2

I have a linux machine running as a test server. My box redirects my port like 80 directly on this machine. I created it to train all kind of things (raid, tcp...).

Recently I tried to connect to my machine in VNC and I got an error "too many authentification failures" so I checked logs and I got a frightening surprise; someone is trying to connect to my machine by brute force in VNC. Here is a short extract from this log :

04/01/17 13:53:56 Got connection from client 111.73.46.90
04/01/17 13:53:56 Using protocol version 3.3
04/01/17 13:53:56 Too many authentication failures - client rejected
04/01/17 13:53:56 Client 111.73.46.90 gone
04/01/17 13:53:56 Statistics:
04/01/17 13:53:56   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:53:57 Got connection from client 111.73.46.90
04/01/17 13:53:57 Using protocol version 3.3
04/01/17 13:53:57 Too many authentication failures - client rejected
04/01/17 13:53:57 Client 111.73.46.90 gone
04/01/17 13:53:57 Statistics:
04/01/17 13:53:57   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:54:26 Got connection from client 111.73.46.90
04/01/17 13:54:26 Using protocol version 3.3
04/01/17 13:54:26 Too many authentication failures - client rejected
04/01/17 13:54:26 Client 111.73.46.90 gone
04/01/17 13:54:26 Statistics:
04/01/17 13:54:26   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:07 Got connection from client 111.73.46.90
04/01/17 13:56:07 Using protocol version 3.3
04/01/17 13:56:07 Too many authentication failures - client rejected
04/01/17 13:56:07 Client 111.73.46.90 gone
04/01/17 13:56:07 Statistics:
04/01/17 13:56:07   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:08 Got connection from client 111.73.46.90
04/01/17 13:56:08 Using protocol version 3.3
04/01/17 13:56:08 Too many authentication failures - client rejected
04/01/17 13:56:08 Client 111.73.46.90 gone
04/01/17 13:56:08 Statistics:
04/01/17 13:56:08   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:43 Got connection from client 111.73.46.90
04/01/17 13:56:43 Using protocol version 3.3
04/01/17 13:56:43 Too many authentication failures - client rejected
04/01/17 13:56:43 Client 111.73.46.90 gone
04/01/17 13:56:43 Statistics:
04/01/17 13:56:43   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:57:52 Got connection from client 111.73.46.90
04/01/17 13:57:54 Using protocol version 3.3
04/01/17 13:57:54 Too many authentication failures - client rejected
04/01/17 13:57:54 Client 111.73.46.90 gone
04/01/17 13:57:54 Statistics:
04/01/17 13:57:54   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:59:22 Got connection from client 111.73.46.90
04/01/17 13:59:22 Using protocol version 3.3
04/01/17 13:59:22 Too many authentication failures - client rejected
04/01/17 13:59:22 Client 111.73.46.90 gone
04/01/17 13:59:22 Statistics:
04/01/17 13:59:22   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:01:20 Got connection from client 111.73.46.90
04/01/17 14:01:21 Using protocol version 3.3
04/01/17 14:01:21 Too many authentication failures - client rejected
04/01/17 14:01:21 Client 111.73.46.90 gone
04/01/17 14:01:21 Statistics:
04/01/17 14:01:21   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:03:48 Got connection from client 111.73.46.90
04/01/17 14:03:49 Using protocol version 3.3
04/01/17 14:03:49 Too many authentication failures - client rejected
04/01/17 14:03:49 Client 111.73.46.90 gone
04/01/17 14:03:49 Statistics:
04/01/17 14:03:49   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:06:51 Got connection from client 111.73.46.90
04/01/17 14:06:51 Using protocol version 3.3
04/01/17 14:06:51 Too many authentication failures - client rejected
04/01/17 14:06:51 Client 111.73.46.90 gone
04/01/17 14:06:51 Statistics:
04/01/17 14:06:51   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:10:18 Got connection from client 111.73.46.90
04/01/17 14:10:20 Using protocol version 3.3
04/01/17 14:10:20 Too many authentication failures - client rejected
04/01/17 14:10:20 Client 111.73.46.90 gone
04/01/17 14:10:20 Statistics:
04/01/17 14:10:20   framebuffer updates 0, rectangles 0, bytes 0

It's like that from the 29/12/16 but I think the log file just doesn't save further.

