Brute force attack

Waiter00 · 19. November 2015

Hi Guys

Some advice please.

My omv is under continual attack, Fail2Ban is banning about 6 IP addresses a day. So far none have got though, I'm beginning to think that it may be the same couple of people using a proxy to give them a different IP address.I closed port 22 on the router and that stopped them for a couple of days, but they are back on other ports that are not open on the router. Here a few examples reports.

Thanks in advance

The IP 210.73.211.34 has just been banned by Fail2Ban after3 attempts against ssh.Here are more information about 210.73.211.34:Lines containing IP:210.73.211.34 in /var/log/auth.logNov 19 09:39:07 omv sshd[30309]: Invalid user zhangyan from 210.73.211.34Nov 19 09:39:07 omv sshd[30309]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.73.211.34Nov 19 09:39:09 omv sshd[30309]: Failed password for invalid user zhangyan from 210.73.211.34 port 37528 ssh2Nov 19 09:39:19 omv sshd[30325]: Invalid user dff from 210.73.211.34Nov 19 09:39:19 omv sshd[30325]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.73.211.34

The IP 183.39.119.205 has just been banned by Fail2Ban after3 attempts against ssh.Here are more information about 183.39.119.205:Lines containing IP:183.39.119.205 in /var/log/auth.logNov 18 22:24:49 omv sshd[23567]: Invalid user zhangyan from 183.39.119.205Nov 18 22:24:49 omv sshd[23567]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.39.119.205Nov 18 22:24:51 omv sshd[23567]: Failed password for invalid user zhangyan from 183.39.119.205 port 57541 ssh2Nov 18 22:25:02 omv sshd[23571]: Invalid user dff from 183.39.119.205Nov 18 22:25:02 omv sshd[23571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.39.119.205

The IP 177.159.102.108 has just been banned by Fail2Ban after3 attempts against ssh.Here are more information about 177.159.102.108:Lines containing IP:177.159.102.108 in /var/log/auth.logNov 19 06:43:52 omv sshd[25364]: Did not receive identification string from 177.159.102.108Nov 19 06:44:10 omv sshd[25365]: reverse mapping checking getaddrinfo for 177.159.102.108.static.gvt.net.br [177.159.102.108] failed - POSSIBLE BREAK-IN ATTEMPT!Nov 19 06:44:10 omv sshd[25365]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=177.159.102.108 user=adminNov 19 06:44:12 omv sshd[25365]: Failed password for admin from 177.159.102.108 port 61104 ssh2Nov 19 06:44:12 omv sshd[25365]: Received disconnect from 177.159.102.108: 11: Bye Bye [preauth]Nov 19 06:44:29 omv sshd[25369]: reverse mapping checking getaddrinfo for 177.159.102.108.static.gvt.net.br [177.159.102.108] failed - POSSIBLE BREAK-IN ATTEMPT!Nov 19 06:44:29 omv sshd[25369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=177.159.102.108 user=rootNov 19 06:44:31 omv sshd[25369]: Failed password for root from 177.159.102.108 port 61575 ssh2Nov 19 06:44:31 omv sshd[25369]: Received disconnect from 177.159.102.108: 11: Bye Bye [preauth]Nov 19 06:44:49 omv sshd[25377]: reverse mapping checking getaddrinfo for 177.159.102.108.static.gvt.net.br [177.159.102.108] failed - POSSIBLE BREAK-IN ATTEMPT!Nov 19 06:44:49 omv sshd[25377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=177.159.102.108 user=rootNov 19 06:44:51 omv sshd[25377]: Failed password for root from 177.159.102.108 port 62028 ssh2Nov 19 06:44:51 omv sshd[25377]: Received disconnect from 177.159.102.108: 11: Bye Bye [preauth]

tinh_x7 · 19. November 2015

Have you try to use a private key?
Disable SSH root login, & password authentication from OMV web gui ?
Change SSH to an alternative port.

From what I seeing:

The first two IPs were from China, the other was from Brazil.

gderf · 19. November 2015

If you have a host running sshd facing the internet, especially one running on the standard port 22, it will be under frequent attack as you have observed. Welcome to the Internet

Changing the listening port will dramatically reduce these attacks. If your objective is to quiet down the logs, this will be a big help.

While disabling password authentication and forcing the use of public/private key authentication will enhance security, this will not prevent attempts to log in with username/password. The result will still be failed login attempts, the description in the sshd logs will be different, but just as annoying.

While fail2ban can be useful, it is way too noisy for me in most standard configurations, so I don't use it here on LAN connected devices - my firewall/router handles everything very well.

I do run the denyhosts package on sshd machines as it is limited to catching only sshd attacks, the very, very few that do get thru on the non-standard port.

One attempt per month would be considered a lot here, whereas when running on port 22, I would see several per hour, every hour, 24/7/365.

latimeria · 19. November 2015

I think it's quite normal if you expose your machine over the internet and the best solution should be to open just the protocols you really need and if possible to use a VPN connection from outside.
You did not fully explain your scenario so it could be quite hard for "security experts" to help you in finding a solution.
You could find tons of articles making a google search ( something like this https://www.rackaid.com/blog/h…-ssh-brute-force-attacks/)about how to secure your machine but you cannot stop hackers from trying to breaking in.

tekkb · 19. November 2015

Use your router and port forward a non-standard port to the standard. Then you don't even have to mess with OMV.

Since latimeria mentioned VPN, I personally don't open SSH to the internet. I make VPN connection first and then use SSH if I need it.

earbiter · 19. November 2015

Or you could set up a knock daemon so your port always appears closed until you 'knock' - https://www.digitalocean.com/c…-from-attackers-on-ubuntu

Waiter00 · 20. November 2015

Thanks I'll start on these right away.

I've changed the listen port.

tekkb · 20. November 2015

I think that is stupid. If you have 4 machines behind a firewall you are going to change at least 3/4 server configs and then have to do 4 port opens on a router. You could just do 4 port forwards, from a non-standard port to the standard port, on the router and be done with it, nothing on the SSH servers....

Waiter00 · 23. November 2015

Changing the listening port has cured the problem even though I had closed port 22 on the router already. Its nice not to receive all those reports of failed attacks.

I'll make the changes on the router later today and go back to listening port 22 then give it a couple of days and see if my friends start attacking again.

Thanks for the advice everyone.

ryecoaaron · 23. November 2015

It is probably a bot doing the attacks. It won't "forget" you. I would leave it running on a non-standard port.

pedropt · 19. Dezember 2015

you can always establish a rule to close port 80 or 443 depending if you are using https or not to webgui , and close port 22 also to internet .
In my primary server for my website , witch is a raspberry , i configured it to open port 22 , 3389 only to my local lan , and to a specific ip from it .
my openmediavault server runs over a NAT rule configured on raspberry under a specific port .
with iptables you can solve your problem easily .
However , if you need to connect to your server remotely from internet , then you should configure a port knocking configuration on iptables .
This way it will be very hard from someone find the right configuration to open port 22 .
check out how to configure port knocking over this next weblink using iptables rules .
https://www.digitalocean.com/c…iptables-on-an-ubuntu-vps

Jetzt mitmachen!