Topic: hack attempt

[rmoria]

Hi there,

For a while there has been running a script against my sme 6.01. Its gives the following messages:

Jun 21 11:12:51 nathan sshd[27893]: Failed password for root from 61.17.77.2 port 37382 ssh2
Jun 21 11:12:57 nathan sshd[27895]: Failed password for root from 61.17.77.2 port 37429 ssh2
Jun 21 11:13:02 nathan sshd[27897]: Failed password for root from 61.17.77.2 port 37475 ssh2
Jun 21 11:13:08 nathan sshd[27918]: Failed password for admin from 61.17.77.2 port 37519 ssh2
Jun 21 11:13:14 nathan sshd[27920]: Invalid user administrator from 61.17.77.2
Jun 21 11:13:14 nathan sshd[27920]: error: Could not get shadow information for NOUSER
Jun 21 11:13:14 nathan sshd[27920]: Failed password for invalid user administrator from 61.17.77.2 port 37565 ssh2
Jun 21 11:13:21 nathan sshd[27922]: Invalid user jack from 61.17.77.2
Jun 21 11:13:21 nathan sshd[27922]: error: Could not get shadow information for NOUSER
Jun 21 11:13:21 nathan sshd[27922]: Failed password for invalid user jack from 61.17.77.2 port 37616 ssh2
Jun 21 11:13:27 nathan sshd[27929]: Invalid user marvin from 61.17.77.2

And then a lot more .

How can can I block this IP adres for say 3 days after 4 failed attempts? Either unknown user or invalid password.

[arne]

I think that will be rather difficult. Se this question ..

http://forums.contribs.org/index.php?topic=27855.0

[rmoria]

Unfortunately that won't work for me. The site I connect from does not allow vpn and only port 22 is opened, so changing ssh-ports won't work.( )

I was thinking about a script using iptables and a scan on the messages.

[MikeJ]

Had the same problems. Changed the login method for the ssh access from password to ssl certificate method. So long he didn't have this certificate he may try the next few years for access.

A much better solution would be the dynamic change of the firewall rules. I had such tool installed a few years ago on the SME. It looks for log entries whit such trying of passowrds and then the tool automaticly entered a firewall rule for 24h to block that ip. Unfortunately the tool isn't still freeware. Had a look around and found some add-on for snort, which is an intrusion detection system. But not sure if somebody implemented snort for the SME.

[raem]

MikeJ

> But not sure if somebody implemented snort for the SME

It is available for sme.
Check the contribs area, do a search.

[raem]

rmoria

> Unfortunately that won't work for me. The site I
> connect from does not allow vpn and only port 22
> is opened, so changing ssh-ports won't work.

You can cry, but you are too lazy to read to the end of the thread you were referred to !

You don't need to use VPN and you don't need to change ports, just use public/private keys to ssh directly to your server and disable ssh access using standard passwords.

http://forums.contribs.org/index.php?topic=27855.0