
I'm running an Ubuntu 20.04 server, and when I look at the logs, I constantly see strings of entries like this:

Jan 14 23:04:51 dell-server sshd[578861]: Invalid user carlos from 14.232.160.213 port 32832
Jan 14 23:04:51 dell-server sshd[578861]: pam_unix(sshd:auth): check pass; user unknown
Jan 14 23:04:51 dell-server sshd[578861]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=14.232.160.213
Jan 14 23:04:52 dell-server sshd[578861]: Failed password for invalid user carlos from 14.232.160.213 port 32832 ssh2
Jan 14 23:04:54 dell-server sshd[578861]: Received disconnect from 14.232.160.213 port 32832:11: Bye Bye [preauth]
Jan 14 23:04:54 dell-server sshd[578861]: Disconnected from invalid user carlos 14.232.160.213 port 32832 [preauth]
Jan 14 23:05:09 dell-server sshd[579042]: Invalid user admin from 41.221.168.167 port 37492
Jan 14 23:05:09 dell-server sshd[579042]: pam_unix(sshd:auth): check pass; user unknown
Jan 14 23:05:09 dell-server sshd[579042]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.221.168.167
Jan 14 23:05:11 dell-server sshd[579042]: Failed password for invalid user admin from 41.221.168.167 port 37492 ssh2
Jan 14 23:05:11 dell-server sshd[579042]: Received disconnect from 41.221.168.167 port 37492:11: Bye Bye [preauth]
Jan 14 23:05:11 dell-server sshd[579042]: Disconnected from invalid user admin 41.221.168.167 port 37492 [preauth]

It's always for random usernames that don't even exist on my system. Is someone trying to brute force hack into my server via SSH?

Would anyone have suggestions on how to mitigate these attacks and automatically ban the IP addresses that are being used?

JmaJeremy

2 Answers


Yes, those are bad-guy attempts to hack your system. Those are not technically brute-force attempts, but they are not well wishes either.

Pro Tip: Never use password-based authentication on an internet-connected system. Use keys only. Since keys cannot be brute-forced during your lifetime, further action to ban the sources is generally unnecessary (unless the volume of attempts is affecting your server's performance for legitimate requests - that's a DOS attack!)

Observation: You are wise to audit your auth.log. Good job!

user535733
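The key-only setup this answer recommends, written out as an added example (not code from the answer or from Ubuntu's openssh-server package). It assumes Ubuntu 20.04's stock /etc/ssh/sshd_config, which includes /etc/ssh/sshd_config.d/*.conf, an assumed drop-in file name, and constructed samples of `sshd -T` output; the audit function reads that output and flags any effective setting that still lets a password login through.

```shell
#!/bin/sh
# Added example, not from the answer: the key-only policy as an sshd_config
# drop-in, plus a check of the *effective* configuration so you can verify it
# after a reload. On Ubuntu 20.04 the stock /etc/ssh/sshd_config includes
# /etc/ssh/sshd_config.d/*.conf; the drop-in file name below is assumed.

# Contents for /etc/ssh/sshd_config.d/50-keys-only.conf (assumed name).
keys_only_policy() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
EOF
}

# audit_sshd_effective  < "sshd -T output"
# `sshd -T` prints the effective settings as lowercase "key value" lines.
# Prints one line per violated rule; exit status 0 means the policy holds.
audit_sshd_effective() {
    awk '
        { cfg[$1] = $2 }
        END {
            bad = 0
            if (cfg["passwordauthentication"] != "no") {
                print "passwordauthentication should be no"; bad = 1
            }
            # OpenSSH up to 8.6 prints challengeresponseauthentication, newer
            # releases print kbdinteractiveauthentication; either one set to
            # yes lets PAM prompt for a password even with PasswordAuthentication no.
            if (cfg["challengeresponseauthentication"] == "yes" || cfg["kbdinteractiveauthentication"] == "yes") {
                print "keyboard-interactive (PAM password) auth should be no"; bad = 1
            }
            if (cfg["pubkeyauthentication"] != "yes") {
                print "pubkeyauthentication should be yes"; bad = 1
            }
            if (cfg["permitrootlogin"] == "yes") {
                print "permitrootlogin should not be yes"; bad = 1
            }
            exit bad
        }'
}

# Constructed sample of `sshd -T` output on an unhardened host (assumed values).
weak_effective_config() {
    cat <<'EOF'
port 22
passwordauthentication yes
challengeresponseauthentication no
pubkeyauthentication yes
permitrootlogin yes
EOF
}

# Constructed sample for the same host after the drop-in and a reload.
# sshd -T may print the older synonym without-password; the audit only rejects yes.
hardened_effective_config() {
    cat <<'EOF'
port 22
passwordauthentication no
challengeresponseauthentication no
pubkeyauthentication yes
permitrootlogin without-password
EOF
}

weak_effective_config | audit_sshd_effective || echo "weak host: policy violated"
hardened_effective_config | audit_sshd_effective && echo "hardened host: policy holds"
```

Install the drop-in, run `sudo sshd -t && sudo systemctl reload ssh`, then check the live result with `sudo sshd -T | audit_sshd_effective` (with the function sourced into your shell). Keep your current session open while doing this and confirm a key-based login works from a second session before closing it; a mistake here locks you out.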

Here is an article I found that might help https://www.techrepublic.com/article/how-to-block-ssh-attacks-on-linux-with-denyhosts/

Good Parts: Denyhosts is an open source, log-based intrusion prevention security program for servers, which allows you to whitelist servers you never want to be blocked and can even alert you, via email, of any possible intrusion detection.

Installation

The installation of denyhosts is quite simple. Log into your Ubuntu Server (or open a terminal window) and issue the following command:

sudo apt-get install denyhosts -y

That's all there is to the installation.

Configuration

The first thing to do is whitelist any machine you want to ensure is never blocked. This is crucial, so you don't wind up accidentally getting blocked on a valid desktop or server (Don't skip it). To whitelist a machine, issue the command:

sudo nano /etc/hosts.allow

At the bottom of that file, add any machine for the whitelisting, like so:

sshd: IP_ADDRESS

Where IP_ADDRESS is the address to be whitelisted.

Add as many addresses as you want, one per line. So, if you're whitelisting a number of hosts, those entries would look like:

sshd: 192.168.1.1
sshd: 192.168.1.10
sshd: 192.168.1.100

Save and close that file.

Now we configure denyhosts, from within the denyhosts.conf file. To do this, open the denyhosts config file with the command:

sudo nano /etc/denyhosts.conf

The first thing to configure (optionally) is the limits for login attempts. You'll find the following configuration options:

# Block each host after a number of failed login attempts
DENY_THRESHOLD_INVALID = 5

# Block each host after the number of failed attempts exceeds this value
DENY_THRESHOLD_VALID = 10

# Block each attempted failed root login after failed attempts exceed this value
DENY_THRESHOLD_ROOT = 1

# Block each host after the number of failed login attempts (for users found in WORK_DIR/restricted-usernames) exceeds this value
DENY_THRESHOLD_RESTRICTED = 1

Although I don't suggest changing those values, if you have a good reason, go ahead and edit them.

Next, you'll want to configure the email alert address. In the same configuration file, look for the line:

ADMIN_EMAIL =

Configure the email address you want to receive those alerts. By default, denyhosts uses the local SMTP delivery method (on port 25). If this doesn't work for you, you can configure the following options (in the denyhosts.conf file) to suit your needs:

SMTP_HOST =
SMTP_PORT =
SMTP_FROM =

Once you've configured the necessary outgoing email options, save and close the file.

Restart and enable the denyhosts service with the commands:

sudo systemctl restart denyhosts
sudo systemctl enable denyhosts

Watching the log file

Out of the box, denyhosts logs to /var/log/auth.log. You can watch that log, in real time, with the command:

tail -f /var/log/auth.log

DrWho32
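What a log-based banner such as DenyHosts does under the hood, as an added example in POSIX sh/awk that is not part of this answer or the TechRepublic article: count Failed password entries per source address in auth.log lines, skip sources whitelisted in the hosts.allow form the article uses (sshd: IP), and print hosts.deny-style sshd: IP lines for sources at or above a threshold. The log lines, the whitelist file and the threshold are constructed for the demo, and the script prints candidates rather than writing to /etc/hosts.deny.

```shell
#!/bin/sh
# Added example, not part of the answer or the TechRepublic article: the core
# of what DenyHosts does, as a small POSIX sh/awk script. It counts "Failed
# password" lines per source IP, skips sources listed in a hosts.allow-style
# file ("sshd: IP"), and prints hosts.deny-style "sshd: IP" lines for sources
# at or above a threshold. Nothing is written to /etc/hosts.deny.

# ban_candidates THRESHOLD ALLOW_FILE   (auth.log lines on stdin)
ban_candidates() {
    awk -v threshold="$1" -v allow_file="$2" '
        BEGIN {
            # Whitelist: every "sshd: ADDRESS" line in the hosts.allow-style file.
            while ((getline line < allow_file) > 0) {
                if (line ~ /^sshd:[ \t]*/) {
                    sub(/^sshd:[ \t]*/, "", line)
                    sub(/[ \t].*$/, "", line)
                    allow[line] = 1
                }
            }
            close(allow_file)
        }
        # Matches both "Failed password for invalid user X from IP ..." and
        # "Failed password for X from IP ..."; the source is the token after "from".
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { ip = $(i + 1); break }
            }
            if (ip != "" && !(ip in allow)) fails[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold) printf "sshd: %s\n", ip
        }
    ' | sort
}

# Constructed sample log: the two sources from the question plus a LAN host
# that is on the whitelist. Assumed data, not real traffic.
sample_log() {
    cat <<'EOF'
Jan 14 23:04:52 dell-server sshd[578861]: Failed password for invalid user carlos from 14.232.160.213 port 32832 ssh2
Jan 14 23:04:54 dell-server sshd[578861]: Disconnected from invalid user carlos 14.232.160.213 port 32832 [preauth]
Jan 14 23:05:11 dell-server sshd[579042]: Failed password for invalid user admin from 41.221.168.167 port 37492 ssh2
Jan 14 23:05:40 dell-server sshd[579101]: Failed password for invalid user test from 14.232.160.213 port 33010 ssh2
Jan 14 23:06:02 dell-server sshd[579144]: Failed password for root from 14.232.160.213 port 33190 ssh2
Jan 14 23:06:30 dell-server sshd[579188]: Failed password for invalid user oracle from 41.221.168.167 port 37600 ssh2
Jan 14 23:07:01 dell-server sshd[579230]: Failed password for jeremy from 192.168.1.10 port 50122 ssh2
Jan 14 23:07:05 dell-server sshd[579230]: Failed password for jeremy from 192.168.1.10 port 50122 ssh2
Jan 14 23:07:09 dell-server sshd[579230]: Failed password for jeremy from 192.168.1.10 port 50122 ssh2
Jan 14 23:07:13 dell-server sshd[579230]: Failed password for jeremy from 192.168.1.10 port 50122 ssh2
EOF
}

# Whitelist in the hosts.allow format the article uses (temporary file for the demo).
ALLOW_FILE=$(mktemp)
trap 'rm -f "$ALLOW_FILE"' EXIT
printf 'sshd: 192.168.1.10\n' > "$ALLOW_FILE"

# Threshold 3: only 14.232.160.213 (3 failures) qualifies; 41.221.168.167 has 2,
# and 192.168.1.10 is whitelisted despite 4 failures.
sample_log | ban_candidates 3 "$ALLOW_FILE"
```

With the function sourced into your shell, `sudo cat /var/log/auth.log | ban_candidates 5 /etc/hosts.allow` lists the sources that would have tripped DENY_THRESHOLD_INVALID. Before wiring the output into /etc/hosts.deny, check that your sshd honours TCP wrappers at all: `ldd /usr/sbin/sshd | grep libwrap` prints nothing when sshd is not linked against libwrap, and in that case hosts.deny is ignored by sshd and the ban has to be applied by the firewall instead.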