ssh brute force is still popular?
This is really old old old old stuff. But it still seems popular these days. Lots of script kiddies are out there I guess. My auth.log was harassed, flooded with ssh brute-force attacks.
Just to share the method I have been using for years. There are many ssh brute-force attack prevention tools out there to choose from. But I still prefer the simple way: PF plus ssh pubkey for ssh access. With PF, it takes just 3 simple lines of rules to keep the kiddos out.
table <badguy> persist
block in quick on $ext_if from <badguy> to ($ext_if) port 22
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    keep state (max-src-conn 6, max-src-conn-rate 5/300, overload <badguy> flush global)
* Explanation of the pf rules:
Line #1 – Create pf table <badguy>
Line #2 – block connection attempt from hosts in table <badguy> to port 22
Line #3 – Allow connections to port 22, limiting each source to 6 simultaneous connections and to 5 new connections within 300s. Place the offending host's IP in the <badguy> table.
max-src-conn – maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make
max-src-conn-rate – Limit the rate of new connections to a certain amount per time interval. In this example 5 connections within 300 seconds
overload <badguy> – Put an offending host’s IP address into the “badguy” table.
flush global – Kill all states matching this source IP.
In the auth.log, each host makes a maximum of 5 attempts and then it is gone. That is how effective PF is. You can look up the OpenBSD PF FAQ for more information on the syntax.
pfctl is nifty for displaying bad guys in table <badguy>.
# pfctl -T show -t badguy
12.47.107.4 60.54.54.62 91.199.58.35 122.160.240.133 122.200.82.181 122.224.69.38 190.24.138.77 200.35.146.176 202.166.200.106 203.116.198.165 203.200.81.104 218.246.196.3 219.234.93.101
False alarm? pfctl is still handy. Just remove the IP address from the table.
# pfctl -T delete -t badguy 219.234.93.101
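An added example (not from the original post): a Python script that replays sshd log lines against the max-src-conn-rate 5/300 threshold, to show which sources would land in <badguy>, including a legitimate host that becomes a false alarm. It approximates PF's rate counter with a sliding window and does not model max-src-conn. The log lines are constructed with documentation-range IPs, and the function names, the 120-second same-connection heuristic and the default year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the post's sshd log format (documentation-range IPs).
SAMPLE_LOG = """\
Oct  9 12:00:00 host sshd[1001]: Did not receive identification string from 192.0.2.10
Oct  9 12:03:01 host sshd[1010]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Oct  9 12:03:04 host sshd[1012]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Oct  9 12:03:07 host sshd[1014]: Invalid user admin from 192.0.2.10
Oct  9 12:03:08 host sshd[1014]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Oct  9 12:03:10 host sshd[1016]: Invalid user test from 192.0.2.10
Oct  9 12:03:13 host sshd[1018]: Invalid user oracle from 192.0.2.10
Oct  9 13:00:00 host sshd[2001]: Invalid user oracle from 198.51.100.20
Oct  9 13:00:03 host sshd[2003]: Invalid user oracle from 198.51.100.20
Oct  9 13:00:06 host sshd[2005]: Invalid user oracle from 198.51.100.20
Oct  9 13:00:09 host sshd[2007]: Invalid user oracle from 198.51.100.20
Oct  9 14:00:00 host sshd[3001]: Accepted publickey for deploy from 203.0.113.30 port 50001 ssh2
Oct  9 14:00:10 host sshd[3003]: Accepted publickey for deploy from 203.0.113.30 port 50002 ssh2
Oct  9 14:00:20 host sshd[3005]: Accepted publickey for deploy from 203.0.113.30 port 50003 ssh2
Oct  9 14:00:30 host sshd[3007]: Accepted publickey for deploy from 203.0.113.30 port 50004 ssh2
Oct  9 14:00:40 host sshd[3009]: Accepted publickey for deploy from 203.0.113.30 port 50005 ssh2
Oct  9 14:00:50 host sshd[3011]: Accepted publickey for deploy from 203.0.113.30 port 50006 ssh2
"""

# Any sshd message that names a peer: "<ts> <host> sshd[<pid>]: ... from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r".* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)
SAME_CONN_SECS = 120  # assumption: sshd's default LoginGraceTime bounds one pre-auth session


def parse_connections(text, year=2009):
    """Return {ip: [connection times]}, counting each sshd PID once per source."""
    last_seen = {}
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year; supply one so the timestamp parses unambiguously
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["pid"])
        prev = last_seen.get(key)
        last_seen[key] = ts
        if prev is not None and (ts - prev).total_seconds() < SAME_CONN_SECS:
            continue  # second log line of a connection already counted
        conns[m["ip"]].append(ts)
    return dict(conns)


def simulate_overload(conns, max_rate=5, window=300):
    """Return {ip: time of the connection that exceeds max_rate within window seconds}."""
    tripped = {}
    for ip, times in conns.items():
        recent = deque()
        for ts in sorted(times):
            while recent and (ts - recent[0]).total_seconds() >= window:
                recent.popleft()
            recent.append(ts)
            if len(recent) > max_rate:  # the 6th connection inside 300 s
                tripped[ip] = ts
                break
    return tripped


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    tripped = simulate_overload(conns)
    for ip, times in conns.items():
        print(ip, len(times), "connections,", "overloaded at" if ip in tripped else "under limit", tripped.get(ip, ""))
```

The rule counts connections rather than failed logins, so the host with six successful publickey logins inside a minute is overloaded as well; that is the case the pfctl -T delete command above cleans up.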
From logging (with passive OS detection), it showed that 100% of the hosts that have been brute-forcing are running Linux. I’m seriously considering placing this line in pf.conf and the world will be a peaceful place.
block in quick on $ext_if from any os "Linux" to ($ext_if) port 22
Friday, October 9th, 2009



