Anyone getting a lot of brute force attacks against their server?

Vatoloco

Well-Known Member
Jun 21, 2004
Almost every day I'll have something like what is below in my log files. It's never coming from the same IP, but the types of names it tries to log in with are always similar.

I'm thinking maybe it's a trojan that these machines are infected with? Just wondering if anyone else is experiencing it or if someone is coming after me specifically.


Failed logins from these:
account/password from 67.18.220.130: 1 Time(s)
adam/password from 67.18.220.130: 1 Time(s)
adm/password from 67.18.220.130: 2 Time(s)
alan/password from 67.18.220.130: 1 Time(s)
apache/password from 67.18.220.130: 1 Time(s)
backup/password from 67.18.220.130: 1 Time(s)
cip51/password from 67.18.220.130: 1 Time(s)
cip52/password from 67.18.220.130: 1 Time(s)
cosmin/password from 67.18.220.130: 1 Time(s)
cyrus/password from 67.18.220.130: 1 Time(s)
data/password from 67.18.220.130: 1 Time(s)
frank/password from 67.18.220.130: 1 Time(s)
george/password from 67.18.220.130: 1 Time(s)
henry/password from 67.18.220.130: 1 Time(s)
horde/password from 67.18.220.130: 1 Time(s)
iceuser/password from 67.18.220.130: 1 Time(s)
irc/password from 67.18.220.130: 2 Time(s)
jane/password from 67.18.220.130: 1 Time(s)
john/password from 67.18.220.130: 1 Time(s)
master/password from 67.18.220.130: 1 Time(s)
matt/password from 67.18.220.130: 1 Time(s)
mysql/password from 67.18.220.130: 1 Time(s)
nobody/password from 67.18.220.130: 1 Time(s)
noc/password from 67.18.220.130: 1 Time(s)
operator/password from 67.18.220.130: 1 Time(s)
oracle/password from 67.18.220.130: 1 Time(s)
pamela/password from 67.18.220.130: 1 Time(s)
patrick/password from 67.18.220.130: 2 Time(s)
rolo/password from 67.18.220.130: 1 Time(s)
root/password from 67.18.220.130: 59 Time(s)
server/password from 67.18.220.130: 1 Time(s)
sybase/password from 67.18.220.130: 1 Time(s)
test/password from 67.18.220.130: 5 Time(s)
user/password from 67.18.220.130: 3 Time(s)
web/password from 67.18.220.130: 2 Time(s)
webmaster/password from 67.18.220.130: 1 Time(s)
www-data/password from 67.18.220.130: 1 Time(s)
www/password from 67.18.220.130: 1 Time(s)
wwwrun/password from 67.18.220.130: 1 Time(s)
 
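An added example, not part of the original post: a small Python script that parses summary lines in the format shown above (`user/method from IP: N Time(s)`), aggregates them per source address and flags sources that walk through many usernames. The first source's lines are a subset of those in the post; the second source (192.0.2.10, one user, two tries) and the thresholds (5 distinct usernames or 20 attempts) are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# One logwatch-style summary line: "<user>/<auth method> from <ip>: <n> Time(s)"
LINE_RE = re.compile(
    r"^(?P<user>[^/\s]+)/(?P<method>\S+) from (?P<ip>[\d.]+): (?P<count>\d+) Time\(s\)$"
)

# Constructed sample: a subset of the lines in the post above, plus a second,
# made-up source (192.0.2.10) that looks like one person mistyping a password.
SAMPLE = """\
Failed logins from these:
root/password from 67.18.220.130: 59 Time(s)
test/password from 67.18.220.130: 5 Time(s)
user/password from 67.18.220.130: 3 Time(s)
adm/password from 67.18.220.130: 2 Time(s)
apache/password from 67.18.220.130: 1 Time(s)
mysql/password from 67.18.220.130: 1 Time(s)
oracle/password from 67.18.220.130: 1 Time(s)
www-data/password from 67.18.220.130: 1 Time(s)
alice/password from 192.0.2.10: 2 Time(s)
"""


@dataclass
class SourceSummary:
    ip: str
    total: int = 0
    attempts: dict = field(default_factory=dict)  # username -> failed count

    @property
    def distinct_users(self):
        return len(self.attempts)

    @property
    def top_user(self):
        return max(self.attempts, key=self.attempts.get)


def parse_failed_logins(text):
    """Aggregate failed attempts per source IP; non-matching lines are skipped."""
    sources = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src = sources.setdefault(m["ip"], SourceSummary(m["ip"]))
        n = int(m["count"])
        src.total += n
        src.attempts[m["user"]] = src.attempts.get(m["user"], 0) + n
    return sources


def classify(src, min_users=5, min_total=20):
    """A scanner walking a username list shows many distinct names from one
    source; a forgotten password shows one name and a handful of tries.
    The thresholds are illustrative, not tuned values."""
    if src.distinct_users >= min_users or src.total >= min_total:
        return "brute-force"
    return "benign"


def report(text):
    """Map each source IP to (verdict, total attempts, distinct users, top user)."""
    return {
        ip: (classify(src), src.total, src.distinct_users, src.top_user)
        for ip, src in parse_failed_logins(text).items()
    }


if __name__ == "__main__":
    for ip, (verdict, total, users, top) in report(SAMPLE).items():
        print(f"{ip:16} {verdict:12} attempts={total:3} users={users:2} top={top}")
```

Applied to the full list in the post, the same logic counts 107 attempts across 39 usernames from one address, 59 of them against root: a dictionary of common account names tried once or twice each, which is the shape of an automated scan rather than of someone who knows which accounts exist on the box.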

jdonoso

Well-Known Member
Nov 15, 2004
The Third Rock from The Sun!
Hi,

This is not a sign that your server is infected, but probably theirs. It can also be a hacker doing brute force attacks in order to gain access to your box. I would recommend you install APF (http://www.rfxnetworks.com/apf.php) in conjunction with BSD (http://www.rfxnetworks.com/bsd.php) to protect yourself against them.

Do a search in this forum, since there are several threads regarding this subject.

Best regards,
 

Webbie05

Member
Dec 16, 2004
Hey there, I was getting a lot of those, so all I did was change my SSH port to something else, and since then I've had no probs, although all they need to do is a port scan to get that new port, mind you.
 

nerdzoll

Well-Known Member
Oct 4, 2004
just another thought

Hey, one thing that I have done that stopped every single one of those attacks is to set aside 2 or 3 IPs that you will never use for anything else.
Assign one to SSH (even on the standard port 22) and only run ssh on that IP. I have not had a single brute force on ssh since I did it...
Oh, and if you desire, every so often you can rotate the IP of SSH.

Works wonders
 

philb

Well-Known Member
Jan 28, 2004
Vatoloco said:
Just wondering if anyone else is experiencing it or if someone is coming after me specifically.
It's just a worm that spreads via weak accounts over ssh. Pretty much anyone running anything connected to the net will get hit by this at least every once in a while. I see two to three unique sources a day.
 

Vatoloco

Well-Known Member
Jun 21, 2004
Thanks for all the suggestions. I set up an IP just for SSH and changed the port and, so far, no more entries like that in the logs! :)
 

philb

Well-Known Member
Jan 28, 2004
Changing the port will be more than enough on its own; there's no need to use an IP just for ssh.
 

dezignguy

Well-Known Member
Sep 26, 2004
philb said:
Changing the port will be more than enough on its own; there's no need to use an IP just for ssh.
I think he meant that he set up ssh to listen on only one IP, instead of sshd listening on all the IPs on the server (which is the default). That makes sense if you're going to be the one using it... then you really only need it listening on the one IP that you'll use. And, while I expect you know this, I wanted to clarify your wording: it doesn't 'use' an IP... meaning he can't use the IP for anything else.
 

philb

Well-Known Member
Jan 28, 2004
dezignguy said:
I think he meant that he set up ssh to listen on only one IP, instead of sshd listening on all the IPs on the server (which is the default).
Well, sure, if you want to. Changing the port would still suffice, as <0.1% of the brute forces people will see at the moment are actually done by a human who checked what port it was on first.

dezignguy said:
I wanted to clarify your wording: it doesn't 'use' an IP... meaning he can't use the IP for anything else.
No no, I'm quite aware of that. I was responding to:

vatoloco said:
...I set up an IP just for SSH and changed the port and...
;)
 

dezignguy

Well-Known Member
Sep 26, 2004
philb said:
Well, sure, if you want to. Changing the port would still suffice, as <0.1% of the brute forces people will see at the moment are actually done by a human who checked what port it was on first.
It's just part of reducing the number of ports open on your IPs... simplicity helps keep things easy for monitoring and understanding too.

But IMHO, it's best to simply deny all access to ssh to anyone except myself, using hosts.deny/hosts.allow in conjunction with my firewall. Not for everybody of course, but if done right, practically 0.0% of anyone, brute force or otherwise, will be able to connect to the port to try anything.
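An added example, not from the thread: a Python audit of the three controls the thread settles on (a non-default port, sshd bound to one dedicated address, and deny-by-default for sshd in hosts.deny with named exceptions in hosts.allow), run over a constructed stock configuration and a constructed hardened one. It also checks PermitRootLogin, which nobody in the thread mentions but which addresses the 59 attempts against root in the opening post. The parsers handle the plain `Keyword value` form of sshd_config and the `daemon_list : client_list` form of the tcp_wrappers files; the addresses 203.0.113.10, 198.51.100.7 and 192.0.2.0/255.255.255.0 are placeholders, and the semantics assumed are sshd's (no ListenAddress means every address, no Port means 22) and tcp_wrappers' (hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed).

```python
# Constructed configurations, not copied from any system.
WEAK_SSHD = """\
# stock sshd_config: commented defaults, so sshd answers on every address, port 22
#Port 22
#ListenAddress 0.0.0.0
"""
WEAK_ALLOW = ""
WEAK_DENY = ""

HARD_SSHD = """\
# one dedicated address and a non-default port, as suggested in the thread
Port 2222
ListenAddress 203.0.113.10
PermitRootLogin no
"""
HARD_ALLOW = "sshd: 198.51.100.7, 192.0.2.0/255.255.255.0\n"
HARD_DENY = "sshd: ALL\n"

ANY_ADDRESS = {"0.0.0.0", "::"}
SAFE_ROOT = {"no", "prohibit-password", "without-password"}


def _strip(line):
    """Drop comments and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def _listen_host(value):
    """ListenAddress accepts host, host:port and [host]:port (IPv6)."""
    if value.startswith("["):
        return value[1:value.index("]")]
    if value.count(":") == 1:
        return value.split(":", 1)[0]
    return value


def parse_sshd_config(text):
    """Collect Port, ListenAddress and PermitRootLogin, applying sshd's defaults."""
    cfg = {"ports": [], "listen": [], "permit_root": None}
    for raw in text.splitlines():
        parts = _strip(raw).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            cfg["ports"].append(int(value))
        elif key == "listenaddress":
            cfg["listen"].append(_listen_host(value))
        elif key == "permitrootlogin":
            cfg["permit_root"] = value.lower()
    cfg["ports"] = cfg["ports"] or [22]
    cfg["listen"] = cfg["listen"] or ["0.0.0.0"]
    return cfg


def parse_wrappers(text):
    """hosts.allow / hosts.deny lines: 'daemon_list : client_list [: option]'.
    Returns (daemons, clients) set pairs; bracketed IPv6 clients are not handled."""
    rules = []
    for raw in text.splitlines():
        fields = [f.strip() for f in _strip(raw).split(":")]
        if len(fields) < 2:
            continue
        daemons = {d.strip() for d in fields[0].split(",")}
        clients = {c.strip() for c in fields[1].split(",")}
        rules.append((daemons, clients))
    return rules


def _covers_sshd(daemons):
    return bool(daemons & {"sshd", "ALL"})


def audit(sshd_text, allow_text, deny_text):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    cfg = parse_sshd_config(sshd_text)
    if ANY_ADDRESS & set(cfg["listen"]):
        findings.append("sshd listens on every address; bind it to one dedicated IP")
    if 22 in cfg["ports"]:
        findings.append("sshd on default port 22, the only port automated scanners try")
    if cfg["permit_root"] not in SAFE_ROOT:
        findings.append("root password login allowed; root drew most failed attempts")
    deny_all = any(_covers_sshd(d) and "ALL" in c for d, c in parse_wrappers(deny_text))
    if not deny_all:
        findings.append("hosts.deny lacks 'sshd: ALL'; unmatched clients are allowed")
    if any(_covers_sshd(d) and "ALL" in c for d, c in parse_wrappers(allow_text)):
        findings.append("hosts.allow grants sshd to ALL, which wins over hosts.deny")
    return findings


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_SSHD, WEAK_ALLOW, WEAK_DENY)),
                        ("hardened", (HARD_SSHD, HARD_ALLOW, HARD_DENY))):
        print(f"{label}: {audit(*args) or ['ok']}")
```

One caveat for the hosts.allow/hosts.deny part: sshd honours those files only when built with libwrap, and OpenSSH removed tcp_wrappers support in 6.7, so on a current system the same deny-by-default has to live in the firewall (the "in conjunction with my firewall" above) rather than in the wrappers files.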