

On Wed, 2007-08-08 at 02:09 +0530, Vivek J. Patankar wrote:
> One of my servers has a public interface. It is hit by ssh login 
> attempts on a daily basis and the count for that goes into the thousands 
> per week. The usernames that have been tried are root, admin, 
> administrator, etc.
> For the last couple of weeks I have been getting a lot of login attempts 
> for a user called "NOUSER". There were over 12000 during the week ending 
> 5th August. The sources of the attempts are geographically 
> distributed, Norway, US, Korea, Taiwan, India, etc. But the username is 
> always the same, "NOUSER". I am guessing this is some kind of worm.
> Aug  6 17:57:57 <HOSTNAME> pam_tally[28966]: pam_tally: pam_get_uid; no such user NOUSER
> Has anybody else seen such activity or has more information about it? 
> Anything I should worry about?
> If it matters, the box runs an up-to-date FC6.

Welcome to the Internet.  This is a very common hack attempt.  Someone
(usually script kiddies) is trying to get into your box.

I have iptables rules that only allow ssh tries from our networks or
machines I know of.  To wit:

# Accept SSH from our networks...
-A INPUT -s aaa.bbb.ccc.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ddd.eee.fff.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
# Accept SSH from my machine at home...
-A INPUT -s ggg.hhh.iii.jjj/32 -p tcp -m tcp --dport 22 -j ACCEPT
(more rules...)

At the end, put in a blanket "don't allow SSH from anywhere else" rule:

# Block any ssh attempts from outside our network...
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable

If you must leave ssh open to the outside world, use a simple iptables
ruleset to limit attempts:

# This rejects ssh attempts more than twice in 180 seconds...
# First, mark attempts as part of the "sshattack" group...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Optional: Include this line if you want to log these attacks...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
# Finally, reject the connection if more than one attempt is made in 180 seconds...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

If more than one ssh attempt is made in 180 seconds (three minutes)
from a given IP address, this blocks that IP address for that duration.
You get one try.  If you fail, you must wait 3 minutes before you can
try again.

Note that even a successful login is counted.  If you log in and
immediately log out, you still have to wait 3 minutes to get in again.

Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
yourself two tries to get in.  You can also change the "--seconds 180"
to "--seconds 300" to make the delay 5 minutes.  The values I give above
are enough to discourage most script kiddie attempts to get into your

Your mileage may vary.

- Rick Stevens, Principal Engineer             rstevens internap com -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-              Where there's a will, I want to be in it.             -
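The three-rule "recent" chain above is easy to misread, so here is an added simulation (not part of the mail, and not iptables code) that models how xt_recent evaluates `--set` followed by `--rcheck --seconds 180 --hitcount 2` per source address; the class name, the constructed sample SYN timeline and the 20-entry stamp limit (the kernel's default ip_pkt_list_tot) are assumptions made for the example.

```python
from collections import defaultdict

# Assumed constants mirroring the rules in the mail: --seconds 180 --hitcount 2.
WINDOW_SECONDS = 180
HITCOUNT = 2
MAX_STAMPS = 20  # xt_recent keeps a bounded per-address stamp list (assumed default)


class RecentSshLimiter:
    """Model of the chain: --set, then --rcheck (LOG), then --rcheck (REJECT).

    Every inbound SYN first updates the source entry (--set), so rejected
    attempts are counted too and push the 'seen within 180 s' window forward.
    """

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, max_stamps=MAX_STAMPS):
        self.seconds = seconds
        self.hitcount = hitcount
        self.max_stamps = max_stamps
        self.stamps = defaultdict(list)  # source IP -> SYN timestamps (seconds)

    def _hits_in_window(self, src, now):
        # --rcheck --seconds N --hitcount M: count stamps no older than N seconds
        return sum(1 for t in self.stamps[src] if now - t <= self.seconds)

    def syn(self, src, now):
        """Return 'ACCEPT' or 'REJECT' for a SYN from src arriving at time now."""
        # Rule 1: -m recent --name sshattack --set  (add/update entry, record stamp)
        lst = self.stamps[src]
        lst.append(now)
        if len(lst) > self.max_stamps:
            del lst[0]
        # Rules 2/3: --rcheck --seconds 180 --hitcount 2 -> LOG, then REJECT
        if self._hits_in_window(src, now) >= self.hitcount:
            return "REJECT"
        return "ACCEPT"  # falls through to whatever ACCEPT rule follows


def simulate(events, **kw):
    """events: constructed, time-ordered list of (time, src); returns verdicts."""
    limiter = RecentSshLimiter(**kw)
    return [limiter.syn(src, t) for t, src in events]


# Constructed sample: .5 hammers and keeps resetting its own lockout,
# .9 waits a full window between tries, .7 is an unrelated single attempt.
SAMPLE = [(0, "10.0.0.5"), (0, "10.0.0.9"), (5, "10.0.0.7"), (10, "10.0.0.5"),
          (170, "10.0.0.5"), (181, "10.0.0.9"), (200, "10.0.0.5"), (381, "10.0.0.5")]

if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={t:4d}s {src}: {verdict}")
```

The run shows the point the mail makes in prose: a host gets one try, and the 180-second clock restarts on every rejected SYN, so a retry at t=200 is still refused and the source must stay quiet for a full window before it is accepted again.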
