Hello Mr Chinese IP based hacker

JaredBusch

128.52 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=51491 DF PROTO=TCP SPT=51270 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
May 19 17:26:35 aci sshd[16219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:26:43 aci sshd[16219]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:26:43 aci kernel: [WAN_LOCAL-20-D]IN=eth2 OUT= MAC=dc:9f:db:80:12:7d:9c:ad:97:ee:6b:6d:08:00 SRC=107.77.216.151 DST=68.188.29.138 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=2079 DF PROTO=TCP SPT=27903 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
May 19 17:26:46 aci sshd[16223]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:26:53 aci sshd[16223]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:26:56 aci sshd[16225]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:27:04 aci sshd[16225]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:27:07 aci sshd[16228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:27:07 aci kernel: [WAN_LOCAL-20-D]IN=eth2 OUT= MAC=dc:9f:db:80:12:7d:9c:ad:97:ee:6b:6d:08:00 SRC=107.77.233.185 DST=68.188.29.138 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=46625 DF PROTO=TCP SPT=17331 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
May 19 17:27:14 aci sshd[16228]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:27:17 aci sshd[16230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:27:18 aci kernel: [WAN_LOCAL-20-D]IN=eth2 OUT= MAC=dc:9f:db:80:12:7d:9c:ad:97:ee:6b:6d:08:00 SRC=162.208.22.36 DST=68.188.29.138 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=41631 DF PROTO=TCP SPT=80 DPT=53895 WINDOW=60 RES=0x00 ACK FIN URGP=0
May 19 17:27:24 aci sshd[16230]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root
May 19 17:27:27 aci sshd[16234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.88.177.98  user=root

0_1463697189987_upload-b3a62b31-f458-4686-ae60-fc94ced51c44

JaredBusch

Now to look at my firewall rules and find out why this is even possible. SSH is not supposed to be accessible from the WAN interface.

Dashrender

is it normal for the login name to be blank?

JaredBusch

@Dashrender said in Hello Mr Chinese IP based hacker:

is it normal for the login name to be blank?

The user is root in that sample. Did you misread logname?

Dashrender

@JaredBusch said in Hello Mr Chinese IP based hacker:

@Dashrender said in Hello Mr Chinese IP based hacker:

is it normal for the login name to be blank?

The user is root in that sample. Did you misread logname?

So I did.

thwr

Just add a ban for 2 hours after 3 failed logins, will hurt much on their script.

Added country block (automatically updated CIDR ranges) to my firewalls (pfSense in this case) a few years ago, anything but my country gets blocked. I'm not seeing many attempts anymore since then. This won't help against a professional attempt, but you get rid of 99% of the kiddies.

JaredBusch

@thwr said in Hello Mr Chinese IP based hacker:

Just add a ban for 2 hours after 3 failed logins, will hurt much on their script.

Added country block (automatically updated CIDR ranges) to my firewalls (pfSense in this case) a few years ago, anything but my country gets blocked. I'm not seeing many attempts anymore since then. This won't help against a professional attempt, but you get rid of 99% of the kiddies.

That is a bunch of wasted processing. The connection should simply be dropped and never allowed period.

thwr

@JaredBusch Sure, is just a quick fix.

travisdh1

Just because the port is closed, that doesn't mean you won't get login attempts to said port. Why it's reaching pam instead of just being dropped tho? That's worrying.

JaredBusch

@travisdh1 said in Hello Mr Chinese IP based hacker:

Just because the port is closed, that doesn't mean you won't get login attempts to said port. Why it's reaching pam instead of just being dropped tho? That's worrying.

Right, there is not accept rule for port 22 on the WAN_LOCAL firewall set that is applied. The default for the rule is a drop.

So nothing should have ever even shown up. because it should be dropped by default.

I added a drop all for port 22 as the first rule (even before the established/related) and it started dropping. At that point I went to bed. I will get back to it this afternoon.

