Ataque ssh a mi server

jose2007 · 17 Nov 2007

Buenos días, hace un por de días instale un scrip para detectar intento de ataque por fuerza bruta...

The remote system 61.150.115.178 was found to have exceeded acceptable login failures on xxxxxxxxxc.com; there was 61 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 61.150.115.178 {bfd.sshd}

The following are event logs from 61.150.115.178 on service sshd (all time stamps are GMT -0800):

Nov 16 22:21:44 red sshd[3313]: Did not receive identification string from ::ffff:61.150.115.178
Nov 16 22:21:44 red sshd[3314]: Did not receive identification string from ::ffff:61.150.115.178
Nov 16 22:27:00 red sshd[3448]: Failed password for admin from ::ffff:61.150.115.178 port 60764 ssh2
Nov 16 22:27:01 red sshd[3449]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:06 red sshd[3454]: Failed password for root from ::ffff:61.150.115.178 port 60891 ssh2
Nov 16 22:27:06 red sshd[3455]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:09 red sshd[3457]: Invalid user stud from ::ffff:61.150.115.178
Nov 16 22:27:12 red sshd[3457]: Failed password for invalid user stud from ::ffff:61.150.115.178 port 61040 ssh2
Nov 16 22:27:12 red sshd[3458]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:15 red sshd[3460]: Invalid user trash from ::ffff:61.150.115.178
Nov 16 22:27:18 red sshd[3460]: Failed password for invalid user trash from ::ffff:61.150.115.178 port 61290 ssh2
Nov 16 22:27:18 red sshd[3461]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:19 red sshd[3462]: Failed password for admin from ::ffff:61.150.115.178 port 61331 ssh2
Nov 16 22:27:19 red sshd[3464]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:21 red sshd[3465]: Invalid user aaron from ::ffff:61.150.115.178
Nov 16 22:27:23 red sshd[3465]: Failed password for invalid user aaron from ::ffff:61.150.115.178 port 61442 ssh2
Nov 16 22:27:24 red sshd[3466]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:25 red sshd[3467]: Failed password for root from ::ffff:61.150.115.178 port 61487 ssh2
Nov 16 22:27:25 red sshd[3469]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:27 red sshd[3472]: Invalid user gt05 from ::ffff:61.150.115.178
Nov 16 22:27:28 red sshd[3474]: Invalid user stud from ::ffff:61.150.115.178
Nov 16 22:27:29 red sshd[3472]: Failed password for invalid user gt05 from ::ffff:61.150.115.178 port 61597 ssh2
Nov 16 22:27:29 red sshd[3473]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:30 red sshd[3474]: Failed password for invalid user stud from ::ffff:61.150.115.178 port 61636 ssh2
Nov 16 22:27:31 red sshd[3475]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:32 red sshd[3477]: Invalid user william from ::ffff:61.150.115.178
Nov 16 22:27:34 red sshd[3479]: Invalid user trash from ::ffff:61.150.115.178
Nov 16 22:27:35 red sshd[3477]: Failed password for invalid user william from ::ffff:61.150.115.178 port 61732 ssh2
Nov 16 22:27:35 red sshd[3478]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:36 red sshd[3479]: Failed password for invalid user trash from ::ffff:61.150.115.178 port 61777 ssh2
