Normal with 200 perm bans in CSF firewall when port 22 is open? China hack.

myhken Member
edited February 2014 in Help

Hello.

I'm not using port 22 as the standard SSH port on most of my servers, but I forgot to change the port on two servers, one in the US and one in Norway.
Yesterday I noticed that both had got 200 permanent bans in the CSF firewall, all from failed SSH logins, most IPs from China.

Is this normal on all servers using port 22 as SSH port?

I have no perm bans on my 15 other servers, which use a different port, so it has to be port 22. Still, why does China spend so much time trying to log on to my personal servers in the US and Norway?

61.147.103.7 # lfd: (sshd) Failed SSH login from 61.147.103.7 (CN/China/-): 5 in the last 3600 secs - Tue Feb 18 16:51:32 2014
222.186.62.62 # lfd: (sshd) Failed SSH login from 222.186.62.62 (CN/China/-): 5 in the last 3600 secs - Tue Feb 18 17:46:18 2014
222.186.62.20 # lfd: (sshd) Failed SSH login from 222.186.62.20 (CN/China/-): 5 in the last 3600 secs - Tue Feb 18 22:42:07 2014
218.2.22.145 # lfd: (sshd) Failed SSH login from 218.2.22.145 (CN/China/-): 5 in the last 3600 secs - Wed Feb 19 00:30:42 2014
176.117.127.168 # lfd: (sshd) Failed SSH login from 176.117.127.168 (RU/Russian Federation/-): 5 in the last 3600 secs - Wed Feb 19 09:04:22 2014
222.186.62.69 # lfd: (sshd) Failed SSH login from 222.186.62.69 (CN/China/-): 5 in the last 3600 secs - Wed Feb 19 22:00:18 2014
58.221.82.14 # lfd: (sshd) Failed SSH login from 58.221.82.14 (CN/China/-): 5 in the last 3600 secs - Thu Feb 20 03:20:30 2014
64.15.159.20 # lfd: (sshd) Failed SSH login from 64.15.159.20 (CA/Canada/-): 5 in the last 3600 secs - Thu Feb 20 03:30:00 2014
70.33.211.25 # lfd: (sshd) Failed SSH login from 70.33.211.25 (US/United States/-): 5 in the last 3600 secs - Thu Feb 20 08:06:49 2014
138.91.188.41 # lfd: (sshd) Failed SSH login from 138.91.188.41 (US/United States/-): 5 in the last 3600 secs - Fri Feb 21 06:02:20 2014
222.84.118.27 # lfd: (sshd) Failed SSH login from 222.84.118.27 (CN/China/-): 5 in the last 3600 secs - Fri Feb 21 07:03:56 2014
115.68.22.162 # lfd: (sshd) Failed SSH login from 115.68.22.162 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Feb 21 16:17:55 2014
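The csf.deny entries above are easier to reason about once they are tallied. The script below is an added example, not something posted in the thread: it parses lines in the format lfd writes to /etc/csf/csf.deny and summarises bans per country and per service, and lists the banned IPs for one country. The embedded sample is constructed from a subset of the lines quoted above; on a real box you would point the functions at /etc/csf/csf.deny instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarise lfd/CSF permanent bans.
# Each csf.deny line has the shape
#   IP # lfd: (service) Failed SSH login from IP (CC/Country/-): N in the last S secs - date
# Splitting on "(" and ")" gives $2 = service and $4 = "CC/Country/-".

# Constructed sample, taken from a few of the lines quoted in the post above.
sample_deny() {
    cat <<'EOF'
61.147.103.7 # lfd: (sshd) Failed SSH login from 61.147.103.7 (CN/China/-): 5 in the last 3600 secs - Tue Feb 18 16:51:32 2014
222.186.62.62 # lfd: (sshd) Failed SSH login from 222.186.62.62 (CN/China/-): 5 in the last 3600 secs - Tue Feb 18 17:46:18 2014
176.117.127.168 # lfd: (sshd) Failed SSH login from 176.117.127.168 (RU/Russian Federation/-): 5 in the last 3600 secs - Wed Feb 19 09:04:22 2014
64.15.159.20 # lfd: (sshd) Failed SSH login from 64.15.159.20 (CA/Canada/-): 5 in the last 3600 secs - Thu Feb 20 03:30:00 2014
115.68.22.162 # lfd: (sshd) Failed SSH login from 115.68.22.162 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Feb 21 16:17:55 2014
EOF
}

# Bans per country code, most frequent first.  $1: path to a csf.deny-style file.
bans_by_country() {
    awk -F'[()]' '/# lfd:/ { split($4, geo, "/"); n[geo[1]]++ }
                  END { for (c in n) printf "%s %d\n", c, n[c] }' "$1" | sort -k2,2nr -k1,1
}

# Bans per triggering service (sshd, pop3d, smtpauth, ...).  $1: file.
bans_by_service() {
    awk -F'[()]' '/# lfd:/ { n[$2]++ }
                  END { for (s in n) printf "%s %d\n", s, n[s] }' "$1" | sort -k2,2nr -k1,1
}

# IPs banned from one country, e.g. to review before geo-blocking or to feed
# into an abuse report.  $1: country code, $2: file.
ips_for_country() {
    awk -F'[()]' -v cc="$1" '/# lfd:/ { split($4, geo, "/"); if (geo[1] == cc) print $1 }' "$2" |
        awk '{ print $1 }'
}

# Demo run over the constructed sample.
tmp=$(mktemp)
sample_deny > "$tmp"
echo "== bans by country =="; bans_by_country "$tmp"
echo "== bans by service =="; bans_by_service "$tmp"
echo "== banned IPs from CN =="; ips_for_country CN "$tmp"
rm -f "$tmp"
```

The country field is whatever GeoIP database lfd consulted, so "CN" means the address was registered in China at the time, not that the operator sits there; most of these sources are compromised hosts, as the replies below point out.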

Comments

  • Yes. That's normal. Stupid brute-force bots...

  • Monsta_AU Member
    edited February 2014

    China has the largest number of pirated WinXP installs in the world. Now imagine how many of them actually get patched. Most of them are part of a huge botnet looking for chinks in the armour of well-connected machines.

    Why send from your botnet when they might do 1-5 emails a second and get spamlisted fast, possibly alerting the hardware owner to the compromise when you can compromise a faster, better connected machine that will send 1000 emails a second?

    To answer your question, yes, it pretty much is par for the course when you leave :22 open. The first thing you should do is move it to a non-standard port, or firewall it off to trusted IP's only. My VPSes are open on :2222 but still get the occasional hit as it is one that some coders would generally think of as an alternate (222;2022;10022;22022;22222 all obvious alternates). That said, it cuts down 98% of the scriptkiddie attacks.

    I have been seeing large amounts of hits against SMTP of late, and we are talking 80 bans in the space of 5-10 mins as the botnet gets new instructions. Mostly over the last few days, mine have been coming from Vietnam, China, Taiwan, Kazakhstan, Russia, Ukraine, Dubai, South Africa, Netherlands.... everywhere!

    Don't worry, CSF is doing its job.

  • This is very normal. We face it daily.

  • Good that they don't try all port numbers then, since I have no issues at all on my servers using another port number than 22.

  • Just disable root login and create one user to have root privileges. But yeah, changing ports is ideal.

  • Normal. I've been tempted to block China and Taiwan entirely.

  • It's very normal for port 22 for any IP. I had a private server which hosted nothing, just for testing, and it's a DSL connection... still got SSH logins like yours :) Never use port 22 :(

  • @namhuy said:
    It's very normal for port 22 for any IP. I had a private server which hosted nothing, just for testing, and it's a DSL connection... still got SSH logins like yours :) Never use port 22 :(

    Or just whitelist a couple IPs and drop everything else. That'll keep those logs clean!

  • @lelewku said:
    Just disable root login and create one user to have root privileges. But yeah, changing ports is ideal.

    So I can just make another "root" user, that works just the same way as the root user?

  • raindog308 Administrator, Veteran

    Changing your port should be standard practice. Geo-blocking China is another option.

    95-99% of blocks my CSFs put in place are from CN (pop3 is another favorite). The other 1-5% I write abuse@ :-)

    Seems I'm writing [email protected] lately...

  • @myhken said:

    Well, those botnets always attempt to SSH in as root on port 22.

  • Monsta_AU Member
    edited February 2014

    The best way is to go for certificate-based authentication. Don't even allow a password prompt. It confuses the #!&^ out of the scripts!

    I am a CentOS user, mainly as in my line of work we use RHEL-based distros. It could be RHEL itself, CentOS or Scientific. It's rare to get a Debian-based distro like Ubuntu or Mint in our client base. So therefore I like the CentOS Wiki article: http://wiki.centos.org/HowTos/Network/SecuringSSH

    There's also some good ideas at http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html too - NixCraft have heaps of great articles.

  • howardsl2 Member
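Before restarting sshd with the keys-only setup Monsta_AU recommends, it is worth checking the file for the settings that actually remove the password prompt. The script below is an added example, not from the thread or the linked wiki: it reads the first effective value of each keyword from an OpenSSH sshd_config (stopping at the first Match block, as sshd does for global settings) and flags the ones still in their permissive state. The two embedded configs are constructed; the "admin" account name in the hardened one is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenSSH sshd_config for
# key-only login before you restart the daemon.

# First effective value of a keyword in the global section.  sshd uses the
# first occurrence it sees, and anything after a "Match" line is conditional,
# so we stop there.  $1: keyword (case-insensitive), $2: config file.
sshd_option() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$2"
}

# Print one line per weak setting; return 0 only if the file is hardened.
# Defaults assumed where a keyword is absent: OpenSSH defaults
# PasswordAuthentication, ChallengeResponseAuthentication and
# PubkeyAuthentication to yes; older releases default PermitRootLogin to yes.
audit_sshd_config() {
    cfg="$1"; bad=0
    pw=$(sshd_option PasswordAuthentication "$cfg"); pw=${pw:-yes}
    if [ "$pw" != "no" ]; then echo "PasswordAuthentication is $pw (want no)"; bad=1; fi
    cr=$(sshd_option ChallengeResponseAuthentication "$cfg"); cr=${cr:-yes}
    if [ "$cr" != "no" ]; then echo "ChallengeResponseAuthentication is $cr (want no, it is another password prompt)"; bad=1; fi
    root=$(sshd_option PermitRootLogin "$cfg"); root=${root:-yes}
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is $root (want no or prohibit-password)"; bad=1 ;;
    esac
    pk=$(sshd_option PubkeyAuthentication "$cfg"); pk=${pk:-yes}
    if [ "$pk" != "yes" ]; then echo "PubkeyAuthentication is $pk (want yes)"; bad=1; fi
    return $bad
}

# Constructed sample: what a stock-looking config tends to contain.
weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample: keys only on a non-standard port, with a Match block
# that re-enables passwords for an internal network (assumed 10.0.0.0/8) and
# an assumed "admin" account as the only login.
hardened_config() {
    cat <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers admin
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
}

# Demo run over both samples.
w=$(mktemp); h=$(mktemp)
weak_config > "$w"; hardened_config > "$h"
echo "== weak config =="; audit_sshd_config "$w" || echo "-> not hardened, fix before restarting"
echo "== hardened config =="; audit_sshd_config "$h" && echo "-> ok"
rm -f "$w" "$h"
```

Run it against /etc/ssh/sshd_config, then `sshd -t` to syntax-check the file and `sshd -T` to print the effective values (that output is authoritative where this script only approximates sshd's parsing), and keep your current session open until a second key-only login succeeds.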
    edited February 2014

    As others have mentioned, moving the SSH port to a non-standard one is a good idea. In addition, you can implement something like this in iptables:

    # Put this rule on top of the INPUT chain: any source already in the
    # SSHSCAN list is dropped on every port, and --update restarts its 600 s timer.
    iptables -I INPUT -m recent --update --seconds 600 --hitcount 1 --name SSHSCAN -j DROP
    ... ...
    # Any packet to port 22 adds its source to the SSHSCAN list and is dropped.
    iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSHSCAN -j DROP
    

    Whenever someone scans the standard SSH port (22), he or she will be blocked from accessing ALL ports on your server for 10 minutes (configurable).
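Two things the bare pair of rules leaves out: an exception so you cannot trap yourself by typing the wrong port, and an explicit ACCEPT for the port sshd really listens on, which has to sit after the trap. The function below is an added example, not howardsl2's rules, and emits a complete iptables-restore fragment in that order; the admin address (IPv4 only), the real SSH port and the 203.0.113.5 / 2222 values in the demo are all assumed.

```shell
#!/bin/sh
# Added example (not from the thread): wrap the "recent"-module port-22 trap
# in a full INPUT policy.  $1: admin IPv4 address or CIDR, $2: real SSH port,
# $3: trap duration in seconds (default 600, as in the post above).
ssh_trap_rules() {
    admin="$1"; port="$2"; seconds="${3:-600}"
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    case "$admin" in ''|*[!0-9./]*) echo "bad admin address: $admin" >&2; return 1 ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
# Existing sessions survive even if their source later lands in the trap list.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Admin address: real port accepted, a slip to port 22 gets an immediate reset
# instead of a $seconds second lockout.  Both lines must precede the trap.
-A INPUT -s $admin -p tcp --dport $port -j ACCEPT
-A INPUT -s $admin -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# Anyone already in SSHSCAN is dropped on every port; --update refreshes the
# timer, so a scanner that keeps probing never gets out.
-A INPUT -m recent --update --seconds $seconds --name SSHSCAN -j DROP
# The port sshd actually listens on.
-A INPUT -p tcp --dport $port -j ACCEPT
# Touching port 22 adds the source to SSHSCAN and drops the packet.
-A INPUT -p tcp --dport 22 -m recent --set --name SSHSCAN -j DROP
COMMIT
EOF
}

# Demo with assumed values.
ssh_trap_rules 203.0.113.5 2222
```

Feed the output to `iptables-restore --test` first; if it parses, load it with `iptables-restore` from a console session, not over SSH, so a mistake in the ordering cannot lock you out.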

  • @Monsta_AU said:
    China has the largest number of pirated WinXP installs in the world. Now imagine how many of them actually get patched. Most of them are part of a huge botnet looking for chinks in the armour of well-connected machines.

    Why send from your botnet when they might do 1-5 emails a second and get spamlisted fast, possibly alerting the hardware owner to the compromise when you can compromise a faster, better connected machine that will send 1000 emails a second?

    To answer your question, yes, it pretty much is par for the course when you leave :22 open. The first thing you should do is move it to a non-standard port, or firewall it off to trusted IP's only. My VPSes are open on :2222 but still get the occasional hit as it is one that some coders would generally think of as an alternate (222;2022;10022;22022;22222 all obvious alternates). That said, it cuts down 98% of the scriptkiddie attacks.

    I have been seeing large amounts of hits against SMTP of late, and we are talking 80 bans in the space of 5-10 mins as the botnet gets new instructions. Mostly over the last few days, mine have been coming from Vietnam, China, Taiwan, Kazakhstan, Russia, Ukraine, Dubai, South Africa, Netherlands.... everywhere!

    Don't worry, CSF is doing its job.

    I will leave this here, someone else posted this here and I don't remember who.

    https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

  • Brute force is all they know. Good God they lack imagination...

  • I agree with the last post on that link. Nothing wrong with obscurity... just do not make it your only defence.

    The whole point is to remove the bot and possible zero-day exploits. I have CSF running behind it and fairly tightly I might add. If anything changes, I will get a key change warning, which is when I get direct console access to see what is going on.

    Anyway this is completely off-topic, just remember to not rely on ONE security method.

  • @Monsta_AU said:
    I have been seeing large amounts of hits against SMTP of late

    Same here. At work we restricted SSH to specific IPs only; now they just attack POP/IMAP auth...

  • Install kippo or kojoney, and that will guarantee you some amazing and amusing entertainment. :)

  • CSF does the job, just configure to block for more than just 24 hours on a temp. I find 72 hours dissuades them hard.
