# Who is trying to break in?



## balanga (Dec 21, 2016)

Is there any way of creating a simple list of IP addresses attempting to break in via SSH?

I guess all the info is stored in /var/log/auth.log.... so does anyone have a ready made `sed` script or somesuch to extract IP addresses?


----------



## sizigee (Dec 21, 2016)

One can always use fail2ban to block them. If you want something to block them as well


----------



## PacketMan (Dec 21, 2016)

I am afraid to ask.  Why might I see this in my logs, considering this is a server and not a desktop?


```
sshd[19066]: Bad protocol version identification 'GET http://www.baidu.com/cache/global/img/gs.gif HTTP/1.1' from 94.102.49.174 port 48239
sshd[19919]: Bad protocol version identification 'GET http://www.baidu.com/cache/global/img/gs.gif HTTP/1.1' from 93.174.93.136 port 56589
```


----------



## sko (Dec 21, 2016)

That's just standard random noise on the net I'd say - extensively logging everything that comes in (and/or gets rejected/blocked) on ports like ssh is mostly a huge waste of logfile-sanity. If you'd log any connection attempt on SMB/NETBIOS ports, logs grow into the multiple-MB ranges within a few minutes and 95% of this traffic is just stupid Windows machines directly connected to the internet or behind misconfigured plastic-routers... Keep your logfiles as clean as possible of random noise, so in case there is _really_ something fishy going on, you can detect and analyze it properly.

To get rid of most noise on ports that are actually used/needed (ssh) I use the really nice 'overload' rules for PF to block the standard bruteforce- or scriptkiddy-'attacks' that come in every day. 
On mailservers I also use spamd and put spammers on a tiny bandwidth queue with only a few bytes/sec, so they stick around very long until the connection ends or is forcefully dropped. It seems more and more spam networks use some kind of tarpit detection and avoid wasting open connections to very slow hosts, so they won't come back.


----------



## SirDice (Dec 21, 2016)

It's one of the many bots on the internet that are scanning for vulnerable machines. Apparently this one thinks people are running web servers on port 22 and it's trying to see if it's an open proxy.

As for the original question, use something like security/sshguard or security/py-fail2ban to automatically block incoming connections after a few failed attempts.


----------



## PacketMan (Dec 21, 2016)

Thanks guys.  I have my /etc/ssh/sshd_config slightly modified; to consider valid login only from a select few addresses, but that's about it.



SirDice said:


> .....use something like security/sshguard or security/py-fail2ban to automatically block incoming connections after a few failed attempts.



I really need to take off my 'big router' guy hat, think with a server guy mindset (hat included), grab a few cold beer, and really go through the ports tree and see what's available for me to use and enjoy.

Thanks again guys.


----------



## balanga (Dec 22, 2016)

PacketMan said:


> Thanks guys.  I have my /etc/ssh/sshd_config slightly modified; to consider valid login only from a select few addresses, but that's about it.
> 
> 
> 
> ...




I may well disable `sshd` since I've just found I can access my server using vSphere Client.


----------



## balanga (Dec 22, 2016)

SirDice said:


> It's one of the many bots on the internet that are scanning for vulnerable machines. Apparently this one thinks people are running web servers on port 22 and it's trying to see if it's an open proxy.
> 
> As for the original question, use something like security/sshguard or security/py-fail2ban to automatically block incoming connections after a few failed attempts.



Actually I was just trying to find a way of isolating the IP addresses from the logfile to see who was trying to break in. I guess a `sed` script would be most straightforward assuming I can figure out a regular expression for IP addresses....

Hopefully this will help http://stackoverflow.com/questions/14928573/sed-how-to-extract-ip-address-using-sed


----------



## SirDice (Dec 22, 2016)

balanga said:


> Actually I was just trying to find a way of isolating the IP addresses from the logfile to see who was trying to break in.


Please note that most of these "attacks" come from infected servers. Their owners have no clue their server is running malware.


----------



## balanga (Dec 22, 2016)

I thought it was Vladimir Putin


----------



## lostpacket (Feb 26, 2017)

Change the default port from 22 to something else, i.e. 4522, which will evade a lot of scripts. Install fail2ban to catch the others, change the default settings on fail2ban from 10 minute ban or whatever to 30 days, even more. Modify sshd to disable password logins, use key to login. Will cut down on a lot of "unwanted" visitors.


----------



## linux->bsd (Feb 26, 2017)

balanga said:


> Is there any way of creating a simple list of IP addresses attempting to break in via SSH? .... So does anyone have a ready made `sed` script or somesuch to extract IP addresses?



We use a variant of this at work quite often:
`</var/log/auth.log grep -oE '([[:digit:]]+\.){3}[[:digit:]]+' | sort -rn | uniq | while read ipaddr; do fetch --quiet -o - http://ipinfo.io/${ipaddr}/json; done`

Of course, on your home PC you're probably going to get a lot of local IP addresses, but http://ipinfo.io/ handles that pretty seamlessly anyway.


```
[root@freebsd_pc ~]# < /var/log/auth.log grep -oE '([[:digit:]]+\.){3}[[:digit:]]+' | sort -rn | uniq | while read ipaddr; do fetch --quiet -o - http://ipinfo.io/${ipaddr}/json; done
{
  "ip": "192.168.15.223",
  "bogon": true
}{
  "ip": "0.0.0.0",
  "bogon": true
}[root@freebsd_pc ~]# fetch --quiet -o - http://ipinfo.io/8.8.8.8/json
{
  "ip": "8.8.8.8",
  "hostname": "google-public-dns-a.google.com",
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "loc": "37.3860,-122.0838",
  "org": "AS15169 Google Inc.",
  "postal": "94035"
}
```
BTW, that www.baidu.com entry in PacketMan's post is China's equivalent to Mountain View's Google. That searchbot and a few others index the World Wide Web so your search results don't return NULL results.

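The one-liner above pulls every dotted quad out of auth.log, including the IPs of successful logins and of your own LAN. The script below is an added example (not code from the thread or from any of the ports mentioned) that answers balanga's original question more narrowly: it keeps only sshd lines that record a failed or malformed attempt, takes the address after `from ` so port numbers are never mistaken for octets, and counts attempts per source. The log lines are constructed samples in the FreeBSD auth.log format; pipe the real file into `failed_ips` instead.

```shell
#!/bin/sh
# Added example: per-source counts of failed SSH attempts from sshd log lines.
# Usage on a real system:  failed_ips < /var/log/auth.log

# Constructed sample of /var/log/auth.log (not a real capture).
sample_log() {
cat <<'EOF'
Dec 21 10:01:02 host sshd[1201]: Invalid user admin from 203.0.113.5
Dec 21 10:01:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec 21 10:02:11 host sshd[1210]: Failed password for root from 198.51.100.23 port 51022 ssh2
Dec 21 10:02:13 host sshd[1210]: Failed password for root from 198.51.100.23 port 51022 ssh2
Dec 21 10:02:15 host sshd[1210]: Failed password for root from 198.51.100.23 port 51022 ssh2
Dec 21 10:03:00 host sshd[1215]: Accepted publickey for bob from 192.168.15.223 port 55000 ssh2
Dec 21 10:04:30 host sshd[1220]: Bad protocol version identification 'GET http://www.example.com/ HTTP/1.1' from 203.0.113.5 port 48239
Dec 21 10:05:00 host sshd[1230]: Did not receive identification string from 198.51.100.23
EOF
}

# Reads log lines on stdin, prints "count ip", most frequent source first.
# Only sshd lines describing a failure or a non-SSH probe are kept, so an
# "Accepted publickey" line (a legitimate login) never shows up.
failed_ips() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user|Bad protocol version|Did not receive identification)' \
    | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk '{print $2}' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Runs the extraction over the constructed sample.
sample_report() {
    sample_log | failed_ips
}

sample_report
```

The second column of the output is already in the shape a PF table expects, so the same pipeline can feed `pfctl -t <table> -T add` if you prefer a manual block list to sshguard or fail2ban; the address list from ipinfo.io in the post above will then only contain hosts that actually failed to authenticate.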

----------



## Deleted member 9563 (Feb 26, 2017)

If you're not getting a solid wall of this stuff, it's time to check if the server is plugged in. My take is to make PermitRootLogin no, limit attempts to 3, install fail2ban. Then move on to the next project.


----------



## Phishfry (Feb 26, 2017)

security/denyhosts has the ability to email a report.

/etc/denyhosts.conf

```
#######################################################################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
# reports (see ADMIN_EMAIL) then these settings specify the
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
#
#
SMTP_HOST = localhost
SMTP_PORT = 25
```


----------



## Phishfry (Feb 26, 2017)

Some more features of security/denyhosts

```
#######################################################################
#
# On FreeBSD/OpenBSD/TrueOS/PC-BSD/NetBSD/OS X we may want to block incoming
# traffic using the PF firewall instead of the hosts.deny file
# (aka tcp_wrapper).
# The admin can set up a PF table that is persistent
# and DenyHost can add new addresses to be blocked to that table.
# The TrueOS operating system enables this by default, blocking
# all addresses in the "blacklist" table.
#
# To have DenyHost update the blocking PF table in real time, uncomment
# these next two options. Make sure the table name specified
# is one created in the pf.conf file of your operating system.
# The PFCTL_PATH variable must point to the pfctl executable on your OS.
```


----------



## leebrown66 (Feb 26, 2017)

I have read that changing your SSHD configuration to allow only trusted keys (i.e. no password) gets these bots off your case.

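Several posts in this thread recommend the same sshd_config changes (PermitRootLogin no, key-only login, MaxAuthTries 3, a non-default port, and PacketMan's restriction to a few addresses). The script below is an added example, not from the thread or from OpenSSH, that audits a config file for those directives. It respects two sshd parsing rules that a plain `grep` misses: the first occurrence of a directive wins, and anything after a `Match` line applies only to matching connections, so it is not the global setting. The two sample configs are constructed; run `audit_sshd_config /etc/ssh/sshd_config` against the real file. The OpenSSH defaults quoted in the messages (PermitRootLogin prohibit-password, PasswordAuthentication yes, MaxAuthTries 6) are those of current OpenSSH releases.

```shell
#!/bin/sh
# Added example: audit sshd_config for the hardening settings discussed above.
# Usage:  audit_sshd_config /etc/ssh/sshd_config

# Effective global value of a directive. sshd keywords are case-insensitive,
# the first occurrence wins, and directives after "Match" are conditional,
# so parsing stops there. Prints nothing when the directive is absent.
sshd_value() {   # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !found { print $2; found = 1 }
    ' "$1"
}

# One line per finding; prints nothing when every check passes.
audit_sshd_config() {
    cfg="$1"
    v="$(sshd_value "$cfg" PermitRootLogin)"
    case "$v" in
        no|prohibit-password|without-password) ;;
        "") echo "PermitRootLogin not set (OpenSSH default is prohibit-password); set it explicitly" ;;
        *)  echo "PermitRootLogin is '$v'; set it to no" ;;
    esac
    v="$(sshd_value "$cfg" PasswordAuthentication)"
    case "$v" in
        no) ;;
        *)  echo "PasswordAuthentication is '${v:-unset (default yes)}'; use keys and set it to no" ;;
    esac
    v="$(sshd_value "$cfg" MaxAuthTries)"
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "MaxAuthTries is '${v:-unset (default 6)}'; consider 3"
    fi
    v="$(sshd_value "$cfg" Port)"
    [ "${v:-22}" = "22" ] && echo "Port is 22 (default); moving it only reduces scanner noise"
    return 0
}

# Writes a constructed sample config to a temp file and prints its path.
sample_config() {   # $1 = weak | hardened
    f="$(mktemp)"
    case "$1" in
        weak) cat >"$f" <<'EOF'
# constructed sample: a stock-looking config with the settings the thread warns about
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
EOF
        ;;
        hardened) cat >"$f" <<'EOF'
# constructed sample: the settings recommended in the posts above
Port 4522
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AllowUsers bob@192.168.15.0/24
Match User backup
    PasswordAuthentication yes
EOF
        ;;
    esac
    printf '%s\n' "$f"
}

# Audits both samples and cleans up the temp files.
demo() {
    for kind in weak hardened; do
        f="$(sample_config "$kind")"
        echo "== $kind sample =="
        audit_sshd_config "$f"
        rm -f "$f"
    done
}

demo
```

The hardened sample deliberately ends with a `Match User backup` block that re-enables passwords for one account; the audit still reports a clean global configuration because that block only applies to that user, which is exactly how sshd reads it.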

----------

