another lot of sshd not being blocked

Posted: 28 Feb 2010, 17:42
by dvk01
Started getting these warnings today & not blocked in csf/lfd.
Have ssh changed their log formats yet again, or are the hackers trying a new method?

Cheers

Derek

Feb 28 16:01:02 knight sshd[23001]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:01:02 knight sshd[23003]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:04:35 knight sshd[23876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:04:35 knight sshd[23875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:04:39 knight sshd[23876]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root
Feb 28 16:04:39 knight sshd[23875]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root

Posted: 15 Mar 2010, 09:21
by chirpy
That's not a format I recognise, what version of openSSH is that and what OS?

Posted: 15 Mar 2010, 10:09
by dvk01
Package openssh-4.3p2-36.el5_4.4.i386
Package openssh-clients-4.3p2-36.el5_4.4.i386
Package openssh-server-4.3p2-36.el5_4.4.i386


CENTOS 5.4 i686
cPanel 11.25.0-R43473 - WHM 11.25.0 - X 3.9

Posted: 18 Mar 2010, 08:44
by valkira
This can be quite annoying; I've received 2k emails tonight:

lfd on xxx.yyy.com: blocked 208.82.108.36 (US/United States/clay.county.health.108.82.208.in-addr.arpa)

Time:     Thu Mar 18 05:44:15 2010 +0100
IP:       208.82.108.36 (US/United States/clay.county.health.108.82.208.in-addr.arpa)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

Mar 18 05:44:11 hc sshd[8421]: Invalid user tcpdump from 208.82.108.36
Mar 18 05:44:11 hc sshd[8421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=208.82.108.36
Mar 18 05:44:11 hc sshd[8420]: Invalid user tcpdump from 208.82.108.36
Mar 18 05:44:11 hc sshd[8420]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=208.82.108.36
Mar 18 05:44:12 hc sshd[8418]: Failed password for invalid user tenetko from 208.82.108.36 port 57405 ssh2

I have the same openssh versions as dvk01 on CentOS 5.4 i386; cPanel 11.25.0-C43473; csf v4.99

Also, I've already disabled DNS usage as explained on showthread.php?t=2974&highlight=pam_uni ... failure%3B

Posted: 19 Mar 2010, 13:51
by xsr
Have you tried configuring ssh on an alternative port? It sure prevents most drive-by brute force scripts from operating.
In our environment we don't even allow ssh unless it is to certain fixed IP addresses (for staff use only).
2k warning emails is a lot; it almost seems targeted.

Posted: 20 Mar 2010, 12:28
by valkira
Actually I didn't configure ssh on another port because it didn't even come to my mind (yeah, silly of me :) )

As for allowing ssh, we use the same policy, but we need one server open when we're out of the office. But we can change this. We will just have to connect to our Cisco router with the VPN client and go from there :)

Posted: 29 Mar 2010, 10:04
by chirpy
Feb 28 16:04:35 knight sshd[23876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252 user=root
This format is now detected by lfd.
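
To show what detecting these lines involves, here is an added example (not csf/lfd's own code) that matches the sshd failure formats quoted in this thread and applies the "5 failures in 300 seconds" rule from valkira's lfd notice; the regexes, the year value and the "Accepted publickey" sample line are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# One pattern per sshd failure format seen in this thread; the first covers both
# "pam_unix(sshd:auth): authentication failure" and "PAM N more authentication failure".
PATTERNS = [
    re.compile(r"sshd\[\d+\]: (?:pam_unix\(sshd:auth\): |PAM \d+ more )authentication failure.*?rhost=(?P<ip>[\d.]+)"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>[\d.]+)"),
]
TIMESTAMP = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) ")

# Sample input: dvk01's six lines and one of valkira's from this thread, plus
# one constructed successful login that must not count as a failure.
SAMPLE_LOG = [
    "Feb 28 16:01:02 knight sshd[23001]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:01:02 knight sshd[23003]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:04:35 knight sshd[23876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:04:35 knight sshd[23875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:04:39 knight sshd[23876]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Feb 28 16:04:39 knight sshd[23875]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.193.145.252  user=root",
    "Mar 18 05:44:12 hc sshd[8418]: Failed password for invalid user tenetko from 208.82.108.36 port 57405 ssh2",
    "Mar 18 05:50:00 hc sshd[9000]: Accepted publickey for derek from 192.0.2.10 port 40000 ssh2",  # constructed
]

def parse_line(line, year=2010):
    # Return (timestamp, source IP) for a recognised failure line, else None.
    m = TIMESTAMP.match(line)
    for pat in PATTERNS:
        if m and (hit := pat.search(line)):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            return ts, hit.group("ip")
    return None

def offenders(lines, threshold=5, interval=300):
    # IPs with `threshold` or more failures inside any `interval`-second window
    # (5 failures / 300 seconds in valkira's lfd notice; assumes each matching line is one failure).
    events = defaultdict(list)
    for line in lines:
        if parsed := parse_line(line):
            events[parsed[1]].append(parsed[0])
    blocked = set()
    for ip, times in events.items():
        times.sort()
        if any((times[i] - times[i - threshold + 1]).total_seconds() <= interval
               for i in range(threshold - 1, len(times))):
            blocked.add(ip)
    return blocked
```

Run against SAMPLE_LOG, only 210.193.145.252 crosses the threshold: its six failures fall inside 217 seconds, while the single failure from 208.82.108.36 does not.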

Posted: 29 Mar 2010, 10:15
by dvk01
Thanks :)