Help - Search - Members - Calendar
Full Version: theplanet trying to login or attack?
The Planet Forums > Security > General Security > UNIX Security
ZeusChicago
Nov 7 2005, 11:09 PM
If someone from the planet was trying to login to my system and could not would I get a ticket opened about it or an email? I think this is just an outside attack, but wanted to check to make sure.

NOTE* I do have direct root login disabled, and the corret login/password for the account that does in Orbits

The IP appears to be from a university in New York

Z

CODE
The following are event logs from 128.122.20.68 on service sshd (all time stamps are GMT -0600):



Nov  7 22:07:12 jamesbodine sshd[23767]: Did not receive identification string from 128.122.20.68

Nov  7 22:07:12 jamesbodine sshd[23768]: Did not receive identification string from 128.122.20.68

Nov  7 22:07:12 jamesbodine sshd[23769]: Did not receive identification string from 128.122.20.68

Nov  7 22:07:12 jamesbodine sshd[23770]: Did not receive identification string from 128.122.20.68

Nov  7 22:07:12 jamesbodine sshd[23771]: Did not receive identification string from 128.122.20.68

Nov  7 22:35:15 jamesbodine sshd[25694]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:15 jamesbodine sshd[25695]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:15 jamesbodine sshd[25700]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:15 jamesbodine sshd[25699]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:16 jamesbodine sshd[25703]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:17 jamesbodine sshd[25694]: Failed password for illegal user theplanet from 128.122.20.68 port 44560 ssh2

Nov  7 22:35:18 jamesbodine sshd[25695]: Failed password for illegal user theplanet from 128.122.20.68 port 44565 ssh2

Nov  7 22:35:18 jamesbodine sshd[25699]: Failed password for illegal user theplanet from 128.122.20.68 port 44578 ssh2

Nov  7 22:35:18 jamesbodine sshd[25700]: Failed password for illegal user theplanet from 128.122.20.68 port 44580 ssh2

Nov  7 22:35:18 jamesbodine sshd[25707]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:18 jamesbodine sshd[25709]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:18 jamesbodine sshd[25711]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:18 jamesbodine sshd[25712]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:19 jamesbodine sshd[25703]: Failed password for illegal user theplanet from 128.122.20.68 port 44588 ssh2

Nov  7 22:35:19 jamesbodine sshd[25715]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:20 jamesbodine sshd[25707]: Failed password for illegal user theplanet from 128.122.20.68 port 44670 ssh2

Nov  7 22:35:21 jamesbodine sshd[25709]: Failed password for illegal user theplanet from 128.122.20.68 port 44675 ssh2

Nov  7 22:35:21 jamesbodine sshd[25718]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:21 jamesbodine sshd[25720]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:22 jamesbodine sshd[25711]: Failed password for illegal user theplanet from 128.122.20.68 port 44681 ssh2

Nov  7 22:35:22 jamesbodine sshd[25712]: Failed password for illegal user theplanet from 128.122.20.68 port 44683 ssh2

Nov  7 22:35:23 jamesbodine sshd[25723]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:23 jamesbodine sshd[25715]: Failed password for illegal user theplanet from 128.122.20.68 port 44711 ssh2

Nov  7 22:35:23 jamesbodine sshd[25726]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:23 jamesbodine sshd[25729]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:26 jamesbodine sshd[25718]: Failed password for illegal user theplanet from 128.122.20.68 port 44765 ssh2

Nov  7 22:35:26 jamesbodine sshd[25732]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:27 jamesbodine sshd[25720]: Failed password for illegal user theplanet from 128.122.20.68 port 44776 ssh2

Nov  7 22:35:27 jamesbodine sshd[25735]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:27 jamesbodine sshd[25723]: Failed password for illegal user theplanet from 128.122.20.68 port 44813 ssh2

Nov  7 22:35:28 jamesbodine sshd[25737]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:28 jamesbodine sshd[25726]: Failed password for illegal user theplanet from 128.122.20.68 port 44821 ssh2

Nov  7 22:35:28 jamesbodine sshd[25729]: Failed password for illegal user theplanet from 128.122.20.68 port 44843 ssh2

Nov  7 22:35:29 jamesbodine sshd[25739]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:29 jamesbodine sshd[25741]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:30 jamesbodine sshd[25732]: Failed password for illegal user theplanet from 128.122.20.68 port 44946 ssh2

Nov  7 22:35:30 jamesbodine sshd[25743]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:31 jamesbodine sshd[25735]: Failed password for illegal user theplanet from 128.122.20.68 port 44981 ssh2

Nov  7 22:35:31 jamesbodine sshd[25737]: Failed password for illegal user theplanet from 128.122.20.68 port 44998 ssh2

Nov  7 22:35:31 jamesbodine sshd[25745]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:31 jamesbodine sshd[25747]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:32 jamesbodine sshd[25741]: Failed password for illegal user theplanet from 128.122.20.68 port 45048 ssh2

