SSH – Have I just been under attack?


I have set up my Debian server on HP ProLiant 360 G4 yesterday. I started off with minimum services, running only SSH and Apache, all on standard ports with default configurations.

About an hour ago, I noticed odd behaviour of the system. The latency rose noticeably and I could not perform a remote reboot. I managed to get the server off the network in about 15 minutes.

I have been going through the logs and found these entries in auth.log:

Apr  3 17:31:35 karel sshd[25941]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:31:35 karel sshd[25941]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:31:35 karel sshd[25941]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:31:37 karel sshd[25941]: Failed password for invalid user takeuchi from 70.61.237.202 port 53004 ssh2
Apr  3 17:31:37 karel sshd[25941]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:31:39 karel sshd[25943]: Invalid user takeuchi from 70.61.237.202
Apr  3 17:31:39 karel sshd[25943]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:31:39 karel sshd[25943]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:31:39 karel sshd[25943]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:31:41 karel sshd[25943]: Failed password for invalid user takeuchi from 70.61.237.202 port 30756 ssh2
Apr  3 17:31:41 karel sshd[25943]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:31:42 karel sshd[25945]: Invalid user takeuchi from 70.61.237.202
Apr  3 17:31:42 karel sshd[25945]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:31:42 karel sshd[25945]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:31:42 karel sshd[25945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:31:45 karel sshd[25945]: Failed password for invalid user takeuchi from 70.61.237.202 port 43388 ssh2
Apr  3 17:31:45 karel sshd[25945]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:31:46 karel sshd[25947]: Invalid user takeuchi from 70.61.237.202
Apr  3 17:31:46 karel sshd[25947]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:31:46 karel sshd[25947]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:31:46 karel sshd[25947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:31:49 karel sshd[25947]: Failed password for invalid user takeuchi from 70.61.237.202 port 29640 ssh2
Apr  3 17:31:49 karel sshd[25947]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:31:50 karel sshd[25949]: Invalid user takeuchi from 70.61.237.202
Apr  3 17:31:50 karel sshd[25949]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:31:50 karel sshd[25949]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:31:50 karel sshd[25949]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:31:52 karel sshd[25949]: Failed password for invalid user takeuchi from 70.61.237.202 port 56323 ssh2
Apr  3 17:31:52 karel sshd[25949]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:31:54 karel sshd[25951]: Invalid user takeuchi from 70.61.237.202
Apr  3 17:31:54 karel sshd[25951]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:31:54 karel sshd[25951]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:31:54 karel sshd[25951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:31:56 karel sshd[25951]: Failed password for invalid user takeuchi from 70.61.237.202 port 54603 ssh2
Apr  3 17:31:56 karel sshd[25951]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:31:57 karel sshd[25953]: Invalid user takeuchi from 70.61.237.202
Apr  3 17:31:57 karel sshd[25953]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:31:57 karel sshd[25953]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:31:57 karel sshd[25953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:31:59 karel sshd[25953]: Failed password for invalid user takeuchi from 70.61.237.202 port 30332 ssh2
Apr  3 17:31:59 karel sshd[25953]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:32:01 karel sshd[25955]: Invalid user takeuchi from 70.61.237.202
Apr  3 17:32:01 karel sshd[25955]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:32:01 karel sshd[25955]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:32:01 karel sshd[25955]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:32:03 karel sshd[25955]: Failed password for invalid user takeuchi from 70.61.237.202 port 30855 ssh2
Apr  3 17:32:03 karel sshd[25955]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:32:04 karel sshd[25957]: Invalid user takeuchi from 70.61.237.202
Apr  3 17:32:04 karel sshd[25957]: input_userauth_request: invalid user takeuchi [preauth]
Apr  3 17:32:04 karel sshd[25957]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:32:04 karel sshd[25957]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:32:07 karel sshd[25957]: Failed password for invalid user takeuchi from 70.61.237.202 port 31154 ssh2
Apr  3 17:32:07 karel sshd[25957]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:32:08 karel sshd[25959]: Invalid user wut from 70.61.237.202
Apr  3 17:32:08 karel sshd[25959]: input_userauth_request: invalid user wut [preauth]
Apr  3 17:32:08 karel sshd[25959]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:32:08 karel sshd[25959]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:32:11 karel sshd[25959]: Failed password for invalid user wut from 70.61.237.202 port 59904 ssh2
Apr  3 17:32:11 karel sshd[25959]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:32:12 karel sshd[25961]: Invalid user wut from 70.61.237.202
Apr  3 17:32:12 karel sshd[25961]: input_userauth_request: invalid user wut [preauth]
Apr  3 17:32:12 karel sshd[25961]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:32:12 karel sshd[25961]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:32:14 karel sshd[25961]: Failed password for invalid user wut from 70.61.237.202 port 45945 ssh2
Apr  3 17:32:14 karel sshd[25961]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:32:15 karel sshd[25963]: Invalid user wut from 70.61.237.202
Apr  3 17:32:15 karel sshd[25963]: input_userauth_request: invalid user wut [preauth]
Apr  3 17:32:15 karel sshd[25963]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:32:15 karel sshd[25963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:32:18 karel sshd[25963]: Failed password for invalid user wut from 70.61.237.202 port 52652 ssh2
Apr  3 17:32:18 karel sshd[25963]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:32:19 karel sshd[25965]: Invalid user wut from 70.61.237.202
Apr  3 17:32:19 karel sshd[25965]: input_userauth_request: invalid user wut [preauth]
Apr  3 17:32:19 karel sshd[25965]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:32:19 karel sshd[25965]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:32:21 karel sshd[25965]: Failed password for invalid user wut from 70.61.237.202 port 34513 ssh2
Apr  3 17:32:21 karel sshd[25965]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:32:23 karel sshd[25967]: Invalid user wut from 70.61.237.202
Apr  3 17:32:23 karel sshd[25967]: input_userauth_request: invalid user wut [preauth]
Apr  3 17:32:23 karel sshd[25967]: pam_unix(sshd:auth): check pass; user unknown
Apr  3 17:32:23 karel sshd[25967]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-70-61-237-202.central.biz.rr.com 
Apr  3 17:32:24 karel sshd[25967]: Failed password for invalid user wut from 70.61.237.202 port 32538 ssh2
Apr  3 17:32:24 karel sshd[25967]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]

Should I be worried about a potential system breach? I use a strong password for my account and root login was disabled at the time. Will it help if I open a different port for SSH?

Thanks!

Best Answer

Yes, you're under attack, and yes you should be concerned about a system breach, even with a strong SSH password.

You should:

  1. Implement fail2ban

  2. Move SSH to a non-standard port.

    • Moving SSH won't prevent a dedicated attacker from finding where your service is anyway, but it will foil the bots that are used for the vast majority of these remote brute-force attacks. They only ever go after the default port.

  3. Set up certificate authentication for SSH logins.
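The first step in the answer, fail2ban, works by counting failed logins per source address in auth.log and banning the address once it exceeds a threshold inside a time window. The Python script below is an added example, not part of the original question or answer: it implements that same sliding-window policy over a few constructed log lines in the exact format shown in the question. The thresholds (maxretry, findtime, bantime), the year (syslog timestamps omit it) and the extra source addresses in the sample are assumptions.

```python
"""Fail2ban-style ban logic over sshd auth.log lines (added example).

The sample log below is constructed for this example; the attacker address
is the one from the question, the other addresses are documentation ranges.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed password" line sshd writes for both invalid and
# valid usernames (the form that appears in the question's auth.log).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: 4 old failures from 203.0.113.5 that fall out of the
# window, one legitimate key login, the brute force from the question, and a
# second source that stays under the threshold.
SAMPLE_LOG = """\
Apr  3 17:00:00 karel sshd[25801]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr  3 17:00:10 karel sshd[25803]: Failed password for root from 203.0.113.5 port 40002 ssh2
Apr  3 17:00:20 karel sshd[25805]: Failed password for root from 203.0.113.5 port 40003 ssh2
Apr  3 17:00:30 karel sshd[25807]: Failed password for root from 203.0.113.5 port 40004 ssh2
Apr  3 17:20:00 karel sshd[25850]: Failed password for root from 203.0.113.5 port 40005 ssh2
Apr  3 17:30:12 karel sshd[25900]: Accepted publickey for karel from 198.51.100.7 port 50112 ssh2
Apr  3 17:31:37 karel sshd[25941]: Failed password for invalid user takeuchi from 70.61.237.202 port 53004 ssh2
Apr  3 17:31:37 karel sshd[25941]: Received disconnect from 70.61.237.202: 11: Bye Bye [preauth]
Apr  3 17:31:41 karel sshd[25943]: Failed password for invalid user takeuchi from 70.61.237.202 port 30756 ssh2
Apr  3 17:31:45 karel sshd[25945]: Failed password for invalid user takeuchi from 70.61.237.202 port 43388 ssh2
Apr  3 17:31:49 karel sshd[25947]: Failed password for invalid user takeuchi from 70.61.237.202 port 29640 ssh2
Apr  3 17:31:52 karel sshd[25949]: Failed password for invalid user takeuchi from 70.61.237.202 port 56323 ssh2
Apr  3 17:32:11 karel sshd[25959]: Failed password for invalid user wut from 70.61.237.202 port 59904 ssh2
Apr  3 17:32:14 karel sshd[25961]: Failed password for invalid user wut from 70.61.237.202 port 45945 ssh2
Apr  3 17:32:18 karel sshd[25963]: Failed password for invalid user wut from 70.61.237.202 port 52652 ssh2
Apr  3 17:40:00 karel sshd[26001]: Failed password for invalid user admin from 192.0.2.10 port 41000 ssh2
Apr  3 17:40:05 karel sshd[26003]: Failed password for invalid user admin from 192.0.2.10 port 41001 ssh2
"""


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failed_attempts_per_ip(log_text):
    """Raw count of failed password attempts per source address."""
    return Counter(m["ip"] for m in map(FAILED_RE.match, log_text.splitlines()) if m)


def usernames_tried(log_text):
    """Which usernames were guessed, and how often."""
    return Counter(m["user"] for m in map(FAILED_RE.match, log_text.splitlines()) if m)


def scan(log_text, maxretry=5, findtime=600, bantime=3600, year=2015):
    """Replay the log and return the bans a fail2ban-like policy would issue.

    An address is banned when it accumulates `maxretry` failures within
    `findtime` seconds; failures arriving while a ban is active are skipped,
    because the firewall rule would have dropped those connections.
    """
    window = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned_until = {}             # ip -> datetime at which the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"], year)
        if ip in banned_until and ts < banned_until[ip]:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()   # slide the window forward
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append({"ip": ip, "banned_at": ts,
                         "until": banned_until[ip], "attempts": len(q)})
            q.clear()
    return bans


if __name__ == "__main__":
    for ban in scan(SAMPLE_LOG):
        print(f"ban {ban['ip']} at {ban['banned_at']} until {ban['until']} "
              f"after {ban['attempts']} failures")
    print("failures per source:", dict(failed_attempts_per_ip(SAMPLE_LOG)))
    print("usernames tried:", dict(usernames_tried(SAMPLE_LOG)))
```

Run against the sample, the script bans 70.61.237.202 at 17:31:52 after the fifth failure and ignores the three later guesses for "wut", while 203.0.113.5 is never banned because its first four failures have slid out of the ten-minute window by the time the fifth arrives. The successful `Accepted publickey` line is not counted at all, which is why the third step in the answer matters most: once key-based login is in place and `PasswordAuthentication no` is set in sshd_config, the guesses in this log have nothing left to hit, and fail2ban and the port change only reduce the noise.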