Ambarishrh

Almost the same thing happened on one of my servers, funny the guy trying few usernames including "ajay" an indian name!

Time: Fri May 20 15:38:41 2016 +0400
IP: 27.221.10.43 (CN/China/-)
Failures: 20 (sshd)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

May 20 15:35:47 vcdc-test sshd[10105]: Invalid user a from 27.221.10.43
May 20 15:35:51 vcdc-test sshd[10197]: Invalid user b from 27.221.10.43
May 20 15:36:25 vcdc-test sshd[10222]: Invalid user user1 from 27.221.10.43
May 20 15:36:55 vcdc-test sshd[10257]: Invalid user oracle from 27.221.10.43
May 20 15:36:59 vcdc-test sshd[10259]: Invalid user oracle from 27.221.10.43
May 20 15:37:27 vcdc-test sshd[10281]: Invalid user postgres from 27.221.10.43
May 20 15:37:29 vcdc-test sshd[10287]: Invalid user test from 27.221.10.43
May 20 15:37:32 vcdc-test sshd[10289]: Invalid user test from 27.221.10.43
May 20 15:37:59 vcdc-test sshd[10316]: Invalid user nagios from 27.221.10.43
May 20 15:38:10 vcdc-test sshd[10324]: Invalid user test from 27.221.10.43
May 20 15:38:16 vcdc-test sshd[10328]: Invalid user ubuntu from 27.221.10.43
May 20 15:38:18 vcdc-test sshd[10332]: Invalid user geoadmin from 27.221.10.43
May 20 15:38:21 vcdc-test sshd[10334]: Invalid user geoadmin from 27.221.10.43
May 20 15:38:24 vcdc-test sshd[10336]: Invalid user jonesst1 from 27.221.10.43
May 20 15:38:26 vcdc-test sshd[10338]: Invalid user jonesst1 from 27.221.10.43
May 20 15:38:29 vcdc-test sshd[10340]: Invalid user server from 27.221.10.43
May 20 15:38:32 vcdc-test sshd[10342]: Invalid user server from 27.221.10.43
May 20 15:38:34 vcdc-test sshd[10344]: Invalid user smithsi from 27.221.10.43
May 20 15:38:37 vcdc-test sshd[10346]: Invalid user smithsi from 27.221.10.43
May 20 15:38:40 vcdc-test sshd[10348]: Invalid user ajay from 27.221.10.43

tonyshowoff

That's why we set any WAN-fancing SSH port to something obscenely high like 41022, not for "security" but because of the logs. In fact, all of our sshd services run following that pattern, as does our internal HTTP(S) servers but the load balancers take in 80/443.

This prevents as many services as possible from running as root, which anything running port < 1024 does. I don't think most people even know this. At the very least if there's a NAT in play, one can always set ssh and web services ports much higher and just translate the ports to avoid the same issue.

(I know there are some work arounds like setcap on Linux, but in general this is the default behaviour on most machines)

For some reason this made me think of The Venture Bros, Hunter Gather says:

And we want your sad ass undercover agents to stop trying to infiltrate our group. Frankly we're tired of killing them and we can't afford the body bags!

wirestyle22

@tonyshowoff said in Hello Mr Chinese IP based hacker:

That's why we set any WAN-fancing SSH port to something obscenely high like 41022, not for "security" but because of the logs. In fact, all of our sshd services run following that pattern, as does our internal HTTP(S) servers but the load balancers take in 80/443.

This prevents as many services as possible from running as root, which anything running port < 1024 does. I don't think most people even know this. At the very least if there's a NAT in play, one can always set ssh and web services ports much higher and just translate the ports to avoid the same issue.

(I know there are some work arounds like setcap on Linux, but in general this is the default behaviour on most machines)

For some reason this made me think of The Venture Bros, Hunter Gather says:

And we want your sad ass undercover agents to stop trying to infiltrate our group. Frankly we're tired of killing them and we can't afford the body bags!

Useful piece of information. Thanks!