Archive for the ‘OpenBSD’ Category

ssh brute force is still popular?

This is really old, old, old, old stuff, but it still seems popular these days. Lots of script kiddies are out there, I guess. My auth.log has been harassed, flooded with ssh brute-force attempts.

Just to share the method I have been using for years. There are many ssh brute-force prevention tools out there to choose from, but I still prefer the simple way: PF plus public-key-only ssh access. With PF, it takes just three lines of rules to keep the kiddos out.

table <badguy> persist
block in quick on $ext_if proto tcp from <badguy> to ($ext_if) port 22
pass  in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 \
 keep state (max-src-conn 6, max-src-conn-rate 5/300, overload <badguy> flush global)

* Explanation of the pf rules:

Line #1: create the pf table <badguy>.

Line #2: block connection attempts from hosts in table <badguy> to port 22 (pfctl requires proto tcp here, since port only applies to tcp/udp).

Line #3: allow connections to port 22, limiting each source to 6 simultaneous connections and to a rate of 5 new connections within 300 s, and put the IP of any host that exceeds these limits into the <badguy> table.
max-src-conn: maximum number of simultaneous TCP connections (3-way handshake completed) that a single host can make.
max-src-conn-rate: limit the rate of new connections to a certain number per time interval; in this example 5 connections within 300 seconds.
overload <badguy>: put an offending host's IP address into the "badguy" table.
flush global: kill all states matching this source IP, regardless of which rule created them.

From the auth.log you probably noticed that each source gets at most 5 attempts and then they are gone. That is how effective PF is. You can look up the OpenBSD PF FAQ for more information on the syntax.
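To see how the rate limit in line 3 sorts an auth.log like the one this post describes, here is an added Python script of my own (not part of the original post) that replays sshd log lines against a max-src-conn-rate limit/window policy. It uses an exact sliding window, whereas PF's rate is a moving-average approximation; the sample lines and RFC 5737 addresses are constructed, and the year 2009 is assumed because syslog omits it.

```python
"""Replay sshd auth.log lines against PF's max-src-conn-rate / overload logic (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format sshd uses; hostname as in the post, addresses
# from the RFC 5737 documentation ranges (not real attackers).
SAMPLE_AUTH_LOG = """\
Oct  4 02:13:46 sapphire sshd[95625]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Oct  4 02:13:49 sapphire sshd[95627]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Oct  4 02:13:52 sapphire sshd[95629]: Invalid user admin from 192.0.2.10
Oct  4 02:13:54 sapphire sshd[95631]: Invalid user test from 192.0.2.10
Oct  4 02:13:57 sapphire sshd[95633]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Oct  4 02:14:02 sapphire sshd[95635]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Oct  4 02:14:05 sapphire sshd[95637]: Did not receive identification string from 192.0.2.10
Oct  4 08:02:10 sapphire sshd[1258]: Did not receive identification string from 198.51.100.7
Oct  4 08:10:00 sapphire sshd[1300]: Invalid user oracle from 198.51.100.7
Oct  4 08:20:00 sapphire sshd[1310]: Invalid user oracle from 198.51.100.7
Oct  4 08:30:00 sapphire sshd[1320]: Invalid user oracle from 198.51.100.7
Oct  4 08:40:00 sapphire sshd[1330]: Invalid user oracle from 198.51.100.7
Oct  4 08:50:00 sapphire sshd[1340]: Invalid user oracle from 198.51.100.7
Oct  4 09:00:00 sapphire sshd[1350]: Invalid user oracle from 198.51.100.7
Oct  7 11:02:52 sapphire sshd[1850]: Received signal 15; terminating.
"""

LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)"
                     r"\s+\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$")
SRC_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line, year=2009):
    """Return (timestamp, source_ip, message), or None for lines with no source address
    (e.g. 'Received signal 15; terminating.'). syslog omits the year, so it is a parameter;
    2009 is assumed here because that is the post's date."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = SRC_RE.search(m["msg"])
    if not src:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, src["ip"], m["msg"]


def replay(log_text, limit=5, window=300, year=2009):
    """Simulate 'max-src-conn-rate limit/window, overload <badguy> flush global' on a log
    that was captured without the rule in place.

    Returns (overloaded, blocked): overloaded maps a source to the time its (limit+1)-th
    new connection inside `window` seconds would have tripped the rule; blocked counts the
    later attempts from that source that rule #2 would have dropped before sshd saw them.
    Only the rate limit is modelled: max-src-conn (simultaneous states) cannot be judged
    from log lines, and PF's real rate is a moving-average approximation, not this exact
    sliding window."""
    recent = defaultdict(deque)   # source -> timestamps of new connections inside the window
    overloaded, blocked = {}, defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, src, _msg = parsed
        if src in overloaded:      # already in <badguy>: rule #2 blocks it
            blocked[src] += 1
            continue
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()            # slide the window forward
        q.append(ts)
        if len(q) > limit:
            overloaded[src] = ts
            recent.pop(src)        # 'flush global': existing states from this source die too
    return overloaded, dict(blocked)


if __name__ == "__main__":
    over, blk = replay(SAMPLE_AUTH_LOG)
    for ip, when in over.items():
        print(f"{ip} -> <badguy> at {when}, {blk.get(ip, 0)} later attempt(s) dropped")
```

Running it with the default 5/300 policy lists only the fast source; rerunning with a wider window (e.g. 3600 s) also catches the slow one, which is the knob to turn when an attacker spaces attempts out.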

pfctl is nifty for displaying bad guys in table <badguy>.
# pfctl -T show -t badguy

False alarm? pfctl is still handy. Just remove the IP address from the table.

# pfctl -T delete -t badguy 219.234.93.101

From the logs (with passive OS fingerprinting), 100% of the hosts that have been brute-forcing are running Linux. I'm seriously considering placing this line in pf.conf, and the world will be a peaceful place. :P

block in quick on $ext_if from any os "Linux" to ($ext_if) port 22

Friday, October 9th, 2009

FreeBSD : Inexpensive and simple swap encryption

It has been a while since I put up a post. Here is a short note on swap space encryption with FreeBSD's GEOM geli(8). This feature has been there for quite some time.

Enabling swapspace encryption with geli

Only two files need to be edited: /etc/fstab and /boot/loader.conf. Give your swap partition in /etc/fstab the suffix ".eli" (e.g. ad1s1b.eli) and load the geom_eli kernel module in /boot/loader.conf with geom_eli_load="YES". Your swap space will be encrypted on the next reboot.

Alternatively, you can enable it without reboot with the steps below.

# swapoff /dev/ad0s1b

# kldload geom_eli

# geli onetime -e blowfish -l 128 -s 4096 -d ad0s1b

# swapon /dev/ad0s1b.eli

Note: refer to the geli(8) manpage for more algorithm options. I used Blowfish in the example above.

Verifying if swap space encryption is enabled

# dmesg | grep GEOM_ELI

GEOM_ELI: Device ad0s1b.eli created.
GEOM_ELI: Encryption: Blowfish-CBC 128
GEOM_ELI: Crypto: software

# geli list
Geom name: ad0s1b.eli
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 128
Crypto: software
Flags: ONETIME, W-DETACH, W-OPEN
Providers:
1. Name: ad0s1b.eli
Mediasize: 2147483648 (2.0G)
Sectorsize: 4096
Mode: r1w1e0
Consumers:
1. Name: ad0s1b
Mediasize: 2147483648 (2.0G)
Sectorsize: 512
Mode: r1w1e1

Back in 2003, I used OpenBSD's sysctl -w vm.swapencrypt.enable=1, or vm.swapencrypt.enable=1 in /etc/sysctl.conf, for swap space encryption, and this was made the default on OpenBSD 4.3. Compared to the FreeBSD implementation, OpenBSD's method is simpler. However, FreeBSD's GEOM geli(8) and gbde(8) offer more than just swap space encryption: they can encrypt whole disk partitions.

More info can be found in the excellent FreeBSD handbook.

http://www.freebsd.org/doc/en/books/handbook/swap-encrypting.html

My usage has not reached the level that requires high confidentiality on storage. Perhaps I will set up an encrypted file system on my portable hard disk for porn next time. :-P

Wednesday, July 30th, 2008

Custom OpenBSD 4.2 bootable CD


With the release of OpenBSD 4.2, you will find that cdrom42.fs is not provided on the official OpenBSD ftp sites. However, it is relatively easy to build your own OpenBSD 4.2 bootable installer CD. I will show you the steps to make your own puffer fish El Torito. :-D

CREATE CD STRUCTURE
Create the OpenBSD bootable CD structure with this command:

%mkdir -p ~/OpenBSD/4.2/i386

DOWNLOAD OPENBSD FILES
Use ncftp or wget to download the necessary files off the OpenBSD ftp site.

%cd ~/OpenBSD/4.2/i386 && ncftp ftp://ftp.jp.openbsd.org/pub/OpenBSD/4.2/i386
ncftp /OpenBSD/4.2/i386 > get *

Note: install42.iso is a bootable OpenBSD installer by itself. You should exclude that file.

CREATE CDROM42.FS
As this file is absent, cdrom42.fs has to be created in order to make a bootable OpenBSD iso. Bootable "El Torito" CD-ROMs usually use a boot loader, which boots a disk image located inside the ISO 9660 filesystem. cdrom42.fs is the file that contains both the boot loader and the disk image. Not to worry, it is trivial.

Thanks to Rainer Krienke for creating a nice El Torito boot image extractor in Perl, called "geteltorito". Grab a copy, make it executable and extract the El Torito boot image from cdemu42.iso with this simple command.

%geteltorito cdemu42.iso > cdrom42.fs
Booting catalog starts at sector: 29
Manufacturer of CD: Copyright (c) 2007 Theo
Image architecture: x86
Boot media type is: 2.88meg floppy
El Torito image starts at sector 30 and has 5760 sector(s) of 512 Bytes
Image has been written to stdout ....
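To show what geteltorito is doing with cdemu42.iso, here is an added Python extractor of my own (not Rainer Krienke's script and not from the post) that walks the same structures: the boot record volume descriptor at sector 17, the catalog's validation entry and checksum, and the default entry's media type and load address. build_sample_iso is a constructed fixture so the code runs offline; its catalog sector 29 and image sector 30 mirror the output above, but the bytes are made up.

```python
"""Minimal El Torito boot-image extractor in the spirit of geteltorito (added example)."""
import struct

SECTOR = 2048                  # ISO 9660 logical sector size
BOOT_RECORD_SECTOR = 17        # the Boot Record Volume Descriptor always sits at sector 17
PLATFORMS = {0: "x86", 1: "PowerPC", 2: "Mac"}
# Floppy-emulation images have a fixed size in 512-byte sectors (2.88M = 5760, as in the post);
# "no emulation" images carry their own sector count in the catalog entry.
MEDIA = {0: ("no emulation", None), 1: ("1.2meg floppy", 2400),
         2: ("1.44meg floppy", 2880), 3: ("2.88meg floppy", 5760)}


def checksum_ok(validation_entry):
    """All sixteen little-endian 16-bit words of the validation entry must sum to 0 mod 2**16."""
    return sum(struct.unpack("<16H", validation_entry)) % 0x10000 == 0


def parse_boot_image(iso):
    """Locate the boot catalog via the boot record, validate it, and return the default
    boot entry's metadata plus the raw image bytes (what geteltorito writes to stdout)."""
    brvd = iso[BOOT_RECORD_SECTOR * SECTOR:(BOOT_RECORD_SECTOR + 1) * SECTOR]
    if brvd[0:7] != b"\x00CD001\x01" or brvd[7:39].rstrip(b"\x00") != b"EL TORITO SPECIFICATION":
        raise ValueError("no El Torito boot record at sector 17")
    cat_sector = struct.unpack_from("<I", brvd, 71)[0]   # absolute pointer to the catalog
    cat = iso[cat_sector * SECTOR:cat_sector * SECTOR + 64]
    val, default = cat[:32], cat[32:64]
    if val[0] != 0x01 or val[30:32] != b"\x55\xaa" or not checksum_ok(val):
        raise ValueError("corrupt boot catalog validation entry")
    if default[0] != 0x88:
        raise ValueError("default boot entry is not marked bootable")
    if default[1] not in MEDIA:
        raise ValueError(f"unsupported media type {default[1]} (hard-disk emulation not handled)")
    media_name, fixed = MEDIA[default[1]]
    count = fixed if fixed is not None else struct.unpack_from("<H", default, 6)[0]
    rba = struct.unpack_from("<I", default, 8)[0]          # load RBA, in 2048-byte sectors
    image = iso[rba * SECTOR:rba * SECTOR + count * 512]
    if len(image) != count * 512:
        raise ValueError("boot image runs past the end of the ISO")
    return {"manufacturer": val[4:28].rstrip(b"\x00").decode("ascii", "replace"),
            "platform": PLATFORMS.get(val[1], f"unknown({val[1]})"),
            "media": media_name, "catalog_sector": cat_sector,
            "image_sector": rba, "sectors": count, "image": image}


def build_sample_iso(image, media=0, catalog_sector=29, manufacturer=b"constructed sample"):
    """Constructed test fixture: a fake ISO containing only the structures the extractor
    reads (boot record, catalog, image). Not a real OpenBSD image."""
    if len(image) % 512:
        raise ValueError("image must be a whole number of 512-byte sectors")
    fixed = MEDIA[media][1]
    if fixed is not None and len(image) != fixed * 512:
        raise ValueError("floppy-emulation image has the wrong size")
    rba = catalog_sector + 1                     # image placed right after the catalog
    iso = bytearray(rba * SECTOR + len(image))
    brvd = memoryview(iso)[BOOT_RECORD_SECTOR * SECTOR:]
    brvd[0:7] = b"\x00CD001\x01"
    brvd[7:30] = b"EL TORITO SPECIFICATION"
    struct.pack_into("<I", brvd, 71, catalog_sector)
    val = bytearray(32)
    val[0], val[1] = 0x01, 0x00                  # header id, platform x86
    val[4:28] = manufacturer.ljust(24, b"\x00")
    val[30:32] = b"\x55\xaa"
    struct.pack_into("<H", val, 28, (-sum(struct.unpack("<16H", val))) & 0xFFFF)
    default = bytearray(32)
    default[0], default[1] = 0x88, media         # bootable, media type
    struct.pack_into("<HI", default, 6, len(image) // 512, rba)
    iso[catalog_sector * SECTOR:catalog_sector * SECTOR + 64] = val + default
    iso[rba * SECTOR:] = image
    return bytes(iso)


if __name__ == "__main__":
    info = parse_boot_image(build_sample_iso(bytes(range(256)) * 8))
    print({k: v for k, v in info.items() if k != "image"})
```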

CUSTOMIZATION
You can add whatever files you want included; just copy them to ~/OpenBSD/. I normally put in stuff like ports.tar.gz, src.tar.gz and sys.tar.gz.

CREATE OPENBSD BOOTABLE INSTALLER CD
mkisofs comes in handy for creating our bootable CD. Just issue this command and wait for the image to be generated.

%cd ~/OpenBSD && mkisofs -vrTJV "OpenBSD 4.2" -b 4.2/i386/cdrom42.fs -c boot.catalog \
    -o OpenBSD42.iso ~/OpenBSD/

Now you will have OpenBSD42.iso. Burn it to a blank CD-R and voila! Do support the OpenBSD project: buy a CD or T-shirt. They look really cool!!

Tuesday, November 6th, 2007