Nov 16 22:27:37 red sshd[3480]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:38 red sshd[3481]: Invalid user stephanie from ::ffff:61.150.115.178
Nov 16 22:27:40 red sshd[3483]: Invalid user aaron from ::ffff:61.150.115.178
Nov 16 22:27:41 red sshd[3481]: Failed password for invalid user stephanie from ::ffff:61.150.115.178 port 61867 ssh2
Nov 16 22:27:41 red sshd[3482]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:42 red sshd[3483]: Failed password for invalid user aaron from ::ffff:61.150.115.178 port 61909 ssh2
Nov 16 22:27:42 red sshd[3485]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:45 red sshd[3489]: Invalid user gt05 from ::ffff:61.150.115.178
Nov 16 22:27:46 red sshd[3487]: Failed password for root from ::ffff:61.150.115.178 port 62056 ssh2
Nov 16 22:27:47 red sshd[3488]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:48 red sshd[3489]: Failed password for invalid user gt05 from ::ffff:61.150.115.178 port 62125 ssh2
Nov 16 22:27:48 red sshd[3490]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:51 red sshd[3494]: Invalid user william from ::ffff:61.150.115.178
Nov 16 22:27:52 red sshd[3492]: Failed password for root from ::ffff:61.150.115.178 port 62234 ssh2
Nov 16 22:27:53 red sshd[3493]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:54 red sshd[3494]: Failed password for invalid user william from ::ffff:61.150.115.178 port 62279 ssh2
Nov 16 22:27:54 red sshd[3495]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:57 red sshd[3499]: Invalid user stephanie from ::ffff:61.150.115.178
Nov 16 22:27:58 red sshd[3496]: Failed password for root from ::ffff:61.150.115.178 port 62398 ssh2
Nov 16 22:27:58 red sshd[3497]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:27:59 red sshd[3499]: Failed password for invalid user stephanie from ::ffff:61.150.115.178 port 62435 ssh2
Nov 16 22:28:00 red sshd[3501]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:28:04 red sshd[3504]: Failed password for root from ::ffff:61.150.115.178 port 62520 ssh2
Nov 16 22:28:04 red sshd[3505]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:28:05 red sshd[3506]: Failed password for root from ::ffff:61.150.115.178 port 62566 ssh2
Nov 16 22:28:06 red sshd[3507]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:28:10 red sshd[3511]: Failed password for root from ::ffff:61.150.115.178 port 62655 ssh2
Nov 16 22:28:10 red sshd[3513]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:28:11 red sshd[3514]: Failed password for root from ::ffff:61.150.115.178 port 62704 ssh2
Nov 16 22:28:11 red sshd[3515]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:28:13 red sshd[3516]: Invalid user gary from ::ffff:61.150.115.178
Nov 16 22:28:15 red sshd[3516]: Failed password for invalid user gary from ::ffff:61.150.115.178 port 62829 ssh2
Nov 16 22:28:16 red sshd[3517]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:28:17 red sshd[3518]: Failed password for root from ::ffff:61.150.115.178 port 62943 ssh2
Nov 16 22:28:17 red sshd[3519]: Received disconnect from ::ffff:61.150.115.178: 11: Bye Bye
Nov 16 22:28:21 red sshd[3524]: Failed password for root from ::ffff:61.150.115.178 port 63049 ssh2

