every few minutes. Try installing Windows NT or Windows XP and plugging it into a real internet address; it will be hacked before the installation completes.


That bad? Is there like a Chinese bot scanning IPs and port 22s and then running John the Ripper on it?

I mean there are a squidzillion legit open SSH ports for internet access out there, I use them on web hosts all the time. Are these seriously day in day out drawing password crack traffic to them?

Yes, but not only Chinese. As I wrote, it is very common behavior, and you can actually download programs that can do this. If you have a Synology NAS, it has an autoban feature that bans an IP address after 5 wrong login attempts.

It’s called fail2ban. It’s available almost on all Linux distributions: https://www.fail2ban.org/wiki/index.php/Main_Page

But as somebody said, it’s good to use the SSH honeypot on Turris.
More information is on the wiki:
https://www.turris.cz/doc/en/howto/ssh_honeypot
(If you miss some information there, let me know. I will improve/edit it.)

Maybe two or three months ago we had a similar discussion on IRC about how to protect against “hacking attempts”:

  1. I advised redirecting the SSH port to another one, but that’s not a solution either
  2. Somebody recommended using fail2ban
  3. Don’t expose the SSH server to the internet (or allow connecting through OpenVPN)
    If you don’t have a dynamic IP you could add a rule to allow SSH connections only from IP(s) which you know and consider safe
  4. Use a strong password

Btw bots are scanning everything. Also looking for telnet and so on. Also it is good to use some password manager (I like Sticky Password - still not available on Linux. :’( ), which will generate really long passwords with special characters like @&! and so on.

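The counting that autoban or fail2ban do can be seen on the log format quoted at the top of the thread. This is an added example, not code from the thread or from fail2ban: it tallies "Failed password" lines per source IP, credits the attempts hidden by syslog-ng's "repeated N times" suppression line to the last failing IP (otherwise the count is too low), and reports IPs at or over the 5-attempt threshold mentioned above. The sample log is constructed from the posted lines plus a few invented ones (198.51.100.7 and 192.0.2.10 are documentation addresses).

```python
import re
from collections import Counter

# Constructed sample: the thread's lines plus a few invented ones in the same syslog-ng format.
SAMPLE_LOG = """\
2017-07-21T00:40:51+10:00 info sshd[1093]: Failed password for root from 116.31.116.23 port 44170 ssh2
2017-07-21T10:40:53+10:00 info sshd[23659]: Last message 'Failed password for ' repeated 2 times, suppressed by syslog-ng on Cerberus.lan
2017-07-21T00:40:53+10:00 info sshd[1093]: Received disconnect from 116.31.116.23 port 44170:11:  [preauth]
2017-07-21T00:40:53+10:00 info sshd[1093]: Disconnected from 116.31.116.23 port 44170 [preauth]
2017-07-21T00:41:10+10:00 info sshd[1101]: Failed password for invalid user admin from 198.51.100.7 port 50102 ssh2
2017-07-21T00:41:12+10:00 info sshd[1101]: Failed password for invalid user admin from 198.51.100.7 port 50102 ssh2
2017-07-21T00:45:02+10:00 info sshd[1120]: Failed password for root from 116.31.116.23 port 44902 ssh2
2017-07-21T00:45:04+10:00 info sshd[1120]: Failed password for root from 116.31.116.23 port 44902 ssh2
2017-07-21T00:46:00+10:00 info sshd[1130]: Accepted publickey for martin from 192.0.2.10 port 51000 ssh2
"""

# One failed password attempt; "invalid user" appears when the login name does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)
# syslog-ng collapses identical consecutive messages into this single line.
REPEAT_RE = re.compile(
    r"Last message 'Failed password for ' repeated (?P<n>\d+) times, suppressed by syslog-ng"
)


def count_failures(log_text, threshold=5):
    """Return (failed attempts per source IP, sorted IPs at or over the threshold)."""
    counts = Counter()
    last_ip = None  # IP of the most recent failure, owner of any suppressed repeats
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            last_ip = m.group("ip")
            counts[last_ip] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_ip is not None:
            counts[last_ip] += int(m.group("n"))
    over = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, over


if __name__ == "__main__":
    per_ip, to_ban = count_failures(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {n} failed attempts")
    print("at/over threshold:", to_ban)
```

Run it against a real file with `count_failures(open("/var/log/messages").read())`; successful logins are deliberately not matched, so a legitimate source never accumulates a count.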

you can actually download programs that can do this.

What might they be? In the name of learning and understanding. I am so struggling to believe that the net is so flooded with endless hack attempts. Egads! Between that and spam it’s amazing it’s functional I guess.

fail2ban and ssh honeypot look good. Thanks. I like.

I use LastPass myself, not Sticky Password. Not sure of the pros and cons of one or the other. LastPass I guess I only use as a browser addon and for CLI tools like ssh.

  1. Disable password authentication and only allow public key authentication.

No need to bother with fail2ban or similar. You should only log in from your own devices anyway. Then just keep your software up to date and you’re going to be fine. None of us here is important enough that anyone will waste a zero day exploit on breaking sshd.

Here is a metric from six days worth of logs from my internet facing SSH daemon (on a standard Debian server with automatic updates), during which time there were zero legitimate login attempts:

grep -c sshd /var/log/auth.log.1
5495

The internet is dark and full of terrors :)


Wow, about 1000 login efforts per day that are unwanted. Amazing indeed what wickedness is out there. I agree, I’ve not pursued fail2ban or honeypot yet, mainly because well I closed the port indeed and opened it only from my known device IP(s) for present. And all those login efforts seem to have evaporated, yet I can still connect remotely. Still I do find fail2ban and honeypot interesting in part because I would like (at a low priority I guess) to contribute (notably with honeypot) to efforts to trap and nail these hackers …

I put ssh on a non-standard port. It fixed the majority of issues.

Not bad, but still risky I think. Better to disable password login and rely on a secure SSH key and perhaps open the port only to known IP addresses. Just a thought.


Security by obscurity is not a real fix, but at least it handles bots and automated scripts.
