Server Getting Hammered

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    20

    Server Getting Hammered

    So I am a new administrator to a game server and I am looking at the logs. I do not know all the information about this game server; it is a Linux Debian server 2.6.8-2-386. This server is on a public network because it is a game server. I notice in my auth.log that there are many (many…many) entries to SSH:
    May 17 15:58:57 localhost sshd[21015]: Illegal user test from ::ffff:125.7.209.10
    May 17 15:59:09 localhost sshd[21023]: Illegal user guest from ::ffff:125.7.209.10
    May 17 15:59:12 localhost sshd[21025]: Illegal user master from ::ffff:125.7.209.10
    May 17 15:59:52 localhost sshd[21049]: Illegal user test from ::ffff:125.7.209.10
    May 17 15:59:54 localhost sshd[21051]: Illegal user test from ::ffff:125.7.209.10
    May 17 15:59:57 localhost sshd[21053]: Illegal user webmaster from ::ffff:125.7.209.10
    May 17 15:59:59 localhost sshd[21055]: Illegal user username from ::ffff:125.7.209.10
    May 17 16:00:01 localhost sshd[21057]: Illegal user user from ::ffff:125.7.209.10

    There are hundreds of these and I was wondering if this is a dictionary attempt to log in with ssh? They are coming from different addresses too. Any information would be a great help.

    -GA
    Jive Lady: Jus' hang loose, blood. She gonna catch ya up on da' rebound on da' med side.
    Second Jive Dude: What it is, big mama? My mama no raise no dummies. I dug her rap!
    Jive Lady: Cut me some slack, Jack! Chump don' want no help, chump don't GET da' help! Jive ass dude don't got no brains anyhow! Hmmph!

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    This is from a fairly old SSH grinder tool (skiddie tool) out there. I've seen log entries like this on practically every internet facing server I've worked on that did not use wrappers.

    Do yourself a favor, use TCP wrappers on your SSH service and this headache will go away.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Junior Member
    Join Date
    Apr 2006
    Posts
    20
    The problem is that there are many people that need to log into this box remotely. Is there any way that after 3 failed attempts to that port the IP is banned for a certain amount of time???

    -Thanks
    -GA

  4. #4
    Junior Member
    Join Date
    Apr 2006
    Posts
    20
    anyone ever use sshdfilter???

  5. #5
    Have a look at DenyHosts. Not so hard to config / setup.

    Also another idea is to use only ssh key authentication logins depending on your users.

    Good luck.
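
The "ban after 3 failed attempts" idea asked about in post #3, run over the auth.log lines from post #1. This is an added example, not part of the thread and not the code of sshdfilter or DenyHosts; the names `parse` and `find_bans`, the 5-minute window, the 1-hour ban, the year 2006 and the last sample line are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First four lines are from post #1; the last one is constructed
# (192.0.2.44 is a documentation address) and stays under the threshold.
SAMPLE_LOG = """\
May 17 15:58:57 localhost sshd[21015]: Illegal user test from ::ffff:125.7.209.10
May 17 15:59:09 localhost sshd[21023]: Illegal user guest from ::ffff:125.7.209.10
May 17 15:59:12 localhost sshd[21025]: Illegal user master from ::ffff:125.7.209.10
May 17 15:59:52 localhost sshd[21049]: Illegal user test from ::ffff:125.7.209.10
May 17 16:03:10 localhost sshd[21090]: Illegal user admin from ::ffff:192.0.2.44
"""

# Older sshd logs "Illegal user", newer releases log "Invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?:Illegal|Invalid) user \S+ from (?P<ip>\S+)")

def parse(line, year=2006):
    """Return (timestamp, ip) for a failed-login line, else None.
    Syslog lines carry no year, so the caller supplies one (assumed 2006)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ip = m["ip"]
    # sshd on a dual-stack socket reports IPv4 peers as ::ffff:a.b.c.d
    return ts, ip[7:] if ip.lower().startswith("::ffff:") else ip

def find_bans(lines, max_failures=3, window=timedelta(minutes=5),
              ban_for=timedelta(hours=1)):
    """Map each offending IP to the time its temporary ban expires."""
    recent = defaultdict(deque)  # ip -> failure times inside the window
    bans = {}                    # ip -> ban expiry
    for ts, ip in filter(None, map(parse, lines)):
        if ip in bans and ts < bans[ip]:
            continue             # still banned, nothing new to decide
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()          # forget failures older than the window
        if len(q) >= max_failures:
            bans[ip] = ts + ban_for
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} until {until} (TCP wrappers hosts.deny line: 'sshd: {ip}')")
```

The output only names candidates; enforcing the ban still needs a hosts.deny entry or a firewall rule that is removed again when the expiry time passes.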
