another lot of sshd not being blocked

dvk01
Junior Member
Posts: 80
Joined: 20 Feb 2010, 18:10


Post by dvk01 »

Started getting these warnings today & they are not blocked in csf/lfd.
Have ssh changed their log formats yet again, or are the hackers trying a new method?

Cheers

Derek


Feb 28 16:01:02 knight sshd[23001]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:01:02 knight sshd[23003]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:04:35 knight sshd[23876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:04:35 knight sshd[23875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:04:39 knight sshd[23876]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:04:39 knight sshd[23875]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

That's not a format I recognise. What version of openSSH is that, and what OS?
dvk01
Junior Member
Posts: 80
Joined: 20 Feb 2010, 18:10

Post by dvk01 »

Package openssh-4.3p2-36.el5_4.4.i386
Package openssh-clients-4.3p2-36.el5_4.4.i386
Package openssh-server-4.3p2-36.el5_4.4.i386
CENTOS 5.4 i686
cPanel 11.25.0-R43473 - WHM 11.25.0 - X 3.9
valkira
Junior Member
Posts: 6
Joined: 02 Jul 2007, 17:57

Post by valkira »

This can be quite annoying; I've received 2k emails tonight:


lfd on xxx.yyy.com: blocked 208.82.108.36 (US/United States/clay.county.health.108.82.208.in-addr.arpa)

Time:     Thu Mar 18 05:44:15 2010 +0100
IP:       208.82.108.36 (US/United States/clay.county.health.108.82.208.in-addr.arpa)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

Mar 18 05:44:11 hc sshd[8421]: Invalid user tcpdump from 208.82.108.36
Mar 18 05:44:11 hc sshd[8421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=208.82.108.36
Mar 18 05:44:11 hc sshd[8420]: Invalid user tcpdump from 208.82.108.36
Mar 18 05:44:11 hc sshd[8420]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=208.82.108.36
Mar 18 05:44:12 hc sshd[8418]: Failed password for invalid user tenetko from 208.82.108.36 port 57405 ssh2
I have the same openssh versions as dvk01 on CentOS 5.4 i386; cPanel 11.25.0-C43473; csf v4.99

Also, I've already disabled DNS usage as explained on showthread.php?t=2974&highlight=pam_uni ... failure%3B
xsr
Junior Member
Posts: 1
Joined: 15 Mar 2010, 22:34

Post by xsr »

Have you tried configuring ssh on an alternative port? It sure prevents most drive-by brute force scripts from operating.
In our environment we don't even allow ssh unless it is to certain fixed ip addresses (for staff use only).
2k warning emails is a lot; it almost seems targeted.
valkira
Junior Member
Posts: 6
Joined: 02 Jul 2007, 17:57

Post by valkira »

Actually, I didn't configure ssh on another port because it didn't even come to my mind (yeah, silly of me :) )

as much as allowing ssh, we use the same policy, but need one server open when we're out of the office. But we can change this. We will just have to connect to our Cisco router with VPN client and go from there :)
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Feb 28 16:04:35 knight sshd[23876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252 user=root
This format is now detected by lfd.
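As an added illustration (not csf/lfd's own code or rules), here is a small Python detector for the two PAM line formats quoted in this thread: it parses the `pam_unix(sshd:auth)` and `PAM N more authentication failure` lines, weights the latter by N, and flags any rhost that reaches 5 failures inside a 300-second window, mirroring the "Failures: 5 (sshd) / Interval: 300 seconds" report above. The regexes and the assumed year 2010 (syslog lines carry no year) are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Illustrative patterns for the two PAM failure formats quoted in this thread;
# they are written for this example and are not csf/lfd's own regexes.
HEADER = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
PAM_UNIX = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=([\d.]+)")
PAM_MORE = re.compile(r"PAM (\d+) more authentication failures?;.*\brhost=([\d.]+)")

def parse_failure(line):
    """Return (timestamp, ip, failures) for a PAM failure line, else None."""
    m = HEADER.match(line)
    if not m:
        return None
    # syslog omits the year; 2010 is assumed to match the dates in this thread
    ts = datetime.strptime("2010 " + " ".join(m.group(1).split()), "%Y %b %d %H:%M:%S")
    hit = PAM_UNIX.search(m.group(2))
    if hit:
        return ts, hit.group(1), 1
    hit = PAM_MORE.search(m.group(2))
    if hit:  # "PAM N more ..." summarises N further failures, so weight it by N
        return ts, hit.group(2), int(hit.group(1))
    return None

def offenders(lines, threshold=5, interval=300):
    """IPs that reach `threshold` failures inside any `interval`-second window."""
    events = defaultdict(list)
    for parsed in filter(None, map(parse_failure, lines)):
        events[parsed[1]].append((parsed[0], parsed[2]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for ts, n in evs:
            total += n
            while (ts - evs[start][0]).total_seconds() > interval:  # expire old events
                total -= evs[start][1]
                start += 1
            if total >= threshold:
                flagged[ip] = total
                break
    return flagged

SAMPLE = [  # five of the lines dvk01 posted above, used here as sample input
    "Feb 28 16:01:02 knight sshd[23001]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:01:02 knight sshd[23003]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:04:35 knight sshd[23876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:04:35 knight sshd[23875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:04:39 knight sshd[23876]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
]
```

Running `offenders(SAMPLE)` flags 210.193.145.252 with 5 failures; with `interval=60` the two 16:01 events have expired by 16:04 and nothing is flagged.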
dvk01
Junior Member
Posts: 80
Joined: 20 Feb 2010, 18:10

Post by dvk01 »

Thanks :)