brute force on ssh
I was doing a bit of maintenance on my server when I discovered a brute force attempt on port 22 (SSH). The brute force activity comes from several IP addresses, and it seems the crackers were targeting the root account; in some cases they were running dictionary attacks on the username as well.
The IP addresses involved in the cracking activities were 61.132.120.221 / 190.2.37.65 / 85.25.144.136 / 85.14.221.75 / 69.80.235.135 / 202.129.29.133 (brute forcing the root account) and 61.136.145.5 / 85.14.221.75 / 202.129.29.133 / 190.65.162.154 / 74.63.192.11 (brute forcing user accounts). The most persistent fucking culprit is 85.25.144.136, which has kept attacking for the last 3 days. Geez! What a fucking auto-bot.
The IPs were traced back to some boxes, probably zombies, and some were coming from various locations in China, the USA, etc.
To prevent the fuckers / future fuckers from flooding my log files with shitz, I could easily change the SSH port (/etc/ssh/sshd_config) to something other than the default (port 22), but I'm afraid this might affect some configs on the HyperVM control panel, and if they port scan my box they can still find the SSH port and continue their attack. Instead, I'll use iptables as a firewall to block unauthorized attempts on the SSH console.
Since my box doesn't have iptables installed, I need to install the package first. A simple installation using apt-get:
root@vps:~# apt-get install iptables
Then I reconfigure my box to drop any ICMP request so that it will not respond to pings. This is useful to hinder host discovery and target scanning (note that the rule below drops every ICMP type, not only echo requests, which can also interfere with things like path MTU discovery).
root@vps:~# iptables -A INPUT -p icmp -j DROP
Then, to prevent attacks on the SSH port, I install SSHGuard:
root@vps:~# apt-get install sshguard
Following the documentation page, I configure SSHGuard to suit my system, using syslog and iptables.
Create a new blocking chain for sshguard:
root@vps:~# iptables -N sshguard
Protect port 22 by sending its traffic through the sshguard chain:
root@vps:~# iptables -A INPUT -p tcp --dport 22 -j sshguard
** To install the killall command (as required by the instructions), run:
apt-get install psmisc
The new iptables list is as below:
root@vps:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
sshguard tcp -- anywhere anywhere tcp dpt:ssh
DROP icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sshguard (1 references)
target prot opt source destination
Finally, I reboot my box for the new configuration to take effect.
Now, die Noobs!
**Update:
A few hours after setting up the firewall, I got my first victim! Kill sKiddies!
Die Noobs!
The victim's IP is now blocked from accessing my server for a certain time:
root@vps:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
sshguard tcp -- anywhere anywhere tcp dpt:ssh
DROP icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sshguard (1 references)
target prot opt source destination
DROP all -- 89-97-241-4.ip19.fastwebnet.it anywhere
All requests over every protocol (tcp, udp, etc.) on every port from the attacker's host are dropped. The auth.log file shows what sshguard did with the attacker's IP:
root@vps:~# cat /var/log/auth.log
Jan 20 17:27:58 vps sshguard[3511]: Releasing 89.97.241.4 after 521 seconds.
Jan 20 17:27:58 vps sshguard[3511]: Setting environment: SSHG_ADDR=89.97.241.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Jan 20 17:27:58 vps sshguard[3511]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
The IP is blocked for 521 seconds (about 9 minutes), after which it is automatically removed from iptables. Although the ban is not permanent, this stops automatic bots from continuing to waste my bandwidth and flooding my log file with crapz.
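As an added example (not from the original post), here is a small Python parser for the sshguard lines that end up in auth.log like the ones above: it lists which IPs were banned and for how long, and flags any block or release whose iptables hook exited non-zero, which would mean the sshguard chain no longer matches what the log claims. The sample log lines are constructed; the "Blocking" line format is assumed from sshguard 1.x and may differ on other versions.

```python
import re
from collections import defaultdict

# Constructed sample excerpt of /var/log/auth.log (not from the post's server). "Releasing" and
# "Run command" follow the formats quoted in the post; the "Blocking" format is assumed (sshguard 1.x).
SAMPLE_LOG = """\
Jan 20 17:19:17 vps sshguard[3511]: Blocking 89.97.241.4:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Jan 20 17:19:17 vps sshguard[3511]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Jan 20 17:27:58 vps sshguard[3511]: Releasing 89.97.241.4 after 521 seconds.
Jan 20 17:27:58 vps sshguard[3511]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Jan 20 18:02:10 vps sshguard[3511]: Blocking 85.25.144.136:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Jan 20 18:02:10 vps sshguard[3511]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 1.
"""

PREFIX = r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshguard\[\d+\]: '
BLOCK_RE = re.compile(PREFIX + r'Blocking (?P<ip>[0-9a-f.:]+):\d+ for >(?P<secs>\d+)secs')
RELEASE_RE = re.compile(PREFIX + r'Releasing (?P<ip>[0-9a-f.:]+) after (?P<secs>\d+) seconds')
HOOK_RE = re.compile(PREFIX + r'Run command ".*": exited (?P<rc>-?\d+)\.')

def parse_sshguard(log_text):
    """Return (timestamp, event, ip, value) tuples: 'block' (value = ban length),
    'release' (value = seconds actually banned) or 'hook' (value = exit code of the iptables command)."""
    events = []
    for line in log_text.splitlines():
        if m := BLOCK_RE.match(line):
            events.append((m['ts'], 'block', m['ip'], int(m['secs'])))
        elif m := RELEASE_RE.match(line):
            events.append((m['ts'], 'release', m['ip'], int(m['secs'])))
        elif m := HOOK_RE.match(line):
            # the hook line names no address, so attribute it to the event logged just before it
            ip = events[-1][2] if events else None
            events.append((m['ts'], 'hook', ip, int(m['rc'])))
    return events

def summarize(events):
    """Per-IP view: bans, whether a ban is still active, total seconds banned, and failed hooks.
    A non-zero hook exit means the DROP rule was not added/removed, so chain and log disagree."""
    summary = defaultdict(lambda: {'bans': 0, 'active': False,
                                   'banned_seconds': 0, 'hook_failures': 0})
    for _ts, event, ip, value in events:
        entry = summary[ip]
        if event == 'block':
            entry['bans'] += 1
            entry['active'] = True
        elif event == 'release':
            entry['active'] = False
            entry['banned_seconds'] += value
        elif value != 0:  # hook event with a failing iptables command
            entry['hook_failures'] += 1
    return dict(summary)
```

Run it against a real auth.log with `summarize(parse_sshguard(open('/var/log/auth.log').read()))`; any entry with hook_failures greater than zero is worth checking against `iptables -L sshguard`.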