I also checked ssh and I had the same thing :

Jan  3 15:18:00 raspberrypi sshd[24434]: Invalid user alan from 193.248.133.13
Jan  3 16:14:38 raspberrypi sshd[24797]: Invalid user vnc from 46.105.137.2
Jan  3 16:36:33 raspberrypi sshd[24951]: Invalid user user from 107.151.213.61
Jan  3 16:36:46 raspberrypi sshd[24956]: Invalid user user from 107.151.213.61
Jan  3 16:37:01 raspberrypi sshd[24965]: Invalid user admin from 107.151.213.61
Jan  3 16:37:18 raspberrypi sshd[24977]: Invalid user admin from 107.151.213.61
Jan  3 17:00:57 raspberrypi sshd[25128]: Invalid user admin from 182.37.8.7
Jan  3 17:07:48 raspberrypi sshd[25182]: Invalid user admin from 122.191.248.96
Jan  3 17:44:38 raspberrypi sshd[25546]: Invalid user admin from 51.15.59.6
Jan  3 17:44:58 raspberrypi sshd[25584]: Invalid user admin from 51.15.59.6
Jan  3 17:45:01 raspberrypi sshd[25588]: Invalid user guest from 51.15.59.6
Jan  3 17:45:02 raspberrypi sshd[25595]: Invalid user guest from 51.15.59.6
Jan  3 17:45:04 raspberrypi sshd[25599]: Invalid user support from 51.15.59.6
Jan  3 17:45:07 raspberrypi sshd[25603]: Invalid user user from 51.15.59.6
Jan  3 17:45:09 raspberrypi sshd[25607]: Invalid user admin from 51.15.59.6
Jan  3 17:45:16 raspberrypi sshd[25621]: Invalid user admin from 51.15.59.6
Jan  3 17:45:19 raspberrypi sshd[25625]: Invalid user test from 51.15.59.6
Jan  3 17:45:20 raspberrypi sshd[25629]: Invalid user vagrant from 51.15.59.6
Jan  3 17:45:25 raspberrypi sshd[25637]: Invalid user ubnt from 51.15.59.6
Jan  3 17:45:26 raspberrypi sshd[25641]: Invalid user guest from 51.15.59.6
Jan  3 17:45:29 raspberrypi sshd[25645]: Invalid user telnet from 51.15.59.6
Jan  3 17:50:33 raspberrypi sshd[25678]: Invalid user demo from 46.105.137.2
Jan  3 18:06:34 raspberrypi sshd[25853]: Invalid user ubnt from 67.204.49.5
Jan  3 19:10:52 raspberrypi sshd[26321]: Invalid user hello from 193.248.133.13
Jan  3 19:26:44 raspberrypi sshd[26435]: Invalid user ubuntu from 46.105.137.2
Jan  3 21:03:17 raspberrypi sshd[27099]: Invalid user ubuntu from 46.105.137.2
Jan  3 21:18:59 raspberrypi sshd[27236]: Invalid user ubnt from 163.172.233.70
Jan  3 21:19:15 raspberrypi sshd[27244]: Invalid user cusadmin from 163.172.233.70
Jan  3 21:19:38 raspberrypi sshd[27258]: Invalid user ts3 from 163.172.233.70
Jan  3 21:19:45 raspberrypi sshd[27262]: Invalid user tf2 from 163.172.233.70
Jan  3 21:19:53 raspberrypi sshd[27268]: Invalid user css from 163.172.233.70
Jan  3 21:20:00 raspberrypi sshd[27276]: Invalid user gmod from 163.172.233.70
Jan  3 21:20:08 raspberrypi sshd[27283]: Invalid user lgsm from 163.172.233.70
Jan  3 21:20:16 raspberrypi sshd[27287]: Invalid user starbound from 163.172.233.70
Jan  3 22:16:37 raspberrypi sshd[27663]: Invalid user admin from 123.31.34.216
Jan  3 22:16:42 raspberrypi sshd[27667]: Invalid user support from 123.31.34.216
Jan  3 22:40:04 raspberrypi sshd[27858]: Invalid user ubuntu from 46.105.137.2
Jan  3 22:41:51 raspberrypi sshd[27878]: Invalid user usuario from 219.140.230.198
Jan  3 23:15:37 raspberrypi sshd[28149]: Invalid user admin from 205.185.192.157
Jan  3 23:30:59 raspberrypi sshd[28279]: Invalid user admin from 179.233.94.73
Jan  4 00:16:13 raspberrypi sshd[28690]: Invalid user ubuntu from 46.105.137.2
Jan  4 01:50:24 raspberrypi sshd[29339]: Invalid user support from 193.248.133.13
Jan  4 01:52:23 raspberrypi sshd[29360]: Invalid user ubuntu from 46.105.137.2
Jan  4 02:05:31 raspberrypi sshd[29461]: Invalid user a from 213.229.108.216
Jan  4 02:05:40 raspberrypi sshd[29465]: Invalid user oracle from 213.229.108.216
