Re: Failed attempts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Mon, November 27, 2017 12:13 pm, Leroy Tennison wrote:
> And if you're really security conscious consider using port knocking
> (knock server - amazingly easy to set up. Or use fwknop, a little more
> difficult to set up but not much.  Finally, for the hard core who really
> like pain - write the iptables rules yourself).

Here is quite trivial (but effective!) one:

:SSHSCAN - [0:0]

....

-A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
-A SSHSCAN -m recent --set --name SSH
-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT

....

Valeri

>
> ----- Original Message -----
> From: "Pete Biggs" <pete@xxxxxxxxxxxx>
> To: "centos" <centos@xxxxxxxxxx>
> Sent: Monday, November 27, 2017 11:53:30 AM
> Subject: Re:  Failed attempts
>
> On Mon, 2017-11-27 at 12:10 -0500, Jerry Geis wrote:
>> hi All,
>>
>> I happened to login to one of my servers today and saw 96000 failed
>> login
>> attempts. shown below is the address its coming from. I added it to my
>> firewall to drop.
>>
>> Failed password for root from 123.183.209.135 port 14299 ssh2
>>
>> FYI - others might be seeing it also.
>>
>
> As others have said, it's normal: dictionary based brute forcing of
> root; and no surprise that that IP is based in China. Welcome to the
> Internet.
>
> Primarily you need to make sure your root password is strong so it
> isn't vulnerable to this sort of attack. If it is, then the most nasty
> thing about this sort of thing is that your logs fill up.
>
> For your sanity then you can do the following:
>
>   - disallow ssh root logins by password (login as an unprivileged user
>  or use keys)
>
>   - run something like fail2ban which will block a host for a
> predetermined amount of time after a number of failures.
>
>   - don't run ssh on 22, use a different port.  (Things get a lot
> quieter when you do that, but it comes with it's own problems and don't
> get complacent because someone will find the port eventually.)
>
>   - if you only have a limited number of hosts or subnets logging in to
> your machine, adjust the firewall so that only they are allowed
> through.
>
> P.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux