Every day people try to hack in with SSH.



  • My firewall log report every day shows different IPs coming and trying to SSH into my pfSense. I wonder why this could happen and really want to know how to prevent it. Also, is there a way to block or blacklist them? Or might I even try to hack back at them hahaha :)

    Some of it:

    Apr 11 23:22:16 sshd[19980]: Failed password for invalid user boryce from 58.211.5.179 port 40799 ssh2
    Apr 11 23:22:16 sshd[19980]: Invalid user boryce from 58.211.5.179
    Apr 11 23:22:16 sshd[19978]: Failed password for invalid user cwc from 58.211.5.179 port 40724 ssh2
    Apr 11 23:22:16 sshd[19978]: Invalid user cwc from 58.211.5.179
    Apr 11 23:22:15 sshd[19976]: Failed password for invalid user test from 58.211.5.179 port 40662 ssh2
    Apr 11 23:22:15 sshd[19976]: Invalid user test from 58.211.5.179
    Apr 11 23:22:14 sshd[19974]: Failed password for invalid user oracle from 58.211.5.179 port 40569 ssh2
    Apr 11 23:22:14 sshd[19974]: Invalid user oracle from 58.211.5.179
    Apr 12 00:26:17 sshd[27178]: Failed password for root from 211.147.224.157 port 57292 ssh2
    Apr 12 00:26:16 sshd[27167]: Failed password for root from 211.147.224.157 port 57207 ssh2
    Apr 12 00:26:15 sshd[27165]: Failed password for root from 211.147.224.157 port 57131 ssh2
    Apr 12 00:26:15 sshd[27163]: Failed password for root from 211.147.224.157 port 57063 ssh2
    Apr 12 00:26:14 sshd[27161]: Failed password for root from 211.147.224.157 port 56988 ssh2
    Apr 12 00:26:14 sshd[27159]: Failed password for root from 211.147.224.157 port 56935 ssh2
    Apr 12 00:26:13 sshd[27155]: Failed password for root from 211.147.224.157 port 56875 ssh2
    Apr 12 00:26:13 sshd[27152]: Failed password for root from 211.147.224.157 port 56821 ssh2
    Apr 12 00:26:12 sshd[27137]: Failed password for root from 211.147.224.157 port 56762 ssh2
    Apr 12 00:26:12 sshd[27083]: Failed password for root from 211.147.224.157 port 56699 ssh2
    Apr 12 00:26:11 sshd[27081]: Failed password for root from 211.147.224.157 port 56637 ssh2
    Apr 12 02:39:18 sshd[41188]: Failed keyboard-interactive/pam for root from 41.234.132.159 port 4470 ssh2
    Apr 12 02:39:18 sshd[41188]: error: PAM: authentication error for root from 41.234.132.159
    Apr 12 02:39:16 sshd[41188]: Failed keyboard-interactive/pam for root from 41.234.132.159 port 4470 ssh2
    Apr 12 02:39:16 sshd[41188]: error: PAM: authentication error for root from 41.234.132.159
    Apr 12 02:39:15 sshd[41188]: Failed keyboard-interactive/pam for root from 41.234.132.159 port 4470 ssh2
    Apr 12 02:39:15 sshd[41188]: error: PAM: authentication error for root from 41.234.132.159
    Apr 12 02:39:15 sshd[41188]: error: PAM: authentication error for root from 41.234.132.159
    Apr 12 02:39:14 sshd[41185]: Failed keyboard-interactive/pam for root from 41.234.132.159 port 4428 ssh2
    Apr 12 02:39:14 sshd[41185]: error: PAM: authentication error for root from 41.234.132.159
    Apr 12 02:39:14 sshd[41185]: error: PAM: authentication error for root from 41.234.132.159
    Apr 12 02:39:13 sshd[41188]: Failed keyboard-interactive/pam for root from 41.234.132.159 port 4470 ssh2
    Apr 12 02:39:13 sshd[41188]: error: PAM: authentication error for root from 41.234.132.159



  • I get tons of SSH hack attempts on my pfSense box and my Linux server as well.  Most of the attacks come from zombie computers that are part of a botnet. There are a few things you can do to prevent them.

    1. Change the default SSH port - this will confuse most of the bots that look on port 22
    2. Set up key-based authentication - this may not be feasible

    I find it to be much more fun to blacklist the attackers and report them to their ISP.

    If you want to go this route you can install DenyHosts; pfSense 1.2.3 has a package for it, 2.0 does not yet, although it can be set up manually if you have a bit of experience.  DenyHosts will look through your logs for these failed logins and add an entry for the attacker to /etc/hosts.deny, blocking further attempts.

    There is a plugin for DenyHosts called report-hack-isp that will automatically send a report with log excerpts to the owner of the IP address.  I receive quite a few responses back from the ISPs letting me know they resolved the infected computer.

    These links might be useful:
    http://denyhosts.sourceforge.net/
    http://hubpages.com/hub/How-to-prevent-SSH-brute-force-attacks-using-DenyHosts
    https://github.com/nazar/report-hack-isp
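    The detection step skear describes, as an added example (not code from the thread, from DenyHosts or from pfSense's sshlockout): scan sshd failure lines of the two forms quoted in the first post, count failures per source address, and emit DenyHosts-style /etc/hosts.deny entries once a source crosses a threshold. The sample lines are constructed here from the post's excerpt, and the threshold of 5 is an assumed value, not a DenyHosts default.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the sshd lines quoted in the first post.
SAMPLE_LOG = """\
Apr 11 23:22:16 sshd[19980]: Failed password for invalid user boryce from 58.211.5.179 port 40799 ssh2
Apr 11 23:22:16 sshd[19980]: Invalid user boryce from 58.211.5.179
Apr 11 23:22:16 sshd[19978]: Failed password for invalid user cwc from 58.211.5.179 port 40724 ssh2
Apr 11 23:22:15 sshd[19976]: Failed password for invalid user test from 58.211.5.179 port 40662 ssh2
Apr 12 00:26:17 sshd[27178]: Failed password for root from 211.147.224.157 port 57292 ssh2
Apr 12 00:26:16 sshd[27167]: Failed password for root from 211.147.224.157 port 57207 ssh2
Apr 12 00:26:15 sshd[27165]: Failed password for root from 211.147.224.157 port 57131 ssh2
Apr 12 00:26:15 sshd[27163]: Failed password for root from 211.147.224.157 port 57063 ssh2
Apr 12 00:26:14 sshd[27161]: Failed password for root from 211.147.224.157 port 56988 ssh2
Apr 12 02:39:18 sshd[41188]: Failed keyboard-interactive/pam for root from 41.234.132.159 port 4470 ssh2
Apr 12 02:39:18 sshd[41188]: error: PAM: authentication error for root from 41.234.132.159
Apr 12 02:39:16 sshd[41188]: Failed keyboard-interactive/pam for root from 41.234.132.159 port 4470 ssh2
""".splitlines()

# Matches both failure forms in the excerpt. The companion "Invalid user" and
# "error: PAM" lines describe the same attempt, so they are deliberately not counted.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|keyboard-interactive/pam) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(lines):
    """Yield (ip, user, invalid_user) for each failed-login line; skip the rest."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None

def offenders(lines, threshold=5):
    """Sources with at least `threshold` failures (the DenyHosts/sshlockout idea)."""
    counts = Counter(ip for ip, _, _ in parse_failures(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def hosts_deny_entries(lines, threshold=5):
    """DenyHosts-style lines for /etc/hosts.deny, one per blocked source."""
    return [f"sshd: {ip}" for ip in sorted(offenders(lines, threshold))]

def users_tried(lines):
    """Usernames each source tried: separates dictionary scans from root hammering."""
    seen = defaultdict(set)
    for ip, user, _ in parse_failures(lines):
        seen[ip].add(user)
    return {ip: sorted(u) for ip, u in seen.items()}
```

    Lowering the threshold catches the slower dictionary scan of non-existent accounts as well, at the cost of more false positives from people mistyping their own password.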


  • Rebel Alliance Developer Netgate

    And the best option: don't expose your SSH port to the world.

    Both 1 and 2 of skear's suggestions are good, but if your SSH port isn't open to the world, then you don't need other protections (but they don't hurt).

    On 2.0 sshlockout will block hosts that have repeated failed login attempts, no need for something extra like DenyHosts.



  • :D Thanks guys. The pfSense forum is great. I will only open 22 while I need it, via the web GUI by public IP. Is it safer?



  • @skear:

    I get tons of SSH hack attempts on my pfSense box and my Linux server as well.  Most of the attacks come from zombie computers that are part of a botnet. There are a few things you can do to prevent them.

    1. Change the default SSH port - this will confuse most of the bots that look on port 22
    2. Set up key-based authentication - this may not be feasible

    I find it to be much more fun to blacklist the attackers and report them to their ISP.

    If you want to go this route you can install DenyHosts; pfSense 1.2.3 has a package for it, 2.0 does not yet, although it can be set up manually if you have a bit of experience.  DenyHosts will look through your logs for these failed logins and add an entry for the attacker to /etc/hosts.deny, blocking further attempts.

    There is a plugin for DenyHosts called report-hack-isp that will automatically send a report with log excerpts to the owner of the IP address.  I receive quite a few responses back from the ISPs letting me know they resolved the infected computer.

    These links might be useful:
    http://denyhosts.sourceforge.net/
    http://hubpages.com/hub/How-to-prevent-SSH-brute-force-attacks-using-DenyHosts
    https://github.com/nazar/report-hack-isp

    Interesting.  I've been using Snort to block attacks on my system.  I'll have to check out DenyHosts.



  • @novex:

    :D Thanks guys. The pfSense forum is great. I will only open 22 while I need it, via the web GUI by public IP. Is it safer?

    No, because if you cannot access the web interface you will not be able to open the SSH port.
    Use a non-default port for SSH, for example 8022!



  • Non-default ports do not add security.  Do not expose SSH; if you must, limit the IP addresses which can access it and use key-based authentication instead of password-based authentication.



  • Of course a non-standard port adds security.  How much is a debatable question, but I know from my own experience (and others) that we see far fewer attempts on non-standard ports than the standard port 22.



  • It adds obscurity, not security. That it stops the automated tools is certainly convenient though ;)



  • Well, now we're quibbling about the definition of security :)  I don't see this any different from having a harder to guess password - something everyone says "adds security".



  • I always use certificate based authentication on my ssh servers. I've never had to worry about a brute-force attack as a result.



  • @danswartz:

    Of course a non-standard port adds security.  How much is a debatable question, but I know from my own experience (and others) that we see far fewer attempts on non-standard ports than the standard port 22.

    You're talking about security theater instead of security.  Having SSH on a non-standard port doesn't protect against service scanning, it just limits the number of robot scanners trying to guess bad passwords.  If you are running a vulnerable sshd, or you have bad passwords in place, running SSH on a non-standard port isn't going to protect you.



  • I think we have to agree to disagree here.  As far as weak passwords or an exploitable sshd go, nice strawman - I never said otherwise.  Again, if you have to try 20000 different ports * N different passwords, this is several orders of magnitude more difficult than hitting one well-known port.  By your logic, having a longer password with mixed case, etc., is just security theater?  If not, please explain more clearly why one is good and the other theater.



  • In real world terms:

    • Moving your SSH port is like moving where the lock on the door is - it'll stop dumb automated attacks but nothing more

    • Picking a strong password is like picking a strong lock - it makes it harder for every attacker

    That's not to say that there isn't a slight gain from moving the port (I do it myself to cut down the noise in my logs), but it isn't really security in any meaningful sense.



  • Well, all I can say is if it only really helps against dumb automated scanners, that is the great preponderance of threats to SSH (I say this not just from personal experience, but from a wide range of people I've talked to, who monitor any attempts to hack their systems).



  • Which is the point of our argument.  Automated scanners trying to guess obvious passwords are already defeated either by using good password security, ACLs or key-based authentication.  Changing the default port adds no additional security.



  • Okay, I see your point.  I was looking at it from the PoV of someone's home network trying to figure out how to reduce threats, but yeah, you have a point.


  • Rebel Alliance Developer Netgate

    Changing to an alternate port does help cut down on log spam though, and if your logs are more relevant it's easier to spot a potential security issue or targeted breach when you don't have to sort through a bazillion automated attacks.

