audigy

Member
Feb 29, 2004
13
0
151
Hey, hopefully someone here can help me..


How do I stop this?

sshd:
Invalid Users:
Unknown Account: 10 Time(s)
Authentication Failures:
root (lcg00131.grid.sinica.edu.tw ): 555 Time(s)
unknown (lcg00131.grid.sinica.edu.tw ): 9 Time(s)
unknown (211.234.112.140 ): 1 Time(s)


I have not tried to log in to the server ALL day with SSH, and ALL of the user accounts do not have SSH enabled, so this is obviously a hacker trying to get in.
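The logwatch summary above is just a count of "Failed password" lines per source host. As an added example (not from this thread or from any of the tools mentioned in it), here is a small POSIX sh/awk script that produces the same kind of per-source, per-user summary from raw sshd syslog lines and flags any source that reaches a failure threshold, which is the detection step a BFD-style tool performs before it blocks. The log lines are constructed samples in the classic OpenSSH "Failed password for ... from ..." format; the host names, addresses and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise sshd authentication failures
# per source host and user, then flag sources over a threshold.
# SAMPLE_LOG is constructed; real logs vary by OpenSSH version and syslog setup.

SAMPLE_LOG='Mar  3 02:14:07 host sshd[2101]: Failed password for root from 10.0.0.5 port 40122 ssh2
Mar  3 02:14:09 host sshd[2101]: Failed password for root from 10.0.0.5 port 40122 ssh2
Mar  3 02:14:12 host sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 40130 ssh2
Mar  3 02:15:01 host sshd[2110]: Failed password for invalid user test from 192.0.2.7 port 51000 ssh2
Mar  3 02:15:30 host sshd[2112]: Accepted publickey for deploy from 192.0.2.9 port 51010 ssh2'

# failures_by_source: read log text on stdin, print "COUNT SOURCE USER" lines,
# most frequent first. Only "Failed password" lines are counted; the word
# before "from" is the user name whether or not "invalid user" precedes it.
failures_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1) }
            count[ip " " user]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# flag_sources THRESHOLD: read log text on stdin, print "SOURCE TOTAL" for
# every source whose failures (across all user names) reach THRESHOLD.
flag_sources() {
    awk -v thr="$1" '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            total[ip]++
         }
         END { for (ip in total) if (total[ip] >= thr) print ip, total[ip] }' | sort
}

# Demo on the constructed sample: the summary, then sources with 3+ failures.
printf '%s\n' "$SAMPLE_LOG" | failures_by_source
printf '%s\n' "$SAMPLE_LOG" | flag_sources 3
```

On a real box you would feed the script the auth log (for example /var/log/secure or /var/log/auth.log, depending on the distribution) instead of SAMPLE_LOG; what you do with a flagged source (a firewall rule, an alert e-mail) is the BFD step this script deliberately stops short of.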
 

nerdzoll

Well-Known Member
Oct 4, 2004
105
0
166
A couple of things

Firstly, I would install APF and BFD (www.rfxnetworks.com); this will give you a good firewall and brute-force attack stopper.
Also, I would run SSH on a non-standard port (and also preferably on an IP with no web addresses attached).
Finally, I would disallow the root user from logging into SSH directly and create a new user that can be added to the "wheel" group of users that can su - into root.

If you do a search on these forums you can get the details of how to do most of that... but at minimum APF and BFD are a good start.

EDIT: see http://forums.cpanel.net/showthread.php?t=14443&highlight=secure+server
 
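The sshd side of the advice above (non-standard port, no direct root login, only the wheel user allowed in over SSH) comes down to three sshd_config directives. As an added example, not from the thread or from the APF/BFD project, here is a POSIX sh script that sets those directives in a config file idempotently, replacing a commented-out default such as "#Port 22" rather than adding a duplicate. The port 2222, the use of AllowGroups wheel (which assumes, as the original poster says, that no other account needs SSH), and the function names are assumptions; run it against a copy first and check the real file with "sshd -t" as root before restarting sshd.

```shell
#!/bin/sh
# Added example, not from the thread: apply the sshd_config changes nerdzoll
# lists to a config file. Operates on whatever path it is given; the demo at
# the bottom uses a constructed temporary copy, never the live config.

# set_directive FILE KEY VALUE: rewrite every "KEY ..." line, commented out or
# not, as "KEY VALUE"; append the directive if no such line exists.
# Caveat: a KEY line inside a "Match" block would be rewritten as well.
set_directive() {
    cfg="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$cfg"; then
        sed "s/^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]].*$/$key $value/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# get_directive FILE KEY: print the value of the first active (uncommented) KEY line.
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE [PORT]: the three changes from the post.
#   Port            -> non-standard port (2222 is only an example value)
#   PermitRootLogin -> no   (root must come in as a wheel user and su -)
#   AllowGroups     -> wheel (only members of wheel may log in over SSH)
harden_sshd_config() {
    cfg="$1"; port="${2:-2222}"
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" AllowGroups wheel
    # On the real file, validate as root with:  sshd -t -f "$cfg"
}

# Demo on a constructed copy of a typical default config.
demo_cfg=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\nX11Forwarding no\n' > "$demo_cfg"
harden_sshd_config "$demo_cfg" 2222
cat "$demo_cfg"
rm -f "$demo_cfg"
```

Before restarting sshd with the new file, keep your existing session open and test a fresh login on the new port from a second terminal; AllowGroups locks out any account that is not in wheel, so make sure your regular user is in that group first (the original poster's case), and remember that the firewall (APF in this thread) has to allow the new port too.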

audigy

Member
Feb 29, 2004
13
0
151
Thanks. The root user can't log in to SSH directly; I have added a "regular" user to the wheel group, but it was just starting to get me worried. I will try the firewalls and see if that slows it down any.

Again Thanks
 

Finley Ave

Active Member
Feb 28, 2004
37
0
156
San Ramon, CA
This was probably an automated attack from an infected box. BFD is overrated for this kind of attack. The infected box will just try dumb passwords and move on to another victim. As soon as you block that box from making dumb attempts on you, some other box will come around the next day. Your best defense against this kind of attack is a non-standard SSH port and having passwords better than something like 'test'. If your password is "4dGwR22Y", a brute-force attack is going to take a little more than 555 attempts.
 

Norman

Well-Known Member
Sep 20, 2004
88
0
156
This actually happens A LOT.

It's probes and attacks from script kiddies trying to break in. Most of the time they start on an IP block and work their way through.

If you haven't installed apf/bfd I would do so.

If you need help, let us know; we can always help, but there is a lot of info on these boards on how to install it.

There is one server I admin that gets BFD (Brute Force Detection) emails 4 - 5 times a day..