Debian Jessie 8.7: service question
#1
Hello All!

I have been seeing the following output after doing a service ssh status:

Code:
root@cardinal:~# service ssh status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
   Active: active (running) since Tue 2017-02-21 22:20:21 EST; 16h ago
  Process: 4157 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 4165 (sshd)
   CGroup: /system.slice/ssh.service
           ├─ 4165 /usr/sbin/sshd -D
           ├─24034 sshd: root [priv]
           └─24035 sshd: root [net]

Feb 22 14:55:00 cardinal sshd[24024]: Failed password for root from 122.194...h2
Feb 22 14:55:02 cardinal sshd[24024]: Failed password for root from 122.194...h2
Feb 22 14:55:05 cardinal sshd[24024]: Failed password for root from 122.194...h2
Feb 22 14:55:07 cardinal sshd[24024]: Failed password for root from 122.194...h2
Feb 22 14:55:10 cardinal sshd[24024]: Failed password for root from 122.194...h2
Feb 22 14:55:10 cardinal sshd[24024]: Disconnecting: Too many authenticatio...h]
Feb 22 14:55:10 cardinal sshd[24024]: PAM 5 more authentication failures; l...ot
Feb 22 14:55:14 cardinal sshd[24034]: pam_unix(sshd:auth): authentication f...ot
Feb 22 14:55:16 cardinal sshd[24034]: Failed password for root from 122.194...h2
Feb 22 14:55:18 cardinal sshd[24034]: Failed password for root from 122.194...h2
Hint: Some lines were ellipsized, use -l to show in full.
root@cardinal~#

Question is: how in the world do I correct the ssh system so that I will not have people failing passwords trying to log in as root? I have disabled root login, but I may have a problem with /etc/ssh/sshd_config - how can I read the information and stop these attempts? I may need to block these IP addresses from accessing BBUS, but I need to be able to READ the information - I don't think that I have ever seen the ssh service give me these warnings - is this normal? Do I have anything to worry about? I don't want to have someone try to bring me down...

Any help or advice is appreciated!

Thank You!

Brian
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply

#2
Looks like the first part of a Chinese IP brute forcing your password(s).
Reply

#3
(02-22-2017, 10:21 PM)GuiltySpark Wrote:  Looks like the first part of a Chinese IP brute forcing your password(s).

GuiltySpark:

I have added the following IPs to the ipset program
Code:
root@cardinal:~# ipset list
Name: blacklist
Type: hash:ip
Revision: 3
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 32976
References: 2
Members:
116.31.116.47
35.185.45.255
121.18.238.109
51.15.128.81
221.194.44.231
221.194.44.224
221.194.47.249
122.194.229.40

Then I checked service ssh status as root and got this:
Code:
root@cardinal:~# service sshd status -1
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
   Active: active (running) since Wed 2017-02-22 16:15:23 EST; 1h 10min ago
  Process: 25286 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 26068 (sshd)
   CGroup: /system.slice/ssh.service
           └─26068 /usr/sbin/sshd -D

Feb 22 16:15:23 cardinal sshd[26068]: Server listening on :: port 22.
Feb 22 16:16:00 cardinal sshd[26085]: Received disconnect from 121.18.238.109: 11:  [preauth]
Feb 22 16:25:55 cardinal sshd[26195]: Received disconnect from 221.194.47.249: 11:  [preauth]
Feb 22 16:26:58 cardinal sshd[26234]: Received disconnect from 221.194.44.231: 11:  [preauth]
Feb 22 16:36:34 cardinal sshd[26288]: Received disconnect from 221.194.44.224: 11:  [preauth]
Feb 22 16:43:22 cardinal sshd[26415]: Connection closed by 35.185.45.255 [preauth]
Feb 22 16:47:09 cardinal sshd[26429]: Received disconnect from 51.15.128.81: 11: Bye Bye [preauth]
Feb 22 16:57:18 cardinal sshd[26535]: fatal: no matching cipher found: client aes256-cbc,rijndael-cbc@...auth]
Feb 22 16:58:44 cardinal sshd[26580]: Received disconnect from 119.249.54.71: 11:  [preauth]
Feb 22 17:11:38 cardinal sshd[26767]: Received disconnect from 221.194.44.219: 11:  [preauth]
Hint: Some lines were ellipsized, use -l to show in full.
root@cardinal:~#

How should I proceed to BLOCK these IPs and make them stop trying to hit me? There appears to be a disconnect from each IP, but I can't use the -I option or it errors out - I may be using the improper syntax, but I wish there was a way to automatically add these rogue addresses to the firewall iptables rules for the ports too, and then add them to ipset.

I await your response.

Brian
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply

#4
What are you using to block the IPs?

Do you have any firewalls set up like IPfire or portsentry?

Edit: just noticed you have a Chinese member apparently, is this correct?
Reply

#5
GuiltySpark:

To my knowledge, I do NOT have any Chinese members that would have an account on my server. I would like to block a whole string of IPs, but I do not know how to do it effectively. It looks like they are trying to use SSH2 to get in, but I cannot seem to add that protocol.

I am using ipset and iptables to add the IPs to ipset's blacklist file, and also using iptables to add that protection.

I am not using a Linux firewall, but my netgear router has the proper setup for allowing me to connect to my server and other machines.

How should I proceed?

Brian
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply

#6
Have a look at this:

https://linux-audit.com/blocking-ip-addresses-in-linux-with-iptables/

It should tell you how to setup ipset correctly.
Reply

#7
GuiltySpark:

I will take a look at this. Thank you for the information.

Brian

GuiltySpark:

Is there a way to block something like this

221.194.44.*
221.194.231.*

etc. This way I can try to take out the whole 221.194. range, for example.

Brian
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply

#8
I don't think you can create a wildcard such as 192.224.* which would block that entire range. Instead you may have to create a hash:net list.

This site might help you better understand it:

https://xmodulo.com/block-unwanted-ip-addresses-linux.html
Reply

#9
(02-22-2017, 11:59 PM)GuiltySpark Wrote:  I don't think you can create a wildcard such as 192.224.* which would block that entire range. Instead you may have to create a hash:net list.

This site might help you better understand it:

https://xmodulo.com/block-unwanted-ip-addresses-linux.html

GuiltySpark:

I was able to install Fail2ban, and I am getting a log from /var/log/fail2ban.log - It seems as if it only bans for maybe a day, but with the number of attempts, I would like to make it a WEEK - If I extend the bantime to a week, I will hopefully be able to stop some of these stupid attempts - If I do a 'sudo iptables -L' I get:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (2 references)
target     prot opt source               destination
REJECT     all  --  ip-46-34-137-136.pppoe.celecom.ru  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  119.145.28.200       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  31.163.115.223       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  39.73.219.158        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  58.218.199.165       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  101.30.63.26         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  S0106ac9e17678450.cg.shawcable.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  183.106.211.146      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  223.166.167.119      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  170.78.158.87        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  185.136.151.107      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  5.36.111.101.dynamic-dsl-ip.omantel.net.om  anywhere             reject-with icmp-port-un$
[Note: I only gave you a sample of the listing. Here is a fail2ban log:]

Code:
brian@cardinal:~$ sudo tail /var/log/fail2ban.log
2017-03-13 12:14:33,223 fail2ban.filter         [798]: INFO    [sshd] Found 27.22.229.64
2017-03-13 12:14:33,506 fail2ban.actions        [798]: NOTICE  [sshd] Ban 27.22.229.64
2017-03-13 12:14:43,641 fail2ban.filter         [798]: WARNING Determined IP using DNS Lookup: d28-23-87-232.dim.wideopenwest.com = ['23.28.232.87']
2017-03-13 12:14:43,642 fail2ban.filter         [798]: INFO    [sshd] Found 23.28.232.87
2017-03-13 12:14:45,982 fail2ban.filter         [798]: INFO    [sshd] Found 23.28.232.87
2017-03-13 12:14:47,851 fail2ban.filter         [798]: INFO    [sshd] Found 23.28.232.87
2017-03-13 12:14:48,733 fail2ban.actions        [798]: NOTICE  [sshd] Ban 23.28.232.87
2017-03-13 12:14:49,195 fail2ban.filter         [798]: INFO    [sshd] Found 23.28.232.87
2017-03-13 12:18:09,952 fail2ban.filter         [798]: INFO    [sshd] Found 116.31.116.47
2017-03-13 12:18:11,875 fail2ban.filter         [798]: INFO    [sshd] Found 116.31.116.47
brian@cardinal:~$


Here is /var/log/auth.log
Code:
brian@cardinal:~$ sudo tail /var/log/auth.log
[sudo] password for brian:
Mar 13 12:25:45 cardinal sshd[4543]: Failed password for root from 218.204.46.30 port 52397 ssh2
Mar 13 12:25:46 cardinal sshd[4543]: Received disconnect from 218.204.46.30: 11: ok [preauth]
Mar 13 12:29:36 cardinal sshd[4564]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.47  user=root
Mar 13 12:29:38 cardinal sshd[4564]: Failed password for root from 116.31.116.47 port 60258 ssh2
Mar 13 12:29:44 cardinal sshd[4564]: Failed password for root from 116.31.116.47 port 60258 ssh2
Mar 13 12:29:46 cardinal sshd[4564]: Failed password for root from 116.31.116.47 port 60258 ssh2
Mar 13 12:39:01 cardinal CRON[4661]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 13 12:39:01 cardinal CRON[4661]: pam_unix(cron:session): session closed for user root
Mar 13 12:45:15 cardinal sudo:    brian : TTY=pts/2 ; PWD=/home/brian ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Mar 13 12:45:15 cardinal sudo: pam_unix(sudo:session): session opened for user root by brian(uid=0)
brian@cardinal:~$

and iptables -S
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 46.34.137.136/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 119.145.28.200/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 31.163.115.223/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 39.73.219.158/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 58.218.199.165/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 101.30.63.26/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 184.64.204.192/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 183.106.211.146/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 223.166.167.119/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 170.78.158.87/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 185.136.151.107/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 5.36.111.101/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 180.105.126.64/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 190.50.238.130/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 59.111.97.230/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 49.85.87.142/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 58.246.235.51/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 181.24.161.70/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 122.243.172.46/32 -j REJECT --reject-with icmp-port-unreachable
(snipped for brevity)

I just have to be able to enable the other jails and make sure that they work [http/https: ddos]. As you can see, it looks like it is working - but I want to extend the ban time for the offenders, and then log the attempts to the appropriate files. Problem is, if I have to add an IP to iptables each time, a 'sudo iptables -L' would generate a list probably longer than my arm - however, I am pleased to report that, for the most part, it seems to work - if I can figure out log rotation, I think that would be awesome.

(btw: root access logins have been disabled with 'PermitRootLogin no' in sshd_config.) I will only use sudo to do this.

I just want to make sure that enabling jails in jail.local does not break the fail2ban service.

Thank You for your help!

Brian
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply
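
The two questions running through this thread are how to read which addresses are failing logins in auth.log, and how to block a whole range like 221.194.44.* (which needs a hash:net set, as GuiltySpark says, rather than the hash:ip set shown earlier). The following Python is an added example, not code from the thread, fail2ban or ipset: it parses auth.log-style lines like those posted above, groups repeat offenders by /24, turns a trailing-wildcard pattern into the CIDR form ipset accepts, and emits the ipset/iptables commands. The sample log lines and the set name blacklist-net are constructed for the example.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# sshd's "Failed password" line as it appears in auth.log earlier in this thread.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2")

# Constructed sample in that format (not the poster's real log).
SAMPLE_AUTH_LOG = """\
Mar 13 12:25:45 cardinal sshd[4543]: Failed password for root from 218.204.46.30 port 52397 ssh2
Mar 13 12:25:46 cardinal sshd[4543]: Received disconnect from 218.204.46.30: 11: ok [preauth]
Mar 13 12:29:38 cardinal sshd[4564]: Failed password for root from 116.31.116.47 port 60258 ssh2
Mar 13 12:29:44 cardinal sshd[4564]: Failed password for root from 116.31.116.47 port 60258 ssh2
Mar 13 12:31:02 cardinal sshd[4590]: Failed password for invalid user admin from 221.194.44.231 port 41022 ssh2
Mar 13 12:31:05 cardinal sshd[4590]: Failed password for invalid user admin from 221.194.44.231 port 41022 ssh2
Mar 13 12:33:40 cardinal sshd[4612]: Failed password for root from 221.194.44.224 port 55120 ssh2
Mar 13 12:33:43 cardinal sshd[4612]: Failed password for root from 221.194.44.224 port 55120 ssh2
Mar 13 12:39:01 cardinal CRON[4661]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()

def failed_attempts(lines):
    """Count failed sshd password attempts per source IP; unrelated lines are skipped."""
    matches = (FAILED_RE.search(line) for line in lines)
    return Counter(m.group("ip") for m in matches if m)

def range_candidates(counts, threshold=2, prefix=24, min_sources=2):
    """/prefix networks holding >= min_sources IPs with >= threshold failures each."""
    by_net = defaultdict(set)
    for ip, n in counts.items():
        if n >= threshold:
            by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return sorted(str(net) for net, srcs in by_net.items() if len(srcs) >= min_sources)

def wildcard_to_cidr(pattern):
    """'221.194.44.*' -> '221.194.44.0/24', the form a hash:net set accepts."""
    octets = pattern.split(".")
    n_fixed = len(octets) - octets.count("*")
    # Only trailing wildcards describe a single CIDR block ('221.194.*.5' does not).
    if not 0 < n_fixed < len(octets) <= 4 or "*" in octets[:n_fixed]:
        raise ValueError(f"not a trailing-wildcard pattern: {pattern}")
    addr = ".".join(octets[:n_fixed] + ["0"] * (4 - n_fixed))
    return str(ipaddress.ip_network(f"{addr}/{8 * n_fixed}"))

def ipset_commands(set_name, nets):
    """Commands to load the nets into a hash:net set and drop matching SSH traffic."""
    return ([f"ipset create {set_name} hash:net -exist"]
            + [f"ipset add {set_name} {net} -exist" for net in nets]
            + [f"iptables -I INPUT -p tcp --dport 22 -m set --match-set {set_name} src -j DROP"])
```

Running `ipset_commands("blacklist-net", range_candidates(failed_attempts(SAMPLE_AUTH_LOG)))` on the sample yields a set containing only 221.194.44.0/24, since 116.31.116.47 is the sole repeat offender in its /24 and stays a per-host ban.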

#10
Having never used fail2ban I'm not sure what it is / is not capable of. Will have to do some checking and get back to you.
Reply