----
- Thank you;
Hacer clic para expandir...

[/QUOTE]

Creo que la ip es china...

Infor de la ip:

China Shanghai Chinanet Shanxi(sn) Province Network

inetnum: 61.150.0.0 - 61.150.127.255
netname: CHINANET-SN
descr: CHINANET Shanxi(SN) province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: XC9-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-SHAANXI
status: ASSIGNED NON-PORTABLE
changed: Whois Privacy and Spam Prevention by DomainTools.com 20000701
changed: Whois Privacy and Spam Prevention by DomainTools.com 20040927
source: APNIC
person: Xianghong Cao
address: Shanxi provice data communication Bureau
address: 185# zhuque Road
address: Xi'an city, Shanxi provice 710061
address: CN
phone: +8629-523-3633
fax-no: +8629-522-8093
e-mail: Whois Privacy and Spam Prevention by DomainTools.com
nic-hdl: XC9-AP
mnt-by: MAINT-NULL
changed: Whois Privacy and Spam Prevention by DomainTools.com 19990409
source: APNIC
Hacer clic para expandir...

Como puedo saber si a conseguido entrar?

Saludos

Anunciante

ideasmultiples · 17 Nov 2007

Si lo ha baneado APF no creo que lo haya hecho...

Si te preocupas por que has tenido UN ataque de esos te va a dar un ataque al corazón cuando tu servidor lleve tiempo en línea

jose2007 · 17 Nov 2007

Hola ideasmultiples gracias por tu respuesta, yo creo que contra mas tiempo lleve el Server on-line mas ataque de estos tendré, lo quería sabe si el ssh tiene algún registro Log para saber si realmente consiguió acceder al Server o no...

Gracias por tu tiempo

ideasmultiples · 17 Nov 2007

Es el que está posteando tu:
Nov 16 22:28:21 red sshd[3524]: Failed password for root from ::ffff:61.150.115.178 port 63049 ssh2

jose2007 · 17 Nov 2007

Ok, gracias

Un saludo

WebTech · 17 Nov 2007

Hola José,

No hay nada grave en lo que te ha sucedido, es lo más normal del mundo como recibirlos, como comentaba ideasmultiples, no te preocupes tanto pues la IP ya está baneada.

Una buena medida que puedes tomar para optimizar un poco el servicio SSH a nivel seguridad es usar un puerto diferente al 22, superior al 1024 y menor que el 65535, también usar el protocolo 2 en vez del 1, esos son dos puntos claves para evitar ataques de este tipo, al usar el protocolo 2 ya estás mucho más seguro.

Protecciones a nivel de TCP Wrappers también son necesarias, y ayudan aún más al hardening del sistema.

Saludos,

jose2007 · 17 Nov 2007

gracias webtech buscare info por google aver como ago eso... Saludos

kokev21 · 17 Nov 2007

para cambiar el puerto debes hacerlo en el archivo de configuracion de ssh en tu server... sshd_config ahi en un lugar sale port=... por defecto sale el 22, pero lo cambias sin problemas... y para que funcione con la version 2 debes fijarte en donde dice protocol= (aqui debe decir 2)

entonces para conectarte desde linux
ssh -p nºdepuerto usuario@ip

desde un cliente de windows, solo le cambias el puerto

saludos....

JORGE

WebTech · 17 Nov 2007

Ojo con la sintaxis que usas, donde le erres solo en un caracter y reinicies el SSH te puedes quedar sin ingreso a tu server al fallar el demonio:

Debe quedar así:
CODE, HTML o PHP Insertado:
Port [B]33224[/B] 
Protocol [B]2[/B]
- ejemplo con puerto 33224, tu puedes asignar el puerto que quieras --

Igual, antes de hacer los cambios si quieres presenta el archivo aquí, y te diremos si está bien de la forma en que aquí lo he presentado, debería funcionar sin problemas en RedHat y derivados.

Luego de hechos los cambios, debes reiniciar el demonio del ssh:
CODE, HTML o PHP Insertado:
/etc/init.d/sshd restart
Saludos,

PD: recuerda abrir el nuevo puerto del SSH antes de realizar los cambios en tu firewall, sino perderás acceso también.

jose2007 · 18 Nov 2007

Gracias a los dos por la ayuda ahora lo probare y posteare resultados...

Saludos

Accede o regístrate

Ataque ssh a mi server

jose2007 Usuario activo

Anunciante

ideasmultiples Usuario activo

jose2007 Usuario activo

ideasmultiples Usuario activo

jose2007 Usuario activo

WebTech Súper Moderador Miembro del Staff Moderador CH

jose2007 Usuario activo

kokev21 Usuario activo

WebTech Súper Moderador Miembro del Staff Moderador CH

jose2007 Usuario activo

Accede o regístrate

Ataque ssh a mi server

jose2007 Usuario activo

Anunciante

ideasmultiples Usuario activo

jose2007 Usuario activo

ideasmultiples Usuario activo

jose2007 Usuario activo

WebTech Súper Moderador Miembro del Staff Moderador CH

jose2007 Usuario activo

kokev21 Usuario activo

WebTech Súper Moderador Miembro del Staff Moderador CH

jose2007 Usuario activo

Búsquedas útiles