OVH Community, your new community space.

My server is being bruted


TF_SChw@rZl!cht
28.05.13, 08:24
My SSH ports have also been in the 60k+ range for years, and so far I have only recorded my own logins.

whyte
28.05.13, 07:59
I can't confirm the part about fail2ban, I mean that it is needed (mandatory).
I changed the SSH port and it is completely quiet on my end ...
Then again, I did move the port to beyond 60000 ...

encounter
27.05.13, 12:38
Quote from pyrolord
I get up to 3000 such login attempts a day despite not using standard ports. For a while I took the trouble to block the IPs and, in extreme cases, to send abuse mails, but I gave that up long ago. It simply does no good, because 2 days later a new IP tries the same thing. As long as the attacks always follow the same pattern, i.e. simple dictionary attacks with the same standard usernames every time (Admin, DB2Admin,...), it doesn't bother me at all, because such standard accounts don't exist on my systems anyway or were renamed long ago. As long as these login attempts don't negatively affect performance / availability or aren't really very specific (e.g. a valid username), I would simply ignore them.
Yes, unfortunately this can be called normal by now, and I wouldn't let a server loose on the world without fail2ban.
Whether it's a standard port or not doesn't really matter. Allow SSH from only one IP and block everything else.
If you really do need SSH from somewhere else at some point, you just have other remote access to the machine that is allowed for SSH.
The same goes for FTP, and then the world is more or less in order.

For mail servers, additionally include one or another blacklist (Spamhaus, for example, does a good job), install ClamAV, and of course read (and understand) all logs regularly; there isn't much more you can do.

With the log above, fail2ban doesn't kick in at all, or far too late.
Very few people create usable regex entries that actually provide protection.
Here, all password failures run into a 5-week ban after the first attempt.
If I ever slip up myself, that's no big deal, since my IP is on the exception list.
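
Added example (not part of the original post or thread): a replay of `Failed password` lines against a retry-count/time-window ban rule, showing why attempts spaced about 20 minutes apart, as in the log quoted further down, never reach a count-based threshold, while a ban-on-first-failure rule with an exception list stops them. The log lines, addresses and threshold values are constructed for illustration, and `replay` is a simplified model, not fail2ban's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# One attempt produces several lines (pam_unix, Failed password, disconnect).
# Only "Failed password" is counted, so an attempt is not counted twice.
# Anchored at both ends: the address must sit in sshd's fixed line ending.
FAILED = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"sshd\[\d+\]:\s+Failed password for (?:invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$")

# Constructed sample (documentation addresses), in the thread's log format:
# 192.0.2.10 is slow, 198.51.100.7 is a burst, 203.0.113.5 is the admin.
SAMPLE_LOG = """\
May 5 11:55:34 host sshd[8448]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
May 5 11:55:36 host sshd[8448]: Failed password for root from 192.0.2.10 port 57902 ssh2
May 5 12:15:42 host sshd[9760]: Failed password for root from 192.0.2.10 port 57082 ssh2
May 5 12:15:42 host sshd[9760]: Received disconnect from 192.0.2.10: 11: Bye Bye [preauth]
May 5 12:35:40 host sshd[10816]: Failed password for root from 192.0.2.10 port 56789 ssh2
May 5 12:55:30 host sshd[11885]: Failed password for invalid user test from 192.0.2.10 port 36324 ssh2
May 5 13:14:43 host sshd[13139]: Failed password for root from 192.0.2.10 port 47602 ssh2
May 5 13:34:24 host sshd[14364]: Failed password for root from 192.0.2.10 port 50477 ssh2
May 5 14:00:01 host sshd[15001]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 5 14:00:03 host sshd[15003]: Failed password for root from 198.51.100.7 port 40002 ssh2
May 5 14:00:05 host sshd[15005]: Failed password for root from 198.51.100.7 port 40003 ssh2
May 5 14:00:08 host sshd[15007]: Failed password for root from 198.51.100.7 port 40004 ssh2
May 5 14:00:10 host sshd[15009]: Failed password for root from 198.51.100.7 port 40005 ssh2
May 5 14:30:12 host sshd[15200]: Failed password for admin1 from 203.0.113.5 port 50222 ssh2
"""


def parse_failures(text, year=2013):
    """Return sorted (timestamp, ip, user) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line.strip())
        if not m or m["mon"] not in MONTHS:
            continue
        h, mi, s = map(int, m["time"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s)
        events.append((ts, m["ip"], m["user"]))
    return sorted(events)


def replay(events, maxretry, findtime, bantime, ignore=()):
    """Ban an address once it has `maxretry` failures within `findtime`.

    Failures logged while a ban would have been active count as "blocked":
    with the rule in place they would not have reached sshd at all.
    """
    window = defaultdict(deque)          # ip -> recent failure timestamps
    banned_until = {}
    stats = defaultdict(lambda: {"reached_sshd": 0, "blocked": 0, "bans": 0})
    for ts, ip, _user in events:
        if ip in ignore:                 # exception list: never banned
            continue
        if ip in banned_until and ts < banned_until[ip]:
            stats[ip]["blocked"] += 1
            continue
        stats[ip]["reached_sshd"] += 1
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()                  # drop failures older than the window
        if len(q) >= maxretry:
            banned_until[ip] = ts + bantime
            stats[ip]["bans"] += 1
            q.clear()
    return dict(stats)


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    ten_min = timedelta(minutes=10)
    policies = {
        "count-based (5 in 10 min, assumed values)":
            replay(events, 5, ten_min, ten_min),
        "first failure, 5-week ban, admin excepted":
            replay(events, 1, ten_min, timedelta(weeks=5), ignore={"203.0.113.5"}),
    }
    for name, result in policies.items():
        print(name)
        for ip, s in sorted(result.items()):
            print(f"  {ip:15} {s}")
```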

saber2003
07.05.13, 19:47
Sorry, that's as good as nothing! I would simply ignore those few entries. If the few entries annoy you, change the SSH port, then you'll have peace again for the time being. And important!!! Use a secure password, as fx123 already wrote.

skneo
07.05.13, 12:35
Normal background noise, though actually still far too little compared with what is normal otherwise. You can always see it well in the logs too; you really only need to look at the current size, and if it is ever much larger than average, you take a look inside.

fx123
06.05.13, 16:41
Those are a few attempts within almost 24 hours... that's nothing! Come back when it's a few million in a short time.

Mila432
06.05.13, 09:10
Thanks again! I don't mind bots scanning me either, but since the IP comes from OVH, I am worried.
I have already had to find that out about the abuse reports too.

Is this normal too:
Lines containing IP:42.121.129.68 in /var/log/auth.log

May 5 11:12:47 ks3292205 sshd[6187]: Did not receive identification string from 42.121.129.68
May 5 11:35:59 ks3292205 sshd[7375]: Invalid user 123321 from 42.121.129.68
May 5 11:35:59 ks3292205 sshd[7375]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68
May 5 11:36:01 ks3292205 sshd[7375]: Failed password for invalid user 123321 from 42.121.129.68 port 38127 ssh2
May 5 11:55:34 ks3292205 sshd[8448]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 11:55:36 ks3292205 sshd[8448]: Failed password for root from 42.121.129.68 port 57902 ssh2
May 5 12:15:40 ks3292205 sshd[9760]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 12:15:42 ks3292205 sshd[9760]: Failed password for root from 42.121.129.68 port 57082 ssh2
May 5 12:15:42 ks3292205 sshd[9760]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 12:35:38 ks3292205 sshd[10816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 12:35:40 ks3292205 sshd[10816]: Failed password for root from 42.121.129.68 port 56789 ssh2
May 5 12:35:40 ks3292205 sshd[10816]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 12:55:28 ks3292205 sshd[11885]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 12:55:30 ks3292205 sshd[11885]: Failed password for root from 42.121.129.68 port 36324 ssh2
May 5 13:14:41 ks3292205 sshd[13139]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 13:14:43 ks3292205 sshd[13139]: Failed password for root from 42.121.129.68 port 47602 ssh2
May 5 13:14:43 ks3292205 sshd[13139]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 13:34:22 ks3292205 sshd[14364]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 13:34:24 ks3292205 sshd[14364]: Failed password for root from 42.121.129.68 port 50477 ssh2
May 5 13:34:24 ks3292205 sshd[14364]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 13:54:37 ks3292205 sshd[15469]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 13:54:39 ks3292205 sshd[15469]: Failed password for root from 42.121.129.68 port 58724 ssh2
May 5 13:54:39 ks3292205 sshd[15469]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 14:15:27 ks3292205 sshd[16848]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 14:15:28 ks3292205 sshd[16848]: Failed password for root from 42.121.129.68 port 37570 ssh2
May 5 14:55:31 ks3292205 sshd[18972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 14:55:33 ks3292205 sshd[18972]: Failed password for root from 42.121.129.68 port 39713 ssh2
May 5 14:55:33 ks3292205 sshd[18972]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 15:12:44 ks3292205 sshd[20121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 15:12:46 ks3292205 sshd[20121]: Failed password for root from 42.121.129.68 port 46879 ssh2
May 5 16:38:48 ks3292205 sshd[25100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 16:38:50 ks3292205 sshd[25100]: Failed password for root from 42.121.129.68 port 60162 ssh2
May 5 16:38:50 ks3292205 sshd[25100]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 18:02:34 ks3292205 sshd[30092]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 18:02:37 ks3292205 sshd[30092]: Failed password for root from 42.121.129.68 port 46682 ssh2
May 5 18:24:24 ks3292205 sshd[31784]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 18:24:25 ks3292205 sshd[31784]: Failed password for root from 42.121.129.68 port 47047 ssh2
May 5 18:46:27 ks3292205 sshd[749]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 18:46:30 ks3292205 sshd[749]: Failed password for root from 42.121.129.68 port 46465 ssh2
May 5 19:04:43 ks3292205 sshd[1963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 19:04:45 ks3292205 sshd[1963]: Failed password for root from 42.121.129.68 port 57954 ssh2
May 5 19:35:22 ks3292205 sshd[3708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 19:35:24 ks3292205 sshd[3708]: Failed password for root from 42.121.129.68 port 33828 ssh2
May 5 19:35:24 ks3292205 sshd[3708]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 19:50:02 ks3292205 sshd[4545]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 19:50:04 ks3292205 sshd[4545]: Failed password for root from 42.121.129.68 port 36936 ssh2
May 5 20:04:44 ks3292205 sshd[5607]: Connection closed by 42.121.129.68 [preauth]
May 5 20:18:45 ks3292205 sshd[6420]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 20:18:47 ks3292205 sshd[6420]: Failed password for root from 42.121.129.68 port 58756 ssh2
May 5 20:32:50 ks3292205 sshd[7170]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 20:32:52 ks3292205 sshd[7170]: Failed password for root from 42.121.129.68 port 35343 ssh2
May 5 20:46:39 ks3292205 sshd[7931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 20:46:41 ks3292205 sshd[7931]: Failed password for root from 42.121.129.68 port 33858 ssh2
May 5 20:46:41 ks3292205 sshd[7931]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 21:01:09 ks3292205 sshd[8801]: Connection closed by 42.121.129.68 [preauth]
May 5 21:15:05 ks3292205 sshd[9711]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 21:15:07 ks3292205 sshd[9711]: Failed password for root from 42.121.129.68 port 36837 ssh2
May 5 21:29:27 ks3292205 sshd[10504]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 21:29:30 ks3292205 sshd[10504]: Failed password for root from 42.121.129.68 port 39438 ssh2
May 5 21:43:53 ks3292205 sshd[11268]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 21:43:56 ks3292205 sshd[11268]: Failed password for root from 42.121.129.68 port 53365 ssh2
May 5 21:43:56 ks3292205 sshd[11268]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 21:58:06 ks3292205 sshd[12022]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 21:58:08 ks3292205 sshd[12022]: Failed password for root from 42.121.129.68 port 46974 ssh2
May 5 21:58:08 ks3292205 sshd[12022]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 22:12:35 ks3292205 sshd[13024]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 22:12:38 ks3292205 sshd[13024]: Failed password for root from 42.121.129.68 port 59138 ssh2
May 5 22:12:38 ks3292205 sshd[13024]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 22:26:56 ks3292205 sshd[13992]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 22:26:58 ks3292205 sshd[13992]: Failed password for root from 42.121.129.68 port 36414 ssh2
May 5 22:26:59 ks3292205 sshd[13992]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 22:40:49 ks3292205 sshd[14821]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 22:40:51 ks3292205 sshd[14821]: Failed password for root from 42.121.129.68 port 52442 ssh2
May 5 22:40:51 ks3292205 sshd[14821]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 5 22:55:11 ks3292205 sshd[15674]: Connection closed by 42.121.129.68 [preauth]
May 5 23:08:36 ks3292205 sshd[16578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 23:08:38 ks3292205 sshd[16578]: Failed password for root from 42.121.129.68 port 42356 ssh2
May 5 23:22:21 ks3292205 sshd[17343]: Connection closed by 42.121.129.68 [preauth]
May 5 23:36:15 ks3292205 sshd[18086]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 23:36:17 ks3292205 sshd[18086]: Failed password for root from 42.121.129.68 port 59831 ssh2
May 5 23:50:31 ks3292205 sshd[18813]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 5 23:50:32 ks3292205 sshd[18813]: Failed password for root from 42.121.129.68 port 52249 ssh2
May 5 23:50:32 ks3292205 sshd[18813]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 00:04:45 ks3292205 sshd[19784]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 00:04:48 ks3292205 sshd[19784]: Failed password for root from 42.121.129.68 port 52666 ssh2
May 6 00:04:48 ks3292205 sshd[19784]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 00:18:19 ks3292205 sshd[20617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 00:18:20 ks3292205 sshd[20617]: Failed password for root from 42.121.129.68 port 45511 ssh2
May 6 00:18:20 ks3292205 sshd[20617]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 00:31:53 ks3292205 sshd[21301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 00:31:55 ks3292205 sshd[21301]: Failed password for root from 42.121.129.68 port 40726 ssh2
May 6 00:45:22 ks3292205 sshd[22062]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 00:45:24 ks3292205 sshd[22062]: Failed password for root from 42.121.129.68 port 53908 ssh2
May 6 00:59:04 ks3292205 sshd[22803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 00:59:06 ks3292205 sshd[22803]: Failed password for root from 42.121.129.68 port 59700 ssh2
May 6 00:59:06 ks3292205 sshd[22803]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 01:13:03 ks3292205 sshd[23778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 01:13:05 ks3292205 sshd[23778]: Failed password for root from 42.121.129.68 port 52880 ssh2
May 6 01:13:06 ks3292205 sshd[23778]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 01:27:08 ks3292205 sshd[24574]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 01:27:09 ks3292205 sshd[24574]: Failed password for root from 42.121.129.68 port 45548 ssh2
May 6 01:27:10 ks3292205 sshd[24574]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 01:40:53 ks3292205 sshd[25304]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 01:40:55 ks3292205 sshd[25304]: Failed password for root from 42.121.129.68 port 34361 ssh2
May 6 01:40:55 ks3292205 sshd[25304]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 01:55:11 ks3292205 sshd[26111]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 01:55:13 ks3292205 sshd[26111]: Failed password for root from 42.121.129.68 port 53090 ssh2
May 6 01:55:13 ks3292205 sshd[26111]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 02:23:37 ks3292205 sshd[27887]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 02:23:39 ks3292205 sshd[27887]: Failed password for root from 42.121.129.68 port 58618 ssh2
May 6 02:23:39 ks3292205 sshd[27887]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 02:37:38 ks3292205 sshd[28675]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 02:37:40 ks3292205 sshd[28675]: Failed password for root from 42.121.129.68 port 47802 ssh2
May 6 02:37:40 ks3292205 sshd[28675]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 02:51:14 ks3292205 sshd[29459]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 02:51:16 ks3292205 sshd[29459]: Failed password for root from 42.121.129.68 port 32799 ssh2
May 6 02:51:17 ks3292205 sshd[29459]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 03:05:01 ks3292205 sshd[30333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 03:05:02 ks3292205 sshd[30333]: Failed password for root from 42.121.129.68 port 58182 ssh2
May 6 03:05:03 ks3292205 sshd[30333]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 03:20:37 ks3292205 sshd[31240]: Connection closed by 42.121.129.68 [preauth]
May 6 03:37:22 ks3292205 sshd[32133]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 03:37:25 ks3292205 sshd[32133]: Failed password for root from 42.121.129.68 port 34660 ssh2
May 6 03:37:25 ks3292205 sshd[32133]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 03:55:03 ks3292205 sshd[834]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 03:55:05 ks3292205 sshd[834]: Failed password for root from 42.121.129.68 port 54965 ssh2
May 6 03:55:05 ks3292205 sshd[834]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 04:13:07 ks3292205 sshd[2077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 04:13:09 ks3292205 sshd[2077]: Failed password for root from 42.121.129.68 port 34749 ssh2
May 6 04:13:09 ks3292205 sshd[2077]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 04:31:33 ks3292205 sshd[3003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 04:31:35 ks3292205 sshd[3003]: Failed password for root from 42.121.129.68 port 40335 ssh2
May 6 04:31:36 ks3292205 sshd[3003]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 04:48:43 ks3292205 sshd[3994]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 04:48:46 ks3292205 sshd[3994]: Failed password for root from 42.121.129.68 port 45936 ssh2
May 6 04:48:46 ks3292205 sshd[3994]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 05:06:43 ks3292205 sshd[5255]: Invalid user roottest from 42.121.129.68
May 6 05:06:43 ks3292205 sshd[5255]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68
May 6 05:06:45 ks3292205 sshd[5255]: Failed password for invalid user roottest from 42.121.129.68 port 59253 ssh2
May 6 05:24:38 ks3292205 sshd[6244]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 05:24:40 ks3292205 sshd[6244]: Failed password for root from 42.121.129.68 port 54718 ssh2
May 6 05:43:01 ks3292205 sshd[7177]: Connection closed by 42.121.129.68 [preauth]
May 6 06:00:49 ks3292205 sshd[8151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 06:00:52 ks3292205 sshd[8151]: Failed password for root from 42.121.129.68 port 44308 ssh2
May 6 06:00:52 ks3292205 sshd[8151]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 06:19:19 ks3292205 sshd[9338]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 06:19:21 ks3292205 sshd[9338]: Failed password for root from 42.121.129.68 port 36556 ssh2
May 6 06:39:17 ks3292205 sshd[10876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 06:39:18 ks3292205 sshd[10876]: Failed password for root from 42.121.129.68 port 54216 ssh2
May 6 06:39:19 ks3292205 sshd[10876]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 06:57:36 ks3292205 sshd[11861]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 06:57:38 ks3292205 sshd[11861]: Failed password for root from 42.121.129.68 port 56339 ssh2
May 6 06:57:38 ks3292205 sshd[11861]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 07:15:59 ks3292205 sshd[13039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 07:16:01 ks3292205 sshd[13039]: Failed password for root from 42.121.129.68 port 49995 ssh2
May 6 07:35:22 ks3292205 sshd[14096]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 07:35:24 ks3292205 sshd[14096]: Failed password for root from 42.121.129.68 port 52901 ssh2
May 6 07:35:24 ks3292205 sshd[14096]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]
May 6 07:54:36 ks3292205 sshd[15110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 07:54:39 ks3292205 sshd[15110]: Failed password for root from 42.121.129.68 port 38770 ssh2
May 6 08:14:08 ks3292205 sshd[16464]: Connection closed by 42.121.129.68 [preauth]
May 6 08:32:57 ks3292205 sshd[17402]: Connection closed by 42.121.129.68 [preauth]
May 6 08:52:11 ks3292205 sshd[18444]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.121.129.68 user=root
May 6 08:52:13 ks3292205 sshd[18444]: Failed password for root from 42.121.129.68 port 58171 ssh2
May 6 08:52:14 ks3292205 sshd[18444]: Received disconnect from 42.121.129.68: 11: Bye Bye [preauth]


Regards,

Fail2Ban

fx123
06.05.13, 00:57
As already said, this is perfectly normal background noise. You can tell from the users being tried (0, teamspeak3, postgres, clouduser, sakura, root...). All standard users that exist on many systems and are probed fully automatically by bots.

We have thousands of such entries in the logs every day. Use secure passwords (and change the SSH port if need be) and you have no problems. Blocking individual IPs by hand here is completely over the top.

EvilMoe
05.05.13, 08:59
Something you could look at, since we're on the subject: fail2ban.

pyrolord
05.05.13, 08:51
I get up to 3000 such login attempts a day despite not using standard ports. For a while I took the trouble to block the IPs and, in extreme cases, to send abuse mails, but I gave that up long ago. It simply does no good, because 2 days later a new IP tries the same thing. As long as the attacks always follow the same pattern, i.e. simple dictionary attacks with the same standard usernames every time (Admin, DB2Admin,...), it doesn't bother me at all, because such standard accounts don't exist on my systems anyway or were renamed long ago. As long as these login attempts don't negatively affect performance / availability or aren't really very specific (e.g. a valid username), I would simply ignore them.

uisge
05.05.13, 00:07
bruted
I feel sick ...

F4RR3LL
04.05.13, 23:46
I would read the log... and do nothing.
An abuse report if I'm bored... but otherwise nothing.
Regards, Sven

Mila432
04.05.13, 22:49
Quote from Hook
Yep, changing default ports already helps against the so-called "background noise".
If entries show up after that anyway, that is already a sign that someone is targeting your server. Everything else is, as already said, relatively normal.
But an abuse report should still go out so that the server host in question (here OVH) can react.
In my experience, though, OVH does take care of it.
Thanks!

Quote from EvilMoe
Then block the IP with iptables.
OVH will take care of it.
Thanks, I did that. I hope it works.

Quote from fx123
Perfectly normal background noise in auth.log...

Some bot that is trying out servers/IPs en masse. Almost certainly has nothing to do with you personally.
Yes it does, unfortunately. I have a 6-hour ban in place, otherwise there would be more log.

Quote from whyte
Block the IP and change the SSH port ... is what I would suggest
Thanks!

Hook
04.05.13, 20:08
Yep, changing default ports already helps against the so-called "background noise".
If entries show up after that anyway, that is already a sign that someone is targeting your server. Everything else is, as already said, relatively normal.
But an abuse report should still go out so that the server host in question (here OVH) can react.
In my experience, though, OVH does take care of it.

whyte
04.05.13, 19:54
Block the IP and change the SSH port ... is what I would suggest

fx123
04.05.13, 14:53
Perfectly normal background noise in auth.log...

Some bot that is trying out servers/IPs en masse. Almost certainly has nothing to do with you personally.

EvilMoe
04.05.13, 13:16
Then block the IP with iptables.
OVH will take care of it.

Mila432
04.05.13, 13:04
Since neither support nor anyone else will help me / answer, here it is once more.

Attack comes from 5.135.162.118

Lines containing IP:5.135.162.118 in /var/log/auth.log

Apr 30 12:05:00 ks3292205 sshd[20650]: Did not receive identification string from 5.135.162.118
Apr 30 15:09:57 ks3292205 sshd[31100]: Invalid user 0 from 5.135.162.118
Apr 30 15:10:00 ks3292205 sshd[31100]: Failed password for invalid user 0 from 5.135.162.118 port 53550 ssh2
Apr 30 20:32:03 ks3292205 sshd[17205]: Invalid user teamspeak3 from 5.135.162.118
Apr 30 20:32:05 ks3292205 sshd[17205]: Failed password for invalid user teamspeak3 from 5.135.162.118 port 38920 ssh2
May 1 00:53:40 ks3292205 sshd[855]: Invalid user postgres from 5.135.162.118
May 1 00:53:43 ks3292205 sshd[855]: Failed password for invalid user postgres from 5.135.162.118 port 35089 ssh2
May 1 05:27:30 ks3292205 sshd[16718]: Invalid user clouduser from 5.135.162.118
May 1 05:27:32 ks3292205 sshd[16718]: Failed password for invalid user clouduser from 5.135.162.118 port 50099 ssh2
May 1 10:46:02 ks3292205 sshd[2769]: Invalid user sakura from 5.135.162.118
May 1 10:46:04 ks3292205 sshd[2769]: Failed password for invalid user sakura from 5.135.162.118 port 50029 ssh2
May 1 16:04:04 ks3292205 sshd[21084]: Failed password for root from 5.135.162.118 port 51555 ssh2
May 1 16:04:04 ks3292205 sshd[21084]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 1 16:04:06 ks3292205 sshd[21086]: Failed password for root from 5.135.162.118 port 51772 ssh2
May 1 21:28:19 ks3292205 sshd[7440]: Failed password for root from 5.135.162.118 port 33611 ssh2
May 1 21:28:19 ks3292205 sshd[7440]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 1 21:28:21 ks3292205 sshd[7451]: Failed password for root from 5.135.162.118 port 33795 ssh2
May 2 02:51:44 ks3292205 sshd[25843]: Failed password for root from 5.135.162.118 port 35549 ssh2
May 2 02:51:44 ks3292205 sshd[25843]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 2 02:51:46 ks3292205 sshd[25845]: Failed password for root from 5.135.162.118 port 35736 ssh2
May 2 08:16:35 ks3292205 sshd[12506]: Failed password for root from 5.135.162.118 port 46786 ssh2
May 2 08:16:35 ks3292205 sshd[12506]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 2 08:16:37 ks3292205 sshd[12508]: Failed password for root from 5.135.162.118 port 46986 ssh2
May 2 13:35:11 ks3292205 sshd[30514]: Failed password for root from 5.135.162.118 port 38855 ssh2
May 2 13:35:11 ks3292205 sshd[30514]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 2 13:35:13 ks3292205 sshd[30517]: Failed password for root from 5.135.162.118 port 39062 ssh2
May 2 18:52:56 ks3292205 sshd[16228]: Failed password for root from 5.135.162.118 port 41864 ssh2
May 2 18:52:56 ks3292205 sshd[16228]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 2 18:52:58 ks3292205 sshd[16230]: Failed password for root from 5.135.162.118 port 42053 ssh2
May 3 00:06:35 ks3292205 sshd[2711]: Failed password for root from 5.135.162.118 port 53490 ssh2
May 3 00:06:35 ks3292205 sshd[2711]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 3 00:06:37 ks3292205 sshd[2713]: Failed password for root from 5.135.162.118 port 53683 ssh2
May 3 05:13:45 ks3292205 sshd[20389]: Failed password for root from 5.135.162.118 port 41445 ssh2
May 3 05:13:45 ks3292205 sshd[20389]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 3 05:13:48 ks3292205 sshd[20392]: Failed password for root from 5.135.162.118 port 41636 ssh2
May 3 10:25:30 ks3292205 sshd[6056]: Failed password for root from 5.135.162.118 port 51918 ssh2
May 3 10:25:30 ks3292205 sshd[6056]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 3 10:25:32 ks3292205 sshd[6058]: Failed password for root from 5.135.162.118 port 52163 ssh2
May 3 15:39:26 ks3292205 sshd[23822]: Failed password for root from 5.135.162.118 port 45560 ssh2
May 3 15:39:26 ks3292205 sshd[23822]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 3 20:50:30 ks3292205 sshd[9875]: Failed password for root from 5.135.162.118 port 39432 ssh2
May 3 20:50:30 ks3292205 sshd[9875]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 3 20:50:32 ks3292205 sshd[9877]: Failed password for root from 5.135.162.118 port 39606 ssh2
May 4 02:01:07 ks3292205 sshd[19536]: Failed password for root from 5.135.162.118 port 36485 ssh2
May 4 02:01:07 ks3292205 sshd[19536]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 4 02:01:09 ks3292205 sshd[19538]: Failed password for root from 5.135.162.118 port 36710 ssh2
May 4 07:10:40 ks3292205 sshd[5493]: Failed password for root from 5.135.162.118 port 34381 ssh2
May 4 07:10:40 ks3292205 sshd[5493]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]
May 4 07:10:43 ks3292205 sshd[5495]: Failed password for root from 5.135.162.118 port 34568 ssh2
May 4 12:18:41 ks3292205 sshd[23483]: Failed password for root from 5.135.162.118 port 45541 ssh2
May 4 12:18:41 ks3292205 sshd[23483]: Received disconnect from 5.135.162.118: 11: Bye Bye [preauth]