What do I do about this ssh script attack?


I have sshd running on my Linux box (Debian distro). The router routes all ssh requests to that box only. I was looking in my logs for some reason, and I saw the following in auth.log:

Jun 12 14:13:04 localhost sshd[16686]: Illegal user play from
Jun 12 14:13:05 localhost sshd[16688]: Illegal user open from
Jun 12 14:13:07 localhost sshd[16690]: Illegal user dulap from
Jun 12 14:13:09 localhost sshd[16692]: Illegal user if from
Jun 12 14:13:10 localhost sshd[16694]: Illegal user uk from
Jun 12 14:13:12 localhost sshd[16696]: Illegal user us from
Jun 12 14:13:14 localhost sshd[16698]: Illegal user alinus from
Jun 12 14:13:15 localhost sshd[16700]: Illegal user rumeno from
Jun 12 14:13:17 localhost sshd[16702]: Illegal user it from

It goes on and on. Looking back, this happens to me a lot, and not always from the same IP. Running grep on the whole log directory shows that the lame-ass scripts don’t try any of my actual user names, so I don’t even know what it would try to do if it found a valid username - brute force the password maybe?

Anyway, this annoys me, and it seems like this would be against most providers’ terms and conditions. Is there any way I can try to notify the providers that there are users not playing nice? I would love to get some of these punks kicked off of their service or something. Or is it not even worth the hassle?
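As an added example (not code from anyone in the thread), here is the check a fail2ban-style script would run over lines like the ones quoted above: parse the “Illegal user” entries (later OpenSSH versions log the same event as “Invalid user”, so both are accepted), group them by source address, and flag any address that makes a burst of attempts inside a short sliding window. The log lines, addresses and the year are constructed; syslog timestamps carry no year, so the parser takes one as a parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Illegal user" lines quoted in the thread; later OpenSSH
# versions write "Invalid user" for the same event, so both are accepted.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log, not the poster's: addresses are from the RFC 5737
# documentation ranges, usernames mirror the ones in the post, and one
# unrelated line is included to show that the parser skips it.
SAMPLE_LOG = """\
Jun 12 14:13:04 localhost sshd[16686]: Illegal user play from 203.0.113.7
Jun 12 14:13:05 localhost sshd[16688]: Illegal user open from 203.0.113.7
Jun 12 14:13:07 localhost sshd[16690]: Illegal user dulap from 203.0.113.7
Jun 12 14:13:09 localhost sshd[16692]: Illegal user if from 203.0.113.7
Jun 12 14:13:10 localhost sshd[16694]: Illegal user uk from 203.0.113.7
Jun 12 14:13:12 localhost sshd[16696]: Illegal user us from 203.0.113.7
Jun 12 14:20:01 localhost sshd[16710]: Accepted publickey for alice from 198.51.100.2 port 51022 ssh2
Jun 12 15:02:40 localhost sshd[16801]: Invalid user test from 192.0.2.9
Jun 12 16:30:11 localhost sshd[16950]: Invalid user admin from 192.0.2.9
""".splitlines()


def parse_invalid_user(line, year):
    """Return (timestamp, ip, user) for an invalid-user line, else None."""
    m = INVALID_USER_RE.match(line)
    if not m:
        return None
    # syslog timestamps have no year, so the caller supplies one (assumed).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def attempts_by_ip(lines, year=2004):
    """Group invalid-user attempts by source address, in log order."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_invalid_user(line, year)
        if rec:
            ts, ip, user = rec
            by_ip[ip].append((ts, user))
    return by_ip


def burst_sources(lines, threshold=5, window=timedelta(minutes=1), year=2004):
    """Addresses that made at least `threshold` invalid-user attempts inside
    one sliding window of length `window`: the usual ban criterion.
    Returns {ip: sorted usernames that address tried}."""
    hits = {}
    for ip, events in attempts_by_ip(lines, year).items():
        times = sorted(t for t, _ in events)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                hits[ip] = sorted({u for _, u in events})
                break
    return hits


if __name__ == "__main__":
    for ip, users in burst_sources(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: tried {', '.join(users)}")
```

With the constructed log, 203.0.113.7 (six guesses in eight seconds) is reported and 192.0.2.9 (two guesses an hour and a half apart) is not; the threshold and window are the knobs you would tune before wiring the result into a firewall rule.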

Yah, I get this too. I’ve taken to simply banning the IP. It’s like swatting flies, though; always more where they came from.

Any script kiddie worth the name will be doing this from other machines that have already been compromised or public computers, not directly from their own connection. Of course, it would be nice to let the owners of the robots know they need to clean house.

Let me also add you could probably cut down on this by using a non-standard port.

I second that. It doesn’t really provide more security, but using a non-standard port means you will not match the search conditions of most scripts.

Any script kiddie with a room-temperature IQ can run a port-scanning program to find out which ports are active and then script attacks from there.

It takes more time, though. That might be enough to dissuade the asshole.

You can try it and it might reduce the incidence of attacks, but don’t fool yourself into thinking you’ve become any more secure.

Yeah, it would be nice to let people know that their computer is a zombie, but I have no idea how I would go about doing it. I’m sure an ISP would not give out an email address based on an IP address that’s probably dynamic and could have changed already. I also have no way of knowing if I’m just seeing a router on a company network or something. I don’t think I’m going to bother.

I may implement some sort of port-knocking solution, like this one [linuxjournal.com]. Derleth, I think this would actually increase my security quite a bit. Apparently there are knocking clients that will connect to your knock ports to open port 22, and can also knock other ports to close 22 again when you’re done. Might be overkill, but doesn’t seem like a lot of work. It’s my personal machine, so I don’t really have to worry about making it available to other users.

One last question - what’s the easiest way to see if I’m being port-scanned? I would be especially interested in seeing if people are trying to connect to daemons that I don’t even realize I have running. I’m finding Debian to be quite easy to work with, but it definitely installs and runs a lot more services out of the box than Gentoo did. That’s the trade-off, I guess.

Tower Dweller: That port-knocking solution looks good. It’s the equivalent of a second password, though, with all the good and bad that entails: If a lot of people use the same sequence, the bad guys will learn it and invalidate the scheme. The up-side is that sequences should be more difficult to guess: There’s no dictionary they can look through to aid brute-forcing.
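To make the open/close knocking and the “second password” point concrete, here is an added example of the state machine at the heart of a knock daemon; it is not code from the linked article or from anyone in the thread. A real daemon would watch SYNs to the knock ports (for instance from an iptables LOG rule) and add or remove a firewall rule for port 22; here those actions are reduced to an in-memory allow set so the logic can be run on its own. The port numbers and the timeout are hypothetical.

```python
# Knock sequences and timeout are assumptions for this example.
OPEN_SEQUENCE = (7000, 8000, 9000)    # knock these, in order, to open port 22
CLOSE_SEQUENCE = (9000, 8000, 7000)   # knock these to close it again
KNOCK_TIMEOUT = 10.0                  # seconds allowed between two knocks


class KnockDaemon:
    """Track each source address's progress through the two sequences."""

    def __init__(self, open_seq=OPEN_SEQUENCE, close_seq=CLOSE_SEQUENCE,
                 timeout=KNOCK_TIMEOUT):
        self.open_seq = open_seq
        self.close_seq = close_seq
        self.timeout = timeout
        self.progress = {}    # src -> {"open": n, "close": n, "t": last knock}
        self.allowed = set()  # sources currently allowed to reach port 22

    def observe(self, src, port, now):
        """Feed one knock (a SYN from `src` to `port` at time `now`).
        Returns "open" or "close" when a sequence completes, else None."""
        st = self.progress.setdefault(src, {"open": 0, "close": 0, "t": now})
        if now - st["t"] > self.timeout:
            st["open"] = st["close"] = 0           # too slow: start over
        st["t"] = now
        for name, seq in (("open", self.open_seq), ("close", self.close_seq)):
            if port == seq[st[name]]:
                st[name] += 1                      # the next expected port
            else:
                # a wrong port resets progress, unless it restarts the sequence
                st[name] = 1 if port == seq[0] else 0
        if st["open"] == len(self.open_seq):
            st["open"] = st["close"] = 0
            self.allowed.add(src)                  # real daemon: insert ACCEPT rule
            return "open"
        if st["close"] == len(self.close_seq):
            st["open"] = st["close"] = 0
            self.allowed.discard(src)              # real daemon: remove it again
            return "close"
        return None

    def permits(self, src):
        """Would a connection from `src` to port 22 be let through now?"""
        return src in self.allowed


def knock_space(length, ports=65535):
    """Number of distinct sequences of `length` knocks over `ports` candidate
    ports: the space a guesser has to search, with no dictionary to shrink it."""
    return ports ** length


if __name__ == "__main__":
    d = KnockDaemon()
    for t, port in enumerate(OPEN_SEQUENCE):
        print(port, d.observe("198.51.100.7", port, float(t)))
    print("port 22 open for 198.51.100.7:", d.permits("198.51.100.7"))
    print("possible 3-knock sequences:", knock_space(3))
```

The timeout is what keeps a slow scanner from stumbling into the sequence across an hour of probing, and the reset-on-wrong-port rule is what makes a full port sweep fail even though it touches every knock port: the ports must arrive in order with nothing in between.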

http://www.openwall.com/scanlogd/ - scanlogd is a tool designed to detect port-scanning. You can get more information from a good Google search. This Phrack article might be of interest as well.

The scans I’m getting actually probe non-standard ports.
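For the earlier question about seeing whether you are being scanned, and which ports get probed, here is an added example (not scanlogd’s code and not from anyone in the thread) of the criterion a scan detector applies: one source touching many distinct destination ports within a short window, whether or not those ports are standard. It reads abridged iptables LOG lines as syslog writes them, which assumes a firewall rule that logs new inbound TCP connections; the lines, addresses, year and the list of listening ports (what `netstat -ltn` would show) are constructed for the example. No claim is made about scanlogd’s own thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Abridged iptables LOG entry as it lands in kern.log or syslog. Assumed
# firewall rule: LOG new inbound TCP connections to this host.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)"
)


def _kern_line(ts, src, dpt, pid=1000):
    # Builds one constructed LOG line (MAC= and a few fields omitted).
    return (f"{ts} localhost kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID={pid} PROTO=TCP "
            f"SPT=40001 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample: one sweep of seven ports in three seconds, one client
# retrying port 22 three times, one single probe. Addresses from RFC 5737.
SAMPLE_KERN_LOG = [
    _kern_line("Jun 12 15:01:02", "203.0.113.9", 22),
    _kern_line("Jun 12 15:01:02", "203.0.113.9", 25),
    _kern_line("Jun 12 15:01:03", "203.0.113.9", 80),
    _kern_line("Jun 12 15:01:03", "203.0.113.9", 111),
    _kern_line("Jun 12 15:01:04", "203.0.113.9", 2222),
    _kern_line("Jun 12 15:01:04", "203.0.113.9", 6000),
    _kern_line("Jun 12 15:01:05", "203.0.113.9", 31337),
    _kern_line("Jun 12 15:05:00", "198.51.100.4", 22),
    _kern_line("Jun 12 15:05:01", "198.51.100.4", 22),
    _kern_line("Jun 12 15:05:02", "198.51.100.4", 22),
    _kern_line("Jun 12 15:09:00", "192.0.2.77", 111),
]

# Assumed set of ports this host listens on (what netstat -ltn would list).
LISTENING = {22, 111, 6000}


def parse_kern_line(line, year=2004):
    """Return (timestamp, src, dport) for a LOG line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect_scans(lines, min_ports=5, window=timedelta(seconds=30), year=2004):
    """Sources that hit at least `min_ports` distinct destination ports within
    `window`. Returns {src: sorted list of every port that source touched}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_kern_line(line, year)
        if rec:
            ts, src, dpt = rec
            events[src].append((ts, dpt))
    scans = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                scans[src] = sorted({p for _, p in evs})
                break
    return scans


def probed_listeners(scans, listening):
    """Of the ports each scanner probed, which ones are services this host
    really exposes: the daemons you may not have known were running."""
    return {src: sorted(set(ports) & listening) for src, ports in scans.items()}


if __name__ == "__main__":
    scans = detect_scans(SAMPLE_KERN_LOG)
    for src, ports in scans.items():
        print(f"scan from {src}: probed {ports}")
    print("open services that were probed:", probed_listeners(scans, LISTENING))
```

The distinct-port rule is what separates a scan from the repeated connections in the second group (one client retrying port 22 is not a scan), and comparing the probed ports against what is actually listening answers the practical question: which of the services Debian started for you did the scanner find.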

I second scanlogd as a scan detector. You should also get logcheck to detect other anomalies in your logfiles. Both have been packaged for Debian:


You should also read the “Securing Debian Manual”: http://www.debian.org/doc/manuals/securing-debian-howto/