Nov  7 22:35:32 jamesbodine sshd[25749]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:32 jamesbodine sshd[25739]: Failed password for illegal user theplanet from 128.122.20.68 port 45042 ssh2

Nov  7 22:35:33 jamesbodine sshd[25751]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:33 jamesbodine sshd[25743]: Failed password for illegal user theplanet from 128.122.20.68 port 45100 ssh2

Nov  7 22:35:34 jamesbodine sshd[25753]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:35 jamesbodine sshd[25745]: Failed password for illegal user theplanet from 128.122.20.68 port 45128 ssh2

Nov  7 22:35:35 jamesbodine sshd[25755]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:35 jamesbodine sshd[25747]: Failed password for illegal user theplanet from 128.122.20.68 port 45137 ssh2

Nov  7 22:35:36 jamesbodine sshd[25757]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:36 jamesbodine sshd[25749]: Failed password for illegal user theplanet from 128.122.20.68 port 45188 ssh2

Nov  7 22:35:37 jamesbodine sshd[25751]: Failed password for illegal user theplanet from 128.122.20.68 port 45214 ssh2

Nov  7 22:35:37 jamesbodine sshd[25759]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:37 jamesbodine sshd[25761]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:37 jamesbodine sshd[25753]: Failed password for illegal user theplanet from 128.122.20.68 port 45242 ssh2

Nov  7 22:35:38 jamesbodine sshd[25763]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:39 jamesbodine sshd[25755]: Failed password for illegal user theplanet from 128.122.20.68 port 45285 ssh2

Nov  7 22:35:39 jamesbodine sshd[25757]: Failed password for illegal user theplanet from 128.122.20.68 port 45306 ssh2

Nov  7 22:35:39 jamesbodine sshd[25766]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:40 jamesbodine sshd[25759]: Failed password for illegal user theplanet from 128.122.20.68 port 45348 ssh2

Nov  7 22:35:41 jamesbodine sshd[25769]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:41 jamesbodine sshd[25761]: Failed password for illegal user theplanet from 128.122.20.68 port 45364 ssh2

Nov  7 22:35:42 jamesbodine sshd[25771]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:42 jamesbodine sshd[25763]: Failed password for illegal user theplanet from 128.122.20.68 port 45385 ssh2

Nov  7 22:35:42 jamesbodine sshd[25766]: Failed password for illegal user theplanet from 128.122.20.68 port 45419 ssh2

Nov  7 22:35:43 jamesbodine sshd[25773]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:43 jamesbodine sshd[25775]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:43 jamesbodine sshd[25769]: Failed password for illegal user theplanet from 128.122.20.68 port 45483 ssh2

Nov  7 22:35:44 jamesbodine sshd[25777]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:44 jamesbodine sshd[25779]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:44 jamesbodine sshd[25771]: Failed password for illegal user theplanet from 128.122.20.68 port 45512 ssh2

Nov  7 22:35:45 jamesbodine sshd[25781]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:45 jamesbodine sshd[25773]: Failed password for illegal user theplanet from 128.122.20.68 port 45539 ssh2

Nov  7 22:35:46 jamesbodine sshd[25775]: Failed password for illegal user theplanet from 128.122.20.68 port 45544 ssh2

Nov  7 22:35:46 jamesbodine sshd[25783]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:46 jamesbodine sshd[25785]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:46 jamesbodine sshd[25777]: Failed password for illegal user theplanet from 128.122.20.68 port 45576 ssh2

Nov  7 22:35:47 jamesbodine sshd[25788]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:47 jamesbodine sshd[25779]: Failed password for illegal user theplanet from 128.122.20.68 port 45587 ssh2

Nov  7 22:35:47 jamesbodine sshd[25790]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:48 jamesbodine sshd[25781]: Failed password for illegal user theplanet from 128.122.20.68 port 45608 ssh2

Nov  7 22:35:49 jamesbodine sshd[25792]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:49 jamesbodine sshd[25783]: Failed password for illegal user theplanet from 128.122.20.68 port 45644 ssh2

Nov  7 22:35:50 jamesbodine sshd[25795]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:51 jamesbodine sshd[25785]: Failed password for illegal user theplanet from 128.122.20.68 port 45653 ssh2

Nov  7 22:35:52 jamesbodine sshd[25797]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:52 jamesbodine sshd[25788]: Failed password for illegal user theplanet from 128.122.20.68 port 45676 ssh2

Nov  7 22:35:52 jamesbodine sshd[25790]: Failed password for illegal user theplanet from 128.122.20.68 port 45693 ssh2

Nov  7 22:35:52 jamesbodine sshd[25799]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:53 jamesbodine sshd[25801]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:53 jamesbodine sshd[25792]: Failed password for illegal user theplanet from 128.122.20.68 port 45734 ssh2

