Server attack, how to fix it
Looks like the server is being attacked. The contents of /var/log/auth.log are as follows. It's trying to ssh with all these usernames; how can I shut it off? The server is Ubuntu.
Feb 22 16:29:15 server sshd[23413]: Failed password for invalid user mirror from 220.132.192.220 port 43881 ssh2
Feb 22 16:29:15 server sshd[23414]: Failed password for invalid user justice from 220.132.192.220 port 43882 ssh2
Feb 22 16:29:15 server sshd[23416]: Failed password for invalid user london from 220.132.192.220 port 43885 ssh2
Feb 22 16:29:15 server sshd[23415]: Failed password for invalid user justice from 220.132.192.220 port 43884 ssh2
Feb 22 16:29:17 server sshd[23421]: Invalid user oxford from 203.66.115.43
Feb 22 16:29:17 server sshd[23421]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:17 server sshd[23421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.66.115.43
Feb 22 16:29:17 server sshd[23422]: Invalid user london from 203.66.115.43
Feb 22 16:29:17 server sshd[23422]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:17 server sshd[23422]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.66.115.43
Feb 22 16:29:17 server sshd[23424]: Invalid user london from 203.66.115.43
Feb 22 16:29:17 server sshd[23424]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:17 server sshd[23424]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.66.115.43
Feb 22 16:29:17 server sshd[23423]: Invalid user mirror from 203.66.115.43
Feb 22 16:29:17 server sshd[23423]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:17 server sshd[23423]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.66.115.43
Feb 22 16:29:19 server sshd[23421]: Failed password for invalid user oxford from 203.66.115.43 port 43959 ssh2
Feb 22 16:29:19 server sshd[23422]: Failed password for invalid user london from 203.66.115.43 port 43962 ssh2
Feb 22 16:29:19 server sshd[23424]: Failed password for invalid user london from 203.66.115.43 port 43967 ssh2
Feb 22 16:29:19 server sshd[23423]: Failed password for invalid user mirror from 203.66.115.43 port 43964 ssh2
Feb 22 16:29:20 server sshd[23429]: Invalid user pacific from 220.132.192.220
Feb 22 16:29:20 server sshd[23429]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:21 server sshd[23429]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.220
Feb 22 16:29:21 server sshd[23430]: Invalid user mirror from 220.132.192.220
Feb 22 16:29:21 server sshd[23430]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:21 server sshd[23430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.220
Feb 22 16:29:21 server sshd[23432]: Invalid user oxford from 220.132.192.220
Feb 22 16:29:21 server sshd[23431]: Invalid user mirror from 220.132.192.220
Feb 22 16:29:21 server sshd[23432]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:21 server sshd[23432]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.220
Feb 22 16:29:21 server sshd[23431]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:21 server sshd[23431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.220
Feb 22 16:29:22 server sshd[23429]: Failed password for invalid user pacific from 220.132.192.220 port 44073 ssh2
Feb 22 16:29:22 server sshd[23430]: Failed password for invalid user mirror from 220.132.192.220 port 44078 ssh2
Feb 22 16:29:23 server sshd[23432]: Failed password for invalid user oxford from 220.132.192.220 port 44082 ssh2
Feb 22 16:29:23 server sshd