  1. #1
    Member Vatoloco's Avatar
    Join Date
    Jun 2004
    Posts
    100

    Anyone getting a lot of brute force attacks against their server?

    Almost everyday I'll have something like what is below in my log files. It's never coming from the same IP, but the types of names it tries to login with are always similar.

    I'm thinking maybe it's a trojan that these machines are infected with? Just wondering if anyone else is experiencing it or if someone is coming after me specifically.


    Failed logins from these:
    account/password from 67.18.220.130: 1 Time(s)
    adam/password from 67.18.220.130: 1 Time(s)
    adm/password from 67.18.220.130: 2 Time(s)
    alan/password from 67.18.220.130: 1 Time(s)
    apache/password from 67.18.220.130: 1 Time(s)
    backup/password from 67.18.220.130: 1 Time(s)
    cip51/password from 67.18.220.130: 1 Time(s)
    cip52/password from 67.18.220.130: 1 Time(s)
    cosmin/password from 67.18.220.130: 1 Time(s)
    cyrus/password from 67.18.220.130: 1 Time(s)
    data/password from 67.18.220.130: 1 Time(s)
    frank/password from 67.18.220.130: 1 Time(s)
    george/password from 67.18.220.130: 1 Time(s)
    henry/password from 67.18.220.130: 1 Time(s)
    horde/password from 67.18.220.130: 1 Time(s)
    iceuser/password from 67.18.220.130: 1 Time(s)
    irc/password from 67.18.220.130: 2 Time(s)
    jane/password from 67.18.220.130: 1 Time(s)
    john/password from 67.18.220.130: 1 Time(s)
    master/password from 67.18.220.130: 1 Time(s)
    matt/password from 67.18.220.130: 1 Time(s)
    mysql/password from 67.18.220.130: 1 Time(s)
    nobody/password from 67.18.220.130: 1 Time(s)
    noc/password from 67.18.220.130: 1 Time(s)
    operator/password from 67.18.220.130: 1 Time(s)
    oracle/password from 67.18.220.130: 1 Time(s)
    pamela/password from 67.18.220.130: 1 Time(s)
    patrick/password from 67.18.220.130: 2 Time(s)
    rolo/password from 67.18.220.130: 1 Time(s)
    root/password from 67.18.220.130: 59 Time(s)
    server/password from 67.18.220.130: 1 Time(s)
    sybase/password from 67.18.220.130: 1 Time(s)
    test/password from 67.18.220.130: 5 Time(s)
    user/password from 67.18.220.130: 3 Time(s)
    web/password from 67.18.220.130: 2 Time(s)
    webmaster/password from 67.18.220.130: 1 Time(s)
    www-data/password from 67.18.220.130: 1 Time(s)
    www/password from 67.18.220.130: 1 Time(s)
    wwwrun/password from 67.18.220.130: 1 Time(s)
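
The excerpt above is a logwatch-style summary, so the first useful defensive step is to parse it and look at the shape of the activity per source: how many distinct usernames were tried and how many of them are service or default accounts. The following is an added example, not code from the thread; the sample lines, the IP addresses (documentation ranges) and the service-account list are constructed for illustration, and the classification thresholds are assumptions.

```python
import re

# Constructed sample in the same summary format as the post's excerpt.
# Addresses are from documentation ranges, counts are made up.
SAMPLE_SUMMARY = """\
Failed logins from these:
adm/password from 192.0.2.10: 2 Time(s)
apache/password from 192.0.2.10: 1 Time(s)
mysql/password from 192.0.2.10: 1 Time(s)
root/password from 192.0.2.10: 59 Time(s)
test/password from 192.0.2.10: 5 Time(s)
alice/password from 198.51.100.7: 3 Time(s)
"""

# One summary line: "<user>/password from <ip>: <n> Time(s)"
LINE_RE = re.compile(
    r"^(?P<user>[^/\s]+)/password from (?P<ip>[\d.]+): (?P<n>\d+) Time\(s\)$"
)

# Accounts that rarely belong to an interactive human and that automated
# sweeps try by habit. Assumed list, based on the names in the post's excerpt.
SERVICE_ACCOUNTS = {
    "adm", "apache", "backup", "cyrus", "mysql", "nobody", "operator",
    "oracle", "sybase", "www-data", "www", "wwwrun", "test", "user", "root",
}


def parse_summary(text):
    """Return a list of (user, source_ip, attempts) from summary text.

    Lines that do not match the expected format (the header, blanks) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["user"], m["ip"], int(m["n"])))
    return events


def summarize_by_source(events):
    """Aggregate attempts, distinct usernames and root attempts per source IP."""
    per_ip = {}
    for user, ip, n in events:
        entry = per_ip.setdefault(
            ip, {"attempts": 0, "users": set(), "root_attempts": 0}
        )
        entry["attempts"] += n
        entry["users"].add(user)
        if user == "root":
            entry["root_attempts"] += n
    return per_ip


def classify(entry, min_users=4):
    """Heuristic label for one source.

    Many distinct usernames, most of them service accounts, looks like an
    automated dictionary sweep rather than someone after this host in
    particular. A single account hammered many times is persistent guessing.
    """
    users = entry["users"]
    service_hits = len(users & SERVICE_ACCOUNTS)
    if len(users) >= min_users and service_hits / len(users) >= 0.5:
        return "automated sweep"
    if entry["attempts"] >= 10:
        return "persistent single-account guessing"
    return "low volume"


def report(text):
    """Map each source IP to its label, sorted by total attempts (descending)."""
    per_ip = summarize_by_source(parse_summary(text))
    return {
        ip: (entry["attempts"], len(entry["users"]), classify(entry))
        for ip, entry in sorted(
            per_ip.items(), key=lambda kv: kv[1]["attempts"], reverse=True
        )
    }


if __name__ == "__main__":
    for ip, (attempts, n_users, label) in report(SAMPLE_SUMMARY).items():
        print(f"{ip}: {attempts} attempts across {n_users} usernames -> {label}")
```

The same parser works on a whole day's summary; sorting by attempts puts the noisiest source first, and the label tells you at a glance whether it looks like the untargeted sweep described later in the thread or something that deserves a closer look.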

  2. #2
    Member
    Join Date
    Nov 2004
    Location
    The Third Rock from The Sun!
    Posts
    67


    Hi,

    This is not a sign that your server is infected, but probably theirs. It can also be a hacker doing brute force attacks in order to gain access to your box. I would recommend you to install APF (http://www.rfxnetworks.com/apf.php) in conjunction with BSD (http://www.rfxnetworks.com/bsd.php) to protect yourself against them.

    Do a search in this forum, since there are several threads regarding this subject.

    Best regards,
    Juan Carlos Donoso
    Vice-Manager TechDream.Net
    http://www.techdream.net/

  3. #3
    Member
    Join Date
    Dec 2004
    Posts
    9


    Hey there, I was getting a lot of those, so all I did was change my SSH port to something else, and since then I've had no probs, although all they need to do is a port scan to get that new port, mind you.
    Owner and Operator of
    CanadaColo

  4. #4
    Member
    Join Date
    Oct 2004
    Posts
    103

    Just another thought

    Hey, one thing that I have done that stopped every single one of those attacks is to set aside 2 or 3 IPs that you will never use for anything else.
    Assign one to SSH (even on the standard port 22) and only run SSH on that IP. I have not had a single brute force on SSH since I did it...
    Oh and if you desire every so often you can rotate the IP of SSH.

    Works wonders

  5. #5
    Member
    Join Date
    Jan 2004
    Posts
    123


    Quote Originally Posted by Vatoloco
    Just wondering if anyone else is experiencing it or if someone is coming after me specifically.
    It's just a worm that spreads via weak accounts over ssh - pretty much anyone running anything connected to the net will get hit by this at least every once in a while. I see two to three unique sources a day.

  6. #6
    Member Alexandre Duran's Avatar
    Join Date
    May 2003
    Location
    Rio de Janeiro - BRAZIL
    Posts
    59


    See this (it is a great how-to) : http://forums.cpanel.net/showthread....hlight=APF+BFD

  7. #7
    Member
    Join Date
    Mar 2004
    Location
    Ayr, North Queensland, Australia
    Posts
    328


    I used to get around 15 emails from APF per day from bruteforce attacks on the old box.

    Regards,
    Brent

  8. #8
    Member Vatoloco's Avatar
    Join Date
    Jun 2004
    Posts
    100


    Thanks for all the suggestions. I set up an IP just for SSH and changed the port and, so far, no more entries like that in the logs!

  9. #9
    Member ntwaddel's Avatar
    Join Date
    Nov 2003
    Location
    Templeton, CA
    Posts
    173


    I've been getting tons!

  10. #10
    Member
    Join Date
    Sep 2004
    Location
    U.K.
    Posts
    265


    I used to get 4-5 emails for 2 days before I changed the port and IP.

  11. #11
    Member
    Join Date
    Jan 2004
    Posts
    123


    Changing the port will be more than enough on its own; there's no need to use an IP just for SSH.

  12. #12
    Member
    Join Date
    Sep 2004
    Posts
    529


    Quote Originally Posted by philb
    Changing port will be more than enough on its own, there's no need to use an ip just for ssh.
    I think he meant that he set up sshd to listen on only one IP, instead of sshd listening on all the IPs on the server (which is the default). That makes sense if you're going to be the one using it... then you really only need it listening on the one IP that you'll use. And, while I expect you know this, I wanted to clarify your wording: it doesn't 'use' an IP, meaning he can't use the IP for anything else.

  13. #13
    Member
    Join Date
    Jan 2004
    Posts
    123


    Quote Originally Posted by dezignguy
    I think he meant that he setup ssh to listen on only one ip, instead of sshd listening on all the ips on the server (which is default).
    Well sure, if you want to. Changing the port would still suffice, as <0.1% of the bruteforces people will see at the moment are actually done by a human who checked what port it was on first.

    Quote Originally Posted by dezignguy
    I wanted to clarify your wording, it doesn't 'use' an ip... meaning he can't use the ip for anything else.
    No no, I'm quite aware of that. I was responding to:

    Quote Originally Posted by vatoloco
    ...I setup an IP just for SSH and changed the port and...

  14. #14
    Member
    Join Date
    Sep 2004
    Posts
    529


    Quote Originally Posted by philb
    Well sure, if you want to. Changing the port would still suffice as <0.1% of the bruteforces people will see at the moment are actually done by a human who checked what port it was on first.
    It's just part of reducing the number of ports open on your IPs... simplicity helps keep things easy for monitoring and understanding too.

    But IMHO, it's best to simply deny all access to SSH to anyone except myself... using hosts.deny/hosts.allow in conjunction with my firewall. Not for everybody of course, but if done right, practically 0.0% of anyone, bruteforce or otherwise, will be able to connect to the port to try anything.
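
The thread ends up with three overlapping controls: moving the port, binding sshd to one address (ListenAddress rather than the default of all addresses), and a hosts.allow/hosts.deny pair so only known sources reach sshd at all. The block below is an added example, not code from the thread or from OpenSSH/tcp_wrappers: it audits a constructed sshd_config for those two settings and evaluates a constructed hosts.allow/hosts.deny pair the way tcp_wrappers does (allow file first, then deny file, otherwise permit). Only the common client patterns (ALL, an exact address, a trailing-dot prefix, net/mask) are handled; the EXCEPT operator and hostname patterns are deliberately left out, and the addresses come from documentation ranges.

```python
import ipaddress

# Constructed sshd_config fragments: the OpenSSH defaults as a weak setting
# and the thread's tightened variant (non-standard port, one listen address).
SSHD_CONFIG_DEFAULT = """\
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
"""
SSHD_CONFIG_TIGHT = """\
Port 2222
ListenAddress 192.0.2.5
PermitRootLogin no
"""

# Constructed tcp_wrappers files: deny sshd to everyone, then carve out
# one management host and one internal network in hosts.allow.
HOSTS_ALLOW = """\
# management workstation and the office network
sshd: 203.0.113.40, 10.0.0.0/255.0.0.0
"""
HOSTS_DENY = "sshd: ALL\n"


def audit_sshd_config(text):
    """Report the Port, ListenAddress lines and PermitRootLogin of an sshd_config.

    With no ListenAddress directive sshd listens on every local address, which
    is what the thread's posters moved away from.
    """
    port, listen, permit_root = 22, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "port":
            port = int(value)
        elif key == "listenaddress":
            listen.append(value)
        elif key == "permitrootlogin":
            permit_root = value.lower()
    listens_on_all = not listen or any(
        a in ("0.0.0.0", "::") or a.startswith("0.0.0.0:") for a in listen
    )
    return {
        "port": port,
        "listen_addresses": listen,
        "listens_on_all": listens_on_all,
        "permit_root_login": permit_root,
    }


def parse_wrappers(text):
    """Return [(daemon_patterns, client_patterns), ...] from a hosts.allow/deny file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(
            ([d.strip() for d in daemons.split(",") if d.strip()],
             [c.strip() for c in clients.split(",") if c.strip()])
        )
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, net/mask, trailing-dot prefix, or exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # "10.0.0.0/255.0.0.0" or "10.0.0.0/8"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # "192.168.1." style prefix
        return ip.startswith(pattern)
    return ip == pattern


def rule_matches(rules, daemon, ip):
    return any(
        (daemon in daemons or "ALL" in daemons) and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def tcpwrap_decision(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: a hosts.allow match wins, then a hosts.deny match denies,
    and a client matching neither file is allowed."""
    if rule_matches(parse_wrappers(allow_text), daemon, ip):
        return "allow"
    if rule_matches(parse_wrappers(deny_text), daemon, ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    print(audit_sshd_config(SSHD_CONFIG_DEFAULT))
    print(audit_sshd_config(SSHD_CONFIG_TIGHT))
    for src in ("203.0.113.40", "10.7.7.7", "198.51.100.9"):
        print(src, tcpwrap_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", src))
```

The point of the evaluator is the last branch: without a catch-all `sshd: ALL` in hosts.deny, an address that matches nothing is let through, so the "deny everyone except myself" setup from the post only works when the deny file closes the default.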