Jan  4 02:30:18 raspberrypi sshd[29638]: Invalid user admin from 185.110.132.202
Jan  4 02:30:55 raspberrypi sshd[29647]: Invalid user tomcat7 from 193.248.133.13
Jan  4 02:42:14 raspberrypi sshd[29726]: Invalid user support from 185.110.132.202
Jan  4 02:48:08 raspberrypi sshd[29771]: Invalid user user from 185.110.132.202
Jan  4 02:53:58 raspberrypi sshd[29814]: Invalid user test from 185.110.132.202
Jan  4 02:59:49 raspberrypi sshd[29863]: Invalid user guest from 185.110.132.202
Jan  4 03:05:49 raspberrypi sshd[29911]: Invalid user anonymous from 185.110.132.202
Jan  4 03:11:35 raspberrypi sshd[29950]: Invalid user reception from 193.248.133.13
Jan  4 03:11:42 raspberrypi sshd[29956]: Invalid user ubnt from 185.110.132.202
Jan  4 03:17:38 raspberrypi sshd[29998]: Invalid user dlink from 185.110.132.202
Jan  4 03:23:25 raspberrypi sshd[30065]: Invalid user admin from 185.110.132.202
Jan  4 03:29:11 raspberrypi sshd[30146]: Invalid user ubuntu from 46.105.137.2
Jan  4 03:29:12 raspberrypi sshd[30150]: Invalid user admin from 185.110.132.202
Jan  4 04:42:36 raspberrypi sshd[30965]: Invalid user admin from 37.78.244.206
Jan  4 05:00:29 raspberrypi sshd[31105]: Invalid user admin from 8.26.21.218
Jan  4 05:00:31 raspberrypi sshd[31109]: Invalid user admin from 8.26.21.218
Jan  4 05:00:34 raspberrypi sshd[31113]: Invalid user test from 8.26.21.218
Jan  4 05:00:37 raspberrypi sshd[31117]: Invalid user guest from 8.26.21.218
Jan  4 05:00:40 raspberrypi sshd[31121]: Invalid user user from 8.26.21.218
Jan  4 05:00:43 raspberrypi sshd[31126]: Invalid user admin from 8.26.21.218
Jan  4 05:00:46 raspberrypi sshd[31130]: Invalid user admin from 8.26.21.218
Jan  4 05:00:52 raspberrypi sshd[31138]: Invalid user ubnt from 8.26.21.218
Jan  4 05:05:30 raspberrypi sshd[31173]: Invalid user ubuntu from 46.105.137.2
Jan  4 05:37:33 raspberrypi sshd[31404]: Invalid user admin from 122.189.192.75
Jan  4 06:29:09 raspberrypi sshd[31863]: Invalid user admin from 193.248.133.13
Jan  4 06:42:03 raspberrypi sshd[31957]: Invalid user ubuntu from 46.105.137.2
Jan  4 07:38:42 raspberrypi sshd[32641]: Invalid user admin from 175.20.94.253
Jan  4 09:17:42 raspberrypi sshd[1875]: Invalid user festival from 202.100.245.12
Jan  4 09:51:57 raspberrypi sshd[2482]: Invalid user admin from 95.30.228.51
Jan  4 09:51:58 raspberrypi sshd[2486]: Invalid user admin from 95.30.228.51
Jan  4 09:55:53 raspberrypi sshd[2562]: Invalid user ubuntu from 46.105.137.2
Jan  4 09:59:22 raspberrypi sshd[2652]: Invalid user ts from 70.35.196.91
Jan  4 10:44:10 raspberrypi sshd[3576]: Invalid user hadoop from 70.35.196.91
Jan  4 10:46:54 raspberrypi sshd[3646]: Invalid user admin from 95.215.60.223
Jan  4 10:46:57 raspberrypi sshd[3654]: Invalid user test from 95.215.60.223
Jan  4 10:47:00 raspberrypi sshd[3658]: Invalid user guest from 95.215.60.223
Jan  4 10:47:02 raspberrypi sshd[3662]: Invalid user user from 95.215.60.223
Jan  4 10:47:05 raspberrypi sshd[3667]: Invalid user admin from 95.215.60.223
Jan  4 10:47:08 raspberrypi sshd[3671]: Invalid user admin from 95.215.60.223
Jan  4 11:28:28 raspberrypi sshd[4525]: Invalid user username from 70.35.196.91
Jan  4 11:32:48 raspberrypi sshd[4605]: Invalid user ubuntu from 46.105.137.2
Jan  4 11:43:17 raspberrypi sshd[4794]: Invalid user xbian from 193.248.133.13
Jan  4 13:09:55 raspberrypi sshd[6034]: Invalid user ubuntu from 46.105.137.2
Jan  4 13:14:49 raspberrypi sshd[6061]: Invalid user admin from 115.239.230.222
Jan  4 13:14:58 raspberrypi sshd[6070]: Invalid user admin from 115.239.230.222
Jan  4 14:09:44 raspberrypi sshd[6937]: Invalid user admin from 218.108.215.128