Nov  7 22:35:54 jamesbodine sshd[25803]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:54 jamesbodine sshd[25795]: Failed password for illegal user theplanet from 128.122.20.68 port 45764 ssh2

Nov  7 22:35:54 jamesbodine sshd[25805]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:55 jamesbodine sshd[25797]: Failed password for illegal user theplanet from 128.122.20.68 port 45827 ssh2

Nov  7 22:35:55 jamesbodine sshd[25807]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:57 jamesbodine sshd[25799]: Failed password for illegal user theplanet from 128.122.20.68 port 45852 ssh2

Nov  7 22:35:58 jamesbodine sshd[25811]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:58 jamesbodine sshd[25801]: Failed password for illegal user theplanet from 128.122.20.68 port 45856 ssh2

Nov  7 22:35:58 jamesbodine sshd[25813]: Illegal user theplanet from 128.122.20.68

Nov  7 22:35:59 jamesbodine sshd[25803]: Failed password for illegal user theplanet from 128.122.20.68 port 45895 ssh2

Nov  7 22:36:00 jamesbodine sshd[25805]: Failed password for illegal user theplanet from 128.122.20.68 port 45909 ssh2

Nov  7 22:36:00 jamesbodine sshd[25815]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:00 jamesbodine sshd[25817]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:00 jamesbodine sshd[25807]: Failed password for illegal user theplanet from 128.122.20.68 port 45951 ssh2

Nov  7 22:36:01 jamesbodine sshd[25820]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:02 jamesbodine sshd[25811]: Failed password for illegal user theplanet from 128.122.20.68 port 46077 ssh2

Nov  7 22:36:02 jamesbodine sshd[25813]: Failed password for illegal user theplanet from 128.122.20.68 port 46102 ssh2

Nov  7 22:36:02 jamesbodine sshd[25824]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:02 jamesbodine sshd[25827]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:06 jamesbodine sshd[25815]: Failed password for illegal user theplanet from 128.122.20.68 port 46196 ssh2

Nov  7 22:36:06 jamesbodine sshd[25833]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:09 jamesbodine sshd[25817]: Failed password for illegal user theplanet from 128.122.20.68 port 46203 ssh2

Nov  7 22:36:09 jamesbodine sshd[25837]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:10 jamesbodine sshd[25820]: Failed password for illegal user theplanet from 128.122.20.68 port 46241 ssh2

Nov  7 22:36:10 jamesbodine sshd[25824]: Failed password for illegal user theplanet from 128.122.20.68 port 46300 ssh2

Nov  7 22:36:10 jamesbodine sshd[25839]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:10 jamesbodine sshd[25827]: Failed password for illegal user theplanet from 128.122.20.68 port 46312 ssh2

Nov  7 22:36:11 jamesbodine sshd[25841]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:11 jamesbodine sshd[25843]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:11 jamesbodine sshd[25833]: Failed password for illegal user theplanet from 128.122.20.68 port 46477 ssh2

Nov  7 22:36:12 jamesbodine sshd[25845]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:12 jamesbodine sshd[25837]: Failed password for illegal user theplanet from 128.122.20.68 port 46634 ssh2

Nov  7 22:36:14 jamesbodine sshd[25839]: Failed password for illegal user theplanet from 128.122.20.68 port 46690 ssh2

Nov  7 22:36:14 jamesbodine sshd[25848]: Failed password for root from 128.122.20.68 port 46840 ssh2

Nov  7 22:36:15 jamesbodine sshd[25850]: Failed password for root from 128.122.20.68 port 46853 ssh2

Nov  7 22:36:15 jamesbodine sshd[25841]: Failed password for illegal user theplanet from 128.122.20.68 port 46712 ssh2

Nov  7 22:36:15 jamesbodine sshd[25852]: Failed password for root from 128.122.20.68 port 46881 ssh2

Nov  7 22:36:15 jamesbodine sshd[25854]: Failed password for root from 128.122.20.68 port 46885 ssh2

Nov  7 22:36:16 jamesbodine sshd[25847]: Failed password for root from 128.122.20.68 port 46775 ssh2

Nov  7 22:36:16 jamesbodine sshd[25843]: Failed password for illegal user theplanet from 128.122.20.68 port 46722 ssh2

Nov  7 22:36:16 jamesbodine sshd[25856]: Failed password for root from 128.122.20.68 port 46898 ssh2

Nov  7 22:36:16 jamesbodine sshd[25845]: Failed password for illegal user theplanet from 128.122.20.68 port 46746 ssh2

Nov  7 22:36:16 jamesbodine sshd[25859]: Failed password for root from 128.122.20.68 port 46911 ssh2

