Thread: Reporting SSH break-in attempts

  1. #1
    Registered User
    Join Date
    Jan 2010
    Posts
    412

    Reporting SSH break-in attempts

    I recently started running a small Linux webserver and I've noticed a lot of IPs (mostly from China and Korea) connecting to the SSH daemon and brute-forcing passwords.
    I have been looking up the IPs in ARIN's database and sending reports of the break-in attempts along with the relevant parts of sshd's log files to the abuse address listed by ARIN. But it seems that all ISPs just ignore this, because the same IP addresses just keep hammering the server for months.
    Am I doing something wrong, or is it just normal policy that ISPs ignore these kinds of reports?

    On a side note, I'm not worried about someone actually managing to gain access to the server because I have disabled all password-based authentication. But it is kind of annoying that no one seems to care about the people doing this.
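The poster says password authentication is disabled. As an added illustration (this is not the poster's configuration file), the sshd_config settings that actually achieve that, with the one that is commonly forgotten marked; the values are assumed defaults for a key-only server, not something the thread states:

```text
# /etc/ssh/sshd_config (fragment). Added example; the settings are assumed, not the poster's file.
PasswordAuthentication no
# Without this, PAM can still prompt for a password over keyboard-interactive auth,
# so "PasswordAuthentication no" alone does not stop password guessing.
# OpenSSH 8.7 and later call this option KbdInteractiveAuthentication; the old name is still accepted.
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Older spelling; newer releases accept "prohibit-password" with the same meaning.
PermitRootLogin without-password
MaxAuthTries 3
```

To check the effective configuration rather than the file, run `sshd -T | grep -iE 'passwordauthentication|challengeresponseauthentication|kbdinteractiveauthentication'` on the server and confirm each prints `no`; from another host, `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host` should be refused immediately with "Permission denied (publickey)" instead of showing a password prompt.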

  2. #2
    {Jaxom,Imriel,Liam}'s Dad Kennedy's Avatar
    Join Date
    Aug 2006
    Location
    Alabama
    Posts
    1,065
    If you are worried that someone may hack you on that port, either disable those services or REMAP the ones you need to some really ugly high port number. Running inetd, it is as simple as modifying the /etc/services database. If you are running sshd standalone, the listening port number is in the config file.

  3. #3
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    If a machine is on the net, it will be continuously probed. Just a fact of life. You could waste a month tracking one person down, and maybe even succeed... 1 down, 10 million to go.
    Code:
    //try
    //{
    	if (a) do { f( b); } while(1);
    	else   do { f(!b); } while(1);
    //}

  4. #4
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by _Mike View Post
    I have been looking up the IPs in ARIN's database and sending reports of the break-in attempts along with the relevant parts of sshd's log files to the abuse address listed by ARIN. But it seems that all ISPs just ignore this, because the same IP addresses just keep hammering the server for months.
    What do you expect them to do? They cannot just take your word for it and start blacklisting IPs because someone claims there is a problem. Should they launch an investigation? That may be beyond the scope of the individual ISP.

    But it is kind of annoying that no one seems to care about the people doing this.
    I imagine there is a lot of concern, but obviously it is not an easy thing to stop. Since some of this is probably very elaborate, well-funded and equipped military operations (they are wrangling botnets for DoS attacks), just blacklisting IPs is unlikely to solve the problem (and could easily create more).

    Yarin had a sort of related thread here a while back that was unfortunately lost during one of the database crashes. He actually listed a bunch of IPs and we were doing lookups on them. You can blacklist those IPs yourself if you want -- that's what Yarin was doing; I cannot remember the name of the software he was using to do it.

    So if you can just blacklist them yourself, your problem is solved. Individuals taking responsibility for themselves and setting their own policies is probably the best solution here.
    Last edited by MK27; 03-25-2010 at 11:57 AM.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  5. #5
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by MK27 View Post
    You can blacklist those IPs yourself if you want -- that's what Yarin was doing; I cannot remember the name of the software he was using to do it.
    Pretty sure this is it:
    Welcome to DenyHosts

    It would be simple to implement this with /etc/hosts.deny, using your sshd log, of course*. Probably easier than installing software.

    * that's a long running normative practice, which might be why no one considers this their responsibility (it's yours).
    Last edited by MK27; 03-25-2010 at 12:10 PM.

  6. #6
    Registered User
    Join Date
    Jan 2009
    Posts
    1,485
    Quote Originally Posted by MK27 View Post
    You can blacklist those IPs yourself if you want -- that's what Yarin was doing; I cannot remember the name of the software he was using to do it.
    There might be other ways, but you can do this in the firewall, if it permits you to add these kinds of rules to your config file. ipfw allows this, for example.
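Post #5 suggests building /etc/hosts.deny entries from the sshd log and post #6 suggests doing the same blocking in the firewall. The script below is an added example that serves both; it is written for this edit and is not code from the thread, from DenyHosts or from any of the posters. The log lines are constructed samples in the usual syslog shape, the 192.0.2.0/24 allowlist stands in for "my own network", port 22 is assumed (change it if sshd was remapped as post #2 suggests), and the rule strings for ipfw and iptables are the shapes I would use, not something the thread gives:

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (syslog format); not taken from the thread.
SAMPLE_LOG = """\
Mar 25 11:02:13 web sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 25 11:02:15 web sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 25 11:02:17 web sshd[1201]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 25 11:02:20 web sshd[1207]: Invalid user oracle from 198.51.100.9
Mar 25 11:02:21 web sshd[1207]: Failed password for invalid user oracle from 198.51.100.9 port 4022 ssh2
Mar 25 11:03:01 web sshd[1210]: Accepted publickey for mike from 192.0.2.5 port 40000 ssh2
Mar 25 11:03:05 web sshd[1212]: Failed password for mike from 192.0.2.5 port 40002 ssh2
Mar 25 11:03:06 web sshd[1212]: Failed password for mike from 192.0.2.5 port 40002 ssh2
Mar 25 11:03:07 web sshd[1212]: Failed password for mike from 192.0.2.5 port 40002 ssh2
"""

# The username field is chosen by the client and may itself contain text like
# "x from 10.0.0.1 port 1 ssh2", so match greedily and anchor on the LAST
# "from <ip> port <n> ssh2" at end of line: that part is written by sshd from the
# socket address, not from anything the client typed.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .+ from (\S+) port \d+ ssh2\s*$")


def count_failures(log_text):
    """Count failed-password attempts per source IP, dropping anything that is not a literal IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(1))  # never write unvalidated log text into a block list
        except ValueError:
            continue
        counts[str(addr)] += 1
    return counts


def offenders(log_text, threshold=3, allow=("192.0.2.0/24",)):
    """Return [(ip, failures)] for sources at or above threshold, skipping allowlisted networks.

    The allowlist is the guard against locking yourself out, or against a forged
    entry (the worry raised in post #8) getting a friendly address blocked.
    192.0.2.0/24 is an assumed "my own network" for the example.
    """
    allowed = [ip_network(n) for n in allow]
    result = []
    for ip, n in count_failures(log_text).most_common():
        if n < threshold:
            continue
        if any(ip_address(ip) in net for net in allowed):
            continue
        result.append((ip, n))
    return result


def hosts_deny_lines(ips):
    """Entries in TCP Wrappers /etc/hosts.deny syntax (only honoured if sshd is built with libwrap)."""
    return ["sshd: %s" % ip for ip in ips]


def firewall_rules(ips, backend="iptables", port=22):
    """Equivalent packet-filter rules; port 22 is assumed, change it if sshd was remapped."""
    if backend == "ipfw":
        return ["ipfw add deny tcp from %s to any %d" % (ip, port) for ip in ips]
    if backend == "iptables":
        return ["iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port) for ip in ips]
    raise ValueError("unknown backend: %s" % backend)


if __name__ == "__main__":
    bad = [ip for ip, _ in offenders(SAMPLE_LOG)]
    print("\n".join(hosts_deny_lines(bad)))
    print("\n".join(firewall_rules(bad, "ipfw")))
```

On the sample input only 203.0.113.7 crosses the threshold: 198.51.100.9 has a single failure and 192.0.2.5, despite three failures, is inside the allowlist. One caveat on the hosts.deny route: it depends on sshd being linked against libwrap, and OpenSSH dropped tcp_wrappers support in 6.7, so on a current system the firewall rules are the ones that actually take effect.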

  7. #7
    Registered User
    Join Date
    Jan 2010
    Posts
    412
    Quote Originally Posted by MK27 View Post
    What do you expect them to do? They cannot just take your word for it and start blacklisting IPs because someone claims there is a problem. Should they launch an investigation? That may be beyond the scope of the individual ISP.
    I expected them to check their logs to verify that there's a ton of connections going from one of their IPs to my IP address.

    It would be simple to implement this with /etc/hosts.deny, using your sshd log, of course*. Probably easier than installing software.

    * that's a long running normative practice, which might be why no one considers this their responsibility (it's yours).
    I agree that it is my responsibility to keep my server secure. And I'm pretty sure it is, barring OpenSSH having some unknown exploit.
    It's just that, what's the point of listing an abuse address record in the whois database if they don't investigate incoming reports? If there had been none listed I would just have moved on without a thought. But listing such an address is like saying "hey, if one of our customers misbehaves we want to know about it".

    Or maybe I'm just overreacting

  8. #8
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by _Mike View Post
    It just that what's the point of listing an abuse address record in the whois database if they don't investigate incoming reports?
    You might want to check out that DenyHosts thing; I believe they in fact do pool data from the user base. My worry about that would be users who maliciously spoof data into the database, just to get some IPs blocked, or whatever.

    But listing such as address is like saying "hey, if one of our customers misbehaves we want to know about it"
    That won't make them any money.

    Or maybe I'm just overreacting
    If it's any consolation, the reason I haven't taken an interest in this before is I do work on a couple of servers that have been around for more than a decade and have public profiles. We use ssh there, but no one bothers with this. And they are not an incompetent bunch IMO (one dude works for NASA doing programming, for what that is worth vis-à-vis security*, etc.). At one point I was writing some utilities for the server, and I had to be honest about my lack of experience and that I wanted to explicitly discuss security because it seemed to me there should be people around who would want to do bad things to the site.

    What that came down to was no one had ever, to anyone's knowledge, breached the security. However, it is very important to note here that the ssh on those servers all use keys and not just passwords. But we still don't track break-in attempts (as you are aware, they are futile). I think this would be more of an issue where the added stress matters, but these are not very high traffic.

    * maybe not much, I dunno, I just think it's cool a dude works for NASA. He could be a spy.
    Last edited by MK27; 03-25-2010 at 01:26 PM.