I checked the ip location with a site (don't know if I can trust results ?) and it's from USA and china. I think he is using a VPN.

What can I do ? I just switched off my machine but I'm looking for a better solution... Can I know who is it ? Can I file a claim ? Or even just stop him from trying to hack me ?

Thanks for your answers.

M. Ozn
  • 123
  • 5
  • 9
    Welcome to the internet. Every system which is accessible over internet seems connection attempts like this after a short time. Keep your system offline to avoid such connections. – deagh Jan 04 '17 at 14:04
  • Do you think it's better to enhance my protection by use random port instead of default port like 22 for ssh ? Is it really helpful ? – M. Ozn Jan 04 '17 at 14:08
  • 3
    No. Even a random port is accessible and therefore you will see such connections. If you feel unconfident with your security please keep the system offline. – deagh Jan 04 '17 at 14:10
  • I usually use a "`ban after repeated fails`" system. Sometimes developed with simple rules using a correlation system (i.e. `SEC - Simple Event Correlator`) on log files, sometimes using `fail2ban`, which is useful for this kind of problems. But as @deagh says, it's just Internet :) – Echoes_86 Jan 04 '17 at 14:13
  • 4
    I highly disagree with @deagh's second reply. Yes, you will still be accessible by anyone who cares to nmap you, but you cut out _a lot_ of the automated port-22 scanners by changing default ssh port. Disable password auth (use ssh keys), and change port, and you will be good enough. – Iskar Jan 04 '17 at 14:14
  • @Iskar changing default port is called "Security through obscurity" (see https://en.wikipedia.org/wiki/Security_through_obscurity). – deagh Jan 04 '17 at 14:16
  • 1
    I would change the port, but restrict with iptable who can connect to it, from where you connect there ? if from work, then just allow your work wan ip – yagmoth555 Jan 04 '17 at 14:20
  • 1
    I would install a system like "ban after a few try" and change defaults ip. But I can't allow just some ip because I usually connect from my phone and it doesn't have a static ip – M. Ozn Jan 04 '17 at 14:33
  • 1
    @deagh Changing the port will at least cut down on your log files. – ceejayoz Jan 04 '17 at 15:04
  • @deagh and what is the problem with that, especially considering with disabling password auth? They aren't running a top-100 site, they aren't going to be a real target for anything other than automated scanners. – Iskar Jan 04 '17 at 15:33
  • Possible duplicate of [How do I know if my Linux server has been hacked?](http://serverfault.com/questions/2783/how-do-i-know-if-my-linux-server-has-been-hacked) – Dennis Nolte Jan 09 '17 at 09:52