Nov  7 22:36:16 jamesbodine sshd[25862]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:16 jamesbodine sshd[25861]: Failed password for root from 128.122.20.68 port 46920 ssh2

Nov  7 22:36:16 jamesbodine sshd[25863]: Failed password for root from 128.122.20.68 port 46922 ssh2

Nov  7 22:36:16 jamesbodine sshd[25867]: Failed password for root from 128.122.20.68 port 46932 ssh2

Nov  7 22:36:16 jamesbodine sshd[25869]: Failed password for root from 128.122.20.68 port 46938 ssh2

Nov  7 22:36:17 jamesbodine sshd[25871]: Failed password for root from 128.122.20.68 port 46950 ssh2

Nov  7 22:36:17 jamesbodine sshd[25875]: Failed password for root from 128.122.20.68 port 46958 ssh2

Nov  7 22:36:17 jamesbodine sshd[25873]: Failed password for root from 128.122.20.68 port 46953 ssh2

Nov  7 22:36:17 jamesbodine sshd[25876]: Failed password for root from 128.122.20.68 port 46959 ssh2

Nov  7 22:36:17 jamesbodine sshd[25881]: Failed password for root from 128.122.20.68 port 46969 ssh2

Nov  7 22:36:17 jamesbodine sshd[25879]: Failed password for root from 128.122.20.68 port 46964 ssh2

Nov  7 22:36:18 jamesbodine sshd[25883]: Failed password for root from 128.122.20.68 port 46995 ssh2

Nov  7 22:36:18 jamesbodine sshd[25884]: Failed password for root from 128.122.20.68 port 46996 ssh2

Nov  7 22:36:18 jamesbodine sshd[25887]: Failed password for root from 128.122.20.68 port 47008 ssh2

Nov  7 22:36:18 jamesbodine sshd[25889]: Failed password for root from 128.122.20.68 port 47011 ssh2

Nov  7 22:36:19 jamesbodine sshd[25891]: Failed password for root from 128.122.20.68 port 47032 ssh2

Nov  7 22:36:19 jamesbodine sshd[25893]: Failed password for root from 128.122.20.68 port 47042 ssh2

Nov  7 22:36:19 jamesbodine sshd[25895]: Failed password for root from 128.122.20.68 port 47057 ssh2

Nov  7 22:36:19 jamesbodine sshd[25897]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:19 jamesbodine sshd[25899]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:20 jamesbodine sshd[25862]: Failed password for illegal user theplanet from 128.122.20.68 port 46921 ssh2

Nov  7 22:36:21 jamesbodine sshd[25901]: Failed password for root from 128.122.20.68 port 47120 ssh2

Nov  7 22:36:21 jamesbodine sshd[25903]: Failed password for root from 128.122.20.68 port 47145 ssh2

Nov  7 22:36:22 jamesbodine sshd[25905]: Failed password for root from 128.122.20.68 port 47167 ssh2

Nov  7 22:36:22 jamesbodine sshd[25907]: Failed password for root from 128.122.20.68 port 47181 ssh2

Nov  7 22:36:23 jamesbodine sshd[25897]: Failed password for illegal user theplanet from 128.122.20.68 port 47064 ssh2

Nov  7 22:36:23 jamesbodine sshd[25912]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:23 jamesbodine sshd[25910]: Failed password for root from 128.122.20.68 port 47199 ssh2

Nov  7 22:36:23 jamesbodine sshd[25899]: Failed password for illegal user theplanet from 128.122.20.68 port 47076 ssh2

Nov  7 22:36:24 jamesbodine sshd[25914]: Failed password for root from 128.122.20.68 port 47221 ssh2

Nov  7 22:36:24 jamesbodine sshd[25916]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:24 jamesbodine sshd[25918]: Failed password for root from 128.122.20.68 port 47240 ssh2

Nov  7 22:36:24 jamesbodine sshd[25920]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:25 jamesbodine sshd[25912]: Failed password for illegal user theplanet from 128.122.20.68 port 47210 ssh2

Nov  7 22:36:26 jamesbodine sshd[25922]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:27 jamesbodine sshd[25916]: Failed password for illegal user theplanet from 128.122.20.68 port 47224 ssh2

Nov  7 22:36:27 jamesbodine sshd[25925]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:27 jamesbodine sshd[25920]: Failed password for illegal user theplanet from 128.122.20.68 port 47266 ssh2

Nov  7 22:36:28 jamesbodine sshd[25922]: Failed password for illegal user theplanet from 128.122.20.68 port 47310 ssh2

Nov  7 22:36:29 jamesbodine sshd[25929]: Failed password for root from 128.122.20.68 port 47419 ssh2

Nov  7 22:36:29 jamesbodine sshd[25931]: Failed password for root from 128.122.20.68 port 47435 ssh2

Nov  7 22:36:29 jamesbodine sshd[25925]: Failed password for illegal user theplanet from 128.122.20.68 port 47354 ssh2

Nov  7 22:36:30 jamesbodine sshd[25933]: Failed password for root from 128.122.20.68 port 47454 ssh2

Nov  7 22:36:30 jamesbodine sshd[25935]: Failed password for root from 128.122.20.68 port 47462 ssh2

Nov  7 22:36:30 jamesbodine sshd[25937]: Failed password for root from 128.122.20.68 port 47480 ssh2

Nov  7 22:36:30 jamesbodine sshd[25939]: Failed password for root from 128.122.20.68 port 47485 ssh2

Nov  7 22:36:31 jamesbodine sshd[25927]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:31 jamesbodine sshd[25942]: Failed password for root from 128.122.20.68 port 47498 ssh2

Nov  7 22:36:31 jamesbodine sshd[25944]: Failed password for root from 128.122.20.68 port 47502 ssh2

Nov  7 22:36:31 jamesbodine sshd[25946]: Failed password for root from 128.122.20.68 port 47517 ssh2

Nov  7 22:36:31 jamesbodine sshd[25948]: Failed password for root from 128.122.20.68 port 47527 ssh2

Nov  7 22:36:32 jamesbodine sshd[25950]: Failed password for root from 128.122.20.68 port 47539 ssh2

Nov  7 22:36:32 jamesbodine sshd[25952]: Failed password for root from 128.122.20.68 port 47547 ssh2

Nov  7 22:36:33 jamesbodine sshd[25954]: Failed password for root from 128.122.20.68 port 47558 ssh2

Nov  7 22:36:33 jamesbodine sshd[25956]: Failed password for root from 128.122.20.68 port 47567 ssh2

Nov  7 22:36:33 jamesbodine sshd[25927]: Failed password for illegal user theplanet from 128.122.20.68 port 47381 ssh2

Nov  7 22:36:33 jamesbodine sshd[25959]: Failed password for root from 128.122.20.68 port 47602 ssh2

Nov  7 22:36:34 jamesbodine sshd[25961]: Failed password for root from 128.122.20.68 port 47608 ssh2

Nov  7 22:36:34 jamesbodine sshd[25964]: Illegal user theplanet from 128.122.20.68

Nov  7 22:36:34 jamesbodine sshd[25965]: Failed password for root from 128.122.20.68 port 47616 ssh2

Nov  7 22:36:34 jamesbodine sshd[25968]: Failed password for root from 128.122.20.68 port 47642 ssh2

Nov  7 22:36:35 jamesbodine sshd[25970]: Failed password for root from 128.122.20.68 port 47646 ssh2

Nov  7 22:36:35 jamesbodine sshd[25972]: Failed password for root from 128.122.20.68 port 47670 ssh2

Nov  7 22:36:35 jamesbodine sshd[25975]: Failed password for root from 128.122.20.68 port 47679 ssh2

Nov  7 22:36:36 jamesbodine sshd[25978]: Failed password for root from 128.122.20.68 port 47702 ssh2

Nov  7 22:36:36 jamesbodine sshd[25980]: Failed password for root from 128.122.20.68 port 47709 ssh2

Nov  7 22:36:36 jamesbodine sshd[25964]: Failed password for illegal user theplanet from 128.122.20.68 port 47614 ssh2

Nov  7 22:36:36 jamesbodine sshd[25982]: Illegal user efnet from 128.122.20.68

Nov  7 22:36:37 jamesbodine sshd[25984]: Failed password for root from 128.122.20.68 port 47728 ssh2

Nov  7 22:36:37 jamesbodine sshd[25986]: Failed password for root from 128.122.20.68 port 47749 ssh2

Nov  7 22:36:37 jamesbodine sshd[25988]: Failed password for root from 128.122.20.68 port 47764 ssh2

Nov  7 22:36:38 jamesbodine sshd[25991]: Failed password for root from 128.122.20.68 port 47778 ssh2

Nov  7 22:36:38 jamesbodine sshd[25993]: Failed password for root from 128.122.20.68 port 47787 ssh2

Nov  7 22:36:38 jamesbodine sshd[25995]: Failed password for root from 128.122.20.68 port 47812 ssh2

Nov  7 22:36:39 jamesbodine sshd[25997]: Illegal user efnet from 128.122.20.68

Nov  7 22:36:39 jamesbodine sshd[25982]: Failed password for illegal user efnet from 128.122.20.68 port 47724 ssh2

Nov  7 22:36:39 jamesbodine sshd[25999]: Failed password for root from 128.122.20.68 port 47828 ssh2

Nov  7 22:36:40 jamesbodine sshd[26001]: Illegal user elf from 128.122.20.68

Nov  7 22:36:40 jamesbodine sshd[26003]: Failed password for root from 128.122.20.68 port 47851 ssh2

Nov  7 22:36:40 jamesbodine sshd[26005]: Failed password for root from 128.122.20.68 port 47874 ssh2

Nov  7 22:36:41 jamesbodine sshd[26007]: Failed password for root from 128.122.20.68 port 47894 ssh2

Nov  7 22:36:41 jamesbodine sshd[25997]: Failed password for illegal user efnet from 128.122.20.68 port 47818 ssh2

Nov  7 22:36:41 jamesbodine sshd[26009]: Failed password for root from 128.122.20.68 port 47933 ssh2

Nov  7 22:36:41 jamesbodine sshd[26010]: Illegal user elf from 128.122.20.68

Nov  7 22:36:42 jamesbodine sshd[26001]: Failed password for illegal user elf from 128.122.20.68 port 47842 ssh2

Nov  7 22:36:42 jamesbodine sshd[26013]: Failed password for root from 128.122.20.68 port 47946 ssh2

Nov  7 22:36:43 jamesbodine sshd[26015]: Failed password for root from 128.122.20.68 port 47971 ssh2

Nov  7 22:36:43 jamesbodine sshd[26017]: Failed password for root from 128.122.20.68 port 47992 ssh2

Nov  7 22:36:44 jamesbodine sshd[26019]: Failed password for root from 128.122.20.68 port 48013 ssh2

Nov  7 22:36:44 jamesbodine sshd[26010]: Failed password for illegal user elf from 128.122.20.68 port 47935 ssh2

Nov  7 22:36:44 jamesbodine sshd[26021]: Failed password for root from 128.122.20.68 port 48034 ssh2

Nov  7 22:36:45 jamesbodine sshd[26023]: Illegal user efnet from 128.122.20.68

Nov  7 22:36:47 jamesbodine sshd[26023]: Failed password for illegal user efnet from 128.122.20.68 port 48052 ssh2

Nov  7 22:36:47 jamesbodine sshd[26025]: Illegal user elf from 128.122.20.68

Nov  7 22:36:50 jamesbodine sshd[26025]: Failed password for illegal user elf from 128.122.20.68 port 48167 ssh2
xenneo
Nov 7 2005, 11:16 PM
abuse@theplanet.com is your best bet ^_^, I get about 20+ of these per day icon_smile.gif
xenneo
Nov 8 2005, 12:39 AM
Checking my email, this box tried me too icon_razz.gif

QUOTE
The following are event logs for 157 login failures from 128.122.20.68 on service sshd (all time stamps are GMT -0600):
budway
Nov 8 2005, 02:38 AM
custom ssh port will lower this problems...
Paul
Nov 8 2005, 04:59 AM
QUOTE (budway)
custom ssh port will lower this problems...

Firewalling off port 22 except for trusted IP's will solve the problem.
klaude
Nov 8 2005, 12:45 PM
QUOTE (Paul)
Firewalling off port 22 except for trusted IP's will solve the problem.


Thats a double edged sword. It can lock you out your server if you're in an "untrusted" place. Suppose you're at a friend's house and Apache tanks? icon_wink.gif
AreYouServed
Nov 8 2005, 12:45 PM
We get a number of Brute Force reports daily.

Normally we contact the network admin for the IP where it originates. Sometimes we get responses...sometimes we don't.
James Erickson
Nov 8 2005, 12:59 PM
Even though they are using our name, the ip address does not belong to us:
-bash-2.05b$ whois 128.122.20.68

OrgName: New York University
OrgID: NYU
Address: Academic Computing Facility
Address: 251 Mercer Street
City: New York
StateProv: NY
PostalCode: 10012
Country: US

RTechHandle: ZN68-ARIN
RTechName: New York University
RTechPhone: +1-212-998-3431
RTechEmail: NOC@nyu.edu

You can notify our abuse department, but I would recommend notifying their contact, as they are the only ones that can actually take action against the owner of the ip address.
kfukasawa
Nov 8 2005, 01:20 PM
You may also want to consider blocking those two IPs in particular. It's not an ultimate solution, but at least they won't be able to brute force you from those IPs. icon_confused.gif
knalb
Nov 12 2005, 09:28 PM
if you really want to get paranoid, you could always switch to require port knocking (my favoriate.. heh)
fpscops.com
Nov 13 2005, 08:30 AM
Hey thats my ip. icon_razz.gif
xenneo
Nov 13 2005, 10:35 AM
QUOTE (fpscops.com)
Hey thats my ip. icon_razz.gif
/me hides
ZeusChicago
Nov 26 2005, 12:58 AM
Thanks! I did a trace afterword and saw it was not a sm/pl ip, but I just wanted to doublecheck icon_cool.gif

I have had a windows server here forevery, but this unix box I picked up is my first dive into the unix world, so I double-check and triplecheck everything before I make a move icon_redface.gif

Z
cprompt
Nov 26 2005, 02:27 AM
QUOTE (Zeus)
I double-check and triplecheck everything before I make a move  :oops:

Nothing to be ashamed of there, that's good advice!
ghideout
Dec 22 2005, 01:32 PM
I tend to use plesk for this. I block all untrusted ports, and if I'm somewhere other than home or work I log into plesk and allow the IP temporarily. Works for me.
hulkster
Dec 22 2005, 10:58 PM
Ditto previous post - run ssh on something other than port 22. You won't see near as many knocks on the door ... and you'll be able to get to your server from your friend's house.

Tastes great AND less filling! ;-)
Guspaz
Dec 31 2005, 12:15 AM
Use Hamachi, and then block all IPs except the 5.x.x.x space icon_wink.gif

The problem is that if the copy of Hamachi on your server fails for some reason, you're locked out.

An alternative is to only allow SSH/FTP/etc from 5.x.x.x and your main home IP(s). That way, you can log in abroad via Hamachi, or at home from your IP, but nobody else can try to connect.

Hamachi, BTW, is an encrypted peer-to-peer VPN solution that tunnels through most NAT and firewalls without modification. Because Hamachi ignores data from clients that are not in any of the same Hamachi networks (Password protected groups of Hamachi clients) as it is, only you decide who can send data to the server.

http://www.hamachi.cc

Pretty interesting stuff. I used it to play a game of Warhammer 40k: Dawn of War the other day, and it worked admirably.
X-Istence
Dec 31 2005, 12:58 AM
CODE
#!/usr/bin/perl -w

#

# Author: Bert JW Regeer

# Created: Nov 27, 2005

# Version: 0.1

# Descrip: Uses pf or any other program to add an IP address to a blocked

#          list that is not allowed to access neither ftp or ssh, two things

#          that could be used to gain unauthorized access to the system by

#          guessing usernames. SSHD is more vulnerable, so we monitor that

#          first.



#   Copyright (c) 2004, Geoffrey Garside

#   Copyright (c) 2005, Bert JW Regeer

#   All rights reserved.

#

#   Redistribution and use in source and binary forms, with or

#   without modification, are permitted provided that the following

#   conditions are met:

#

#     o Redistributions of source code must retain the above

#       copyright notice, this list of conditions and the following

#       disclaimer.

#     o Redistributions in binary form must reproduce the above

#       copyright notice, this list of conditions and the following

#       disclaimer in the documentation and/or other materials

#       provided with the distribution.

#     o Neither the name of the Geoffrey Garside nor the names of its

#       contributors may be used to endorse or promote products

#       derived from this software without specific prior written

#       permission.

#

#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS

#   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

#   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,

#   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,

#   BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

#   LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

#   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

#   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN

#   ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

#   POSSIBILITY OF SUCH DAMAGE.



# First version came as audit_auth written by Geoffrey Garside from http://geffy.co.uk/

# it was modified to automatically block IP's by Bert JW Regeer



use strict;

package auditban;

# Start the program

&run();     # run, go, process



# Hashes to store the kind of error

# If the username is wrong, you get 3 chances to try before being blocked

# If password being used is wrong for a user you get 10 chances before being blocked



my (@user, @invalid);



sub run {



       while (<>) {

               # fancy a quick munch

               chomp;

 

               # only search for sshd entries

               if (/sshd/) {

                       my $username;

                       my $ip;

                       if (/Failed/) {

                               # Get IP address they were coming from, as well as the username that failed

                               if (/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/) {

                                       $ip = $&;

                               }

                               if (/invalid user/) {

                                       next;

                               }

                               if (/Failed .*? for ([a-zA-Z0-9_-]*)/) {

                                       $username = $1;

                               }

                               &addentry($ip, $username, "failed");

                               next;

                       }

                       

                       if (/Invalid/) {

                               # Get IP address they were coming from, as well as the username that is invalid

                               if (/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/) {

                                       $ip = $&;

                               }

                               if (/Invalid user ([a-zA-Z0-9_-]*)/) {

                                       $username = $1;

                               }

                               &addentry($ip, $username, "invalid");

                               next;

                       }



                       if (/Accepted/) {

                               if (/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/) {

                                       $ip = $&;

                               }

                               if (/Accepted .*? for ([a-zA-Z0-9_-]*)/) {

                                       $username = $1;

                               }

                               &removeentry($ip, $username);

                               next;

                       }

                }

       }

}



sub addentry {

       our %user;

       our %invalid;

       my ($ip, $username, $type) = @_;



       if ($type eq "failed") {

               # Fine, the user failed his or her password, they get a total of 10 tries before they are blocked. Basically an infinite times if from different IP's.

               if (exists $user{$ip}) {

                       $user{$ip} += 1;

               }

               else {

                       $user{$ip} = 1;

               }

               print STDERR << "EOF";

$username from $ip has $user{$ip} invalid logins out of 10

EOF

               if ($user{$ip} == 10) {

                       &banip($ip);

               }

       }

       if ($type eq "invalid") {

               # This person has three tries to get a correct username otherwise they are blocked

               if (exists $invalid{$ip}) {

                       $invalid{$ip} += 1;

               }

               else {

                       $invalid{$ip} = 1;

               }

               print STDERR << "EOF";

Idiot from $ip has tried $username and has $invalid{$ip} bad logins out of 3

EOF

               if ($invalid{$ip} == 3) {

                       &banip($ip);

               }

       }

}



sub removeentry {

       our %user;

       my ($ip, $username) = @_;



       if (exists $user{$ip}) {

               $user{$ip} -= 1;

       }

       else {

               $user{$ip} = 0;

       }

       print STDERR << "EOF";

$username from $ip has $user{$ip} invalid logins. Just logged in successfully!

EOF

}



sub banip {

       my ($ip) = @_;

       my $bancommand = "/sbin/pfctl -T add -t accountout $ip 2>&1 |";

       open(BAN, $bancommand);

       while (<BAN>) {

               if (/1/1 addresses added./) {

                       print STDERR << "EOF";

We banned someone at $ip.

EOF

               }

       }

       close(BAN);

}


edit the $bancommand at the bottom to use the correct tool to add a ban to the firewall list.

Works extremely well for me. Blocks IP's that have the following:

One user acccount, 10 wrong passwords
3 invalid usernames from 1 account

If an IP has 5 wrong passwords for an account, and then a valid login, 1 gets removed, making it 4 wrong passwords.

Run it like this:

tail -F /var/log/auth.log | perl auditban

The logs it spits out are like the following:

CODE
@4000000043b372502ae84a84 booyah from 203.114.179.122 has 0 invalid logins. Just logged in successfully!

@4000000043b3784824e2600c booyah from 203.114.179.122 has -1 invalid logins. Just logged in successfully!

@4000000043b578a416be8474 sexy from 86.128.185.69 has 0 invalid logins. Just logged in successfully!

@4000000043b5f7db07196bc4 Idiot from 66.165.237.192 has tried admin and has 1 bad logins out of 3

@4000000043b5f7db109a9e34 Idiot from 66.165.237.192 has tried admin and has 2 bad logins out of 3

@4000000043b5f7db3345445c Idiot from 66.165.237.192 has tried vhbackup and has 3 bad logins out of 3

@4000000043b5f7db34369d84 We banned someone at 66.165.237.192.

@4000000043b5f7dc02c2e6cc Idiot from 66.165.237.192 has tried vhbackup and has 4 bad logins out of 3

@4000000043b5fa5e02551584 root from 210.180.187.145 has 1 invalid logins out of 10

@4000000043b5fa5e04f4b31c root from 210.180.187.145 has 2 invalid logins out of 10

@4000000043b5fa5e1c8552ac root from 210.180.187.145 has 3 invalid logins out of 10

@4000000043b5fa5e1f347cbc root from 210.180.187.145 has 4 invalid logins out of 10

@4000000043b5fa5f020b6e0c root from 210.180.187.145 has 5 invalid logins out of 10

@4000000043b5fa5f07d0733c root from 210.180.187.145 has 6 invalid logins out of 10

@4000000043b5fa5f09740d34 root from 210.180.187.145 has 7 invalid logins out of 10

@4000000043b5fa5f1cdaecbc root from 210.180.187.145 has 8 invalid logins out of 10

@4000000043b5fa5f1d9904cc root from 210.180.187.145 has 9 invalid logins out of 10

@4000000043b5fa5f23102c64 root from 210.180.187.145 has 10 invalid logins out of 10

@4000000043b5fa5f237a448c We banned someone at 210.180.187.145.


Timestamp is from running it through multilog and keeping an eye on it with DJB's supervise.

list of IP's blocked so far:

CODE
  61.183.248.130

  61.219.45.226

  62.70.14.73

  64.65.102.249

  66.84.88.174

  66.165.237.192

  82.226.217.40

  84.244.11.183

  141.153.179.45

  201.25.30.131

  203.124.149.168

  210.180.187.145

  211.121.160.90

  216.127.68.64

  219.84.147.27

  219.130.221.33
KTFCC
Jan 5 2006, 05:48 PM
thanks for the tip copy paste do soon. Not that i have much of a problem with brute force attacks i run ssh on another port.(HIGHLY RECOMENDED to avoid anoyance.)


Good Security script can help you do that


OR
Change the SSH port

works like a wonder.
X-Istence
Jan 6 2006, 05:42 AM
Just a note, might have to replace the if (/Invalid/) with if (/Illegal/), and a few lines below that as well from invalid to illegal, depending on the versions of OpenSSH used, on my BSD system they recently changed from Illegal to Invalid.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.