Koozali.org: home of the SME Server

SME crashed: hundreds of authentication failures

TeNeCo
« on: March 21, 2007, 07:58:01 PM »
Two days ago one of my SME gateway servers crashed. Up to now I don't know the reason. Before the crash there were hundreds of lines like the following in the message.log:

What are those lines trying to tell me, and what else can I check?

Mar 18 13:50:58 sme sshd(pam_unix)[31231]: check pass; user unknown
Mar 18 13:50:58 sme sshd(pam_unix)[31231]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73
Mar 18 13:51:04 sme sshd(pam_unix)[31233]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=root
Mar 18 13:51:11 sme sshd(pam_unix)[31235]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=admin
Mar 18 13:51:17 sme sshd(pam_unix)[31237]: check pass; user unknown
Mar 18 13:51:17 sme sshd(pam_unix)[31237]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73
Mar 18 13:51:23 sme sshd(pam_unix)[31239]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=root
Mar 18 13:51:30 sme sshd(pam_unix)[31241]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=root
Mar 18 13:51:36 sme sshd(pam_unix)[31243]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=root

JonB
« Reply #1 on: March 21, 2007, 10:41:32 PM »
You have public access enabled to SSH on your server. Someone is running a script trying to hack into your server on SSH.

I would disable public access to SSH then do a search on the forums to find out how to lock down public SSH access by using certificates or by allowing access only from a list of IP addresses.

I think the information is in the SME Server documentation.

Jon

bpivk
« Reply #2 on: March 21, 2007, 11:33:30 PM »
Someone wants to be a hacker.  :lol:
Here you go.... This should solve all your problems.
http://wiki.contribs.org/SME_Server:Documentation:User_Manual:Chapter1
"It should just work" if it doesn't report it. Thanks!

dhardy
« Reply #3 on: March 24, 2007, 11:23:27 AM »
Copy your logs and make an abuse report to the details here:

http://www.dnsstuff.com/tools/whois.ch?ip=203.162.12.73

That IP address looks like it might belong to the British Embassy in Vietnam .... someone (probably YOU!) should tell them that THEY have been hacked and used to stage a hack on you .....

http://www.britishembassy.gov.uk/servlet/Front?pagename=OpenMarket/Xcelerate/ShowPage&c=Page&cid=1064573175652

Which is the same as http://tinyurl.com/23u3q4

It might be interesting to let us know how this pans out ....
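An added example (not code from the thread or from SME Server) that ties the first post and dhardy's suggestion together: a small Python script that parses sshd(pam_unix) lines like the ones TeNeCo posted, pairs each "check pass; user unknown" line with the failure logged under the same pid right after it (that is why some failure lines carry no `user=`), flags a host whose failures come in a burst, and pulls out the raw lines for one host to paste into an abuse report. The sample log is constructed from the posted lines plus one unrelated failure from 192.0.2.10; the year (2007, from the post date), the threshold and the window are assumptions.

```python
"""Triage sshd(pam_unix) failures of the kind shown in the first post.

Added example, not code from the thread or from SME Server. Assumptions:
the syslog year (2007, taken from the post date), the threshold/window that
counts as a brute-force run, and the extra 192.0.2.10 line in the sample.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the lines from the post plus one unrelated failure.
SAMPLE_LOG = """\
Mar 18 13:50:58 sme sshd(pam_unix)[31231]: check pass; user unknown
Mar 18 13:50:58 sme sshd(pam_unix)[31231]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73
Mar 18 13:51:04 sme sshd(pam_unix)[31233]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=root
Mar 18 13:51:11 sme sshd(pam_unix)[31235]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=admin
Mar 18 13:51:17 sme sshd(pam_unix)[31237]: check pass; user unknown
Mar 18 13:51:17 sme sshd(pam_unix)[31237]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73
Mar 18 13:51:23 sme sshd(pam_unix)[31239]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=root
Mar 18 13:51:30 sme sshd(pam_unix)[31241]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=root
Mar 18 13:51:36 sme sshd(pam_unix)[31243]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.162.12.73  user=root
Mar 18 14:02:01 sme sshd(pam_unix)[31260]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=bob
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
FAIL_RE = re.compile(
    TS + r" \S+ sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure; "
    r".*?rhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?\s*$"
)
UNKNOWN_RE = re.compile(
    TS + r" \S+ sshd\(pam_unix\)\[(?P<pid>\d+)\]: check pass; user unknown"
)


def parse_failures(text, year=2007):
    """Return a list of (timestamp, pid, rhost, user) for each failure line.

    pam_unix leaves out 'user=' when the account does not exist and logs
    'check pass; user unknown' under the same pid just before, so the two
    are paired here and such guesses are labelled '<nonexistent>'.
    """
    unknown_pids = set()
    events = []
    for line in text.splitlines():
        m = UNKNOWN_RE.match(line)
        if m:
            unknown_pids.add(m["pid"])
            continue
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user = m["user"] or ("<nonexistent>" if m["pid"] in unknown_pids else "<unknown>")
        events.append((ts, m["pid"], m["rhost"], user))
    return events


def find_bruteforce(events, threshold=5, window_seconds=120):
    """Summarise failures per rhost; flag hosts with >= threshold failures
    inside any window_seconds span (sliding window over sorted times)."""
    by_host = defaultdict(list)
    for ts, _pid, rhost, user in events:
        by_host[rhost].append((ts, user))
    report = {}
    for rhost, hits in by_host.items():
        hits.sort()
        times = [ts for ts, _ in hits]
        flagged, left = False, 0
        for right in range(len(times)):
            while (times[right] - times[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                flagged = True
                break
        report[rhost] = {
            "failures": len(hits),
            "users": sorted({u for _, u in hits}),
            "first": times[0],
            "last": times[-1],
            "brute_force": flagged,
        }
    return report


def abuse_evidence(text, events, rhost):
    """Raw log lines (failures and their paired 'user unknown' lines) for one
    host, in original order, ready to paste into an abuse report."""
    pids = {pid for _, pid, host, _ in events if host == rhost}
    return [ln for ln in text.splitlines() if any(f"[{p}]:" in ln for p in pids)]


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for host, info in find_bruteforce(evs).items():
        tag = "BRUTE FORCE" if info["brute_force"] else "ok"
        print(f"{host:16} {info['failures']:3} failures  users={info['users']}  {tag}")
    print("\n".join(abuse_evidence(SAMPLE_LOG, evs, "203.162.12.73")))
```

On the posted lines this reports 203.162.12.73 with 7 failures in 38 seconds against root, admin and a non-existent account, which is the pattern of a dictionary run rather than a user mistyping a password; the single failure from the contrasting host is left unflagged.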

TeNeCo
« Reply #4 on: March 24, 2007, 07:14:27 PM »
Today the requests are arriving from 203.95.1.200 (SHANGHAI Guangdian Electronics Group Co.,Ltd China).

Why is somebody/something so busy trying to hack a small email server?

How can I stop this? Shall I contact my own ISP who just gave me that IP-address?

I've increased the security of the SSH access by using a public/private key pair.

bpivk
« Reply #5 on: March 24, 2007, 07:57:23 PM »
Quote
I've increased the security of the SSH access by using a public/private key pair.

And did you set the "Allow secure shell access using standard passwords" to NO? If you did then the hacker won't be able to use SSH. Just keep the key safe. I have it on a memory stick and that's it.

And report the IP to abuse@domain.com, where domain is the ISP of the hacker.

Quote
Why is somebody/something so busy to hack on a small email-Server?

Some do it for fun, some for the money and some for respect. All are idiots.  :)

Quote
How can I stop this?

You already stopped them from hacking your SSH by implementing a key (I just hope that you don't have it in an ibay with a weak password).

Quote
Shall I contact my own ISP who just gave me that IP-address?

Yes, you could do that (but they don't even budge in my country). And contact eric@stnc.com.cn about this.

On doing some homework:
This guy is on a brute force list at http://www.infiltrated.net/bforcers/march.denies.uniq. He is trying to hack servers through SSH using brute force, so you shouldn't worry now that you have keys enabled.

pfloor
« Reply #6 on: March 25, 2007, 07:24:43 AM »
You will be chasing it the rest of your life.  I suggest you move your ssh port to something else like 2222 or 2022 or whatever you want.

#config setprop sshd Port 2222
#signal-event remoteaccess-update

Now your port 22 is stealth and your log files will be quiet as a mouse.
In life, you must either "Push, Pull or Get out of the way!"

bpivk
« Reply #7 on: March 25, 2007, 11:56:41 AM »
Pfloor, great idea. I would never think of that. :)
But using keys should solve his problem because he can't be hacked through SSH (unless they manage to get a key).

warren
« Reply #8 on: March 25, 2007, 12:15:39 PM »
Quote
#config setprop sshd Port 2222
#signal-event remoteaccess-update
:?:

Pfloor, should read:
#config setprop sshd TCPPort 2222
#signal-event remoteaccess-update

warren

pfloor
« Reply #9 on: March 25, 2007, 05:59:24 PM »
Quote from: "warren"
Quote
#config setprop sshd Port 2222
#signal-event remoteaccess-update
:?:

Pfloor, should read:
#config setprop sshd TCPPort 2222
#signal-event remoteaccess-update

warren
Yes, you are correct.  Sorry it was a bit late when I posted.

Quote from: "bpivk"
But using keys should solve his problem because he can't be hacked through SSH (unless they manage to get a key).

The OP was also complaining about hundreds (maybe even thousands) of failed login attempts.  Using keys will not solve that part of his problem.  The only way to quiet the logs is to use a different port.

Another good thing will happen if you change the port. Most hackers just pick IP addresses randomly. If port 22 is stealth, then the hacker's script just moves on to the next IP address and leaves you alone. This will also give you back the bandwidth (although minor) that the hackers were eating up.

I use keys and a different port myself.  My sshd logs went from 1000 failed attempts per day to NONE.  Yes that is correct, I have had ZERO ssh hacking attempts in over 3 months.  It probably isn't any more secure to change the port when using keys but it sure is a whole lot quieter on the server.
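An added example (not from the thread or from SME Server) covering the two settings the replies above turn on: bpivk's "Allow secure shell access using standard passwords" = NO, which on the sshd side is PasswordAuthentication no, and pfloor's move off port 22. The script reads plain sshd_config text rather than the SME configuration database, and it checks the one trap that matters when editing by hand: sshd keeps the first value it reads for a keyword, so a `PasswordAuthentication no` added below an earlier `yes` never takes effect. It goes beyond the thread in also checking PermitRootLogin, since root is the main target in the posted log; that check, the sshd defaults table and the sample configs are assumptions of this example.

```python
"""Audit an sshd_config for the hardening points raised in the thread:
password logins off (PasswordAuthentication no), key login on, and a port
other than 22. Added example, not from the thread or SME Server; it reads
plain sshd_config text, not the SME configuration database. Assumed
additions: PermitRootLogin is checked too (root is the main target in the
posted log), the DEFAULTS table, and the constructed sample configs.
"""
import re

# sshd defaults assumed for keywords the file does not set.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^([^\s=]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return the effective keyword -> value map (keys lower-cased).

    sshd keeps the FIRST value it reads for each keyword; later duplicates
    are silently ignored, which is the trap shown in TRAP_CONFIG below.
    Keywords after a 'Match' line are conditional and are not folded in;
    the presence of a Match block is recorded under the key 'match'.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            effective.setdefault("match", value)
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing still works")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: key-only login would lock you out")
    if get("port") == "22":
        findings.append("Port 22: expect scanner noise in the logs")
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no' (assumed policy; root is the main target in the log)")
    if "match" in cfg:
        findings.append(f"Match block present ({cfg['match']}): per-user overrides not audited")
    return findings


# Constructed samples.
WEAK_CONFIG = """\
# Password logins allowed on the default port
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
"""

TRAP_CONFIG = """\
# The second PasswordAuthentication line never takes effect: first value wins
PasswordAuthentication yes
Port 2222
PasswordAuthentication no
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
"""

MATCH_CONFIG = HARDENED_CONFIG + "Match User backup\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    samples = [("weak", WEAK_CONFIG), ("trap", TRAP_CONFIG),
               ("hardened", HARDENED_CONFIG), ("match", MATCH_CONFIG)]
    for name, cfg in samples:
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run it against the real file (`audit_sshd_config(open("/etc/ssh/sshd_config").read())`) after making the change, and confirm with `sshd -T` on the host, which prints the effective values sshd will actually use; the audit only reads the text, while the Match finding is a reminder that a per-user block can re-enable passwords for one account without changing the global line.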

bpivk
« Reply #10 on: March 25, 2007, 06:52:40 PM »
Well, I do admit that I don't check my logs (only if I suspect something is wrong), so I really don't mind if I have failed attempts logged or not, as long as my server can cope with them and my keys are in a safe place. :)