2 Answers2

5

First of all, don't panic. Check if any actual login has taken place.

If it has, panic.

If not, everything is still normal. There are many many machines out there trying to use common user/password combinations and security vulnerabilities on every machine they can find, in order to steal data or make the botnet bigger.

As such, login attempts in of itself are not really surprising, just something you have to deal with. So how can you actually make your machine more secure?

Follow hardening best-practices for your software

These vary by software. For SSH the most common things are:

  • disable root login
  • disable keyboard authentication

Every script will try to login with usernames like root, user, guest, backup, monitoring, nagios, icinga, veeam etc. There are lists of common names out there and the scripts just go through them all. A second of googling revealed this, for example. Use a username that is not on your list, like, for example, your actual name.

Using only SSH keys to login also makes brute forcing the password pretty much impossible.

Only expose necessary services to the internet

A service that is not reachable from the internet is not attackable from the internet. If you have a DB server on your machine but only need it internally, there is no reason to expose the port to the outside. If other machines need to reach it via internet, explicitly allow those IPs. In fact, you should drop all traffic by default and only open specifically needed ports, like 80 or 22.

See here for an iptables configuration example: Will using ACCEPT then DROP for a specific port/ip couple allow the ip but nothing else on that port?

Implement rate-limiting

Especially on services you can log into, you should install some form of rate-limiting. If a certain number of unsuccessful login attempts has taken place, that IP should be blocked. The most used software for linux to achieve this is probably fail2ban. It has presets for all kinds of software, and you can simply activate it and have some peace of mind.

Change default ports

This is usually not considered best practice, mostly because it needs to be communicated with the rest of the organization that for example SSH is now port 56298 instead of the well known 22. Open ports can also be detected with port scans. However, automated login attempts on port 22 happen more frequently then port scans. The most simple attack scripts will simply fail if you do this. It does not help against a dedicated attacker.

Community
  • 1
mzhaase
  • 3,798
  • 2
  • 20
  • 32
  • Thanks you very much for this list, I'll follow all of this step. But I don't really understand the ssh keys ? – M. Ozn Jan 04 '17 at 14:43
  • An SSH key is actually two keys, a so called *key-pair*. You generate them using ssh-keygen, and get a private and a public key. By installing the public key into a users .ssh directory, this user can now log in using his private key. These keys should be long, above 2048 bits, probaby even above 4096 bits, and as such are very difficult to crack and more secure than a password. Search for ssh key login and you will find many tutorials on how to do so. – mzhaase Jan 04 '17 at 14:45
  • Thanks I'll check out all of it this tonight because for the moment I switched off the server and I'm not at home – M. Ozn Jan 04 '17 at 14:49
-2

Seems like it is a harmless automated software. If IP doesn't change all time, you can use iptables or use IPS/IDS before your server. Also, you can use this trick for this type of scripts/softwares: change your default service ports. I don't think anything additional.

user393380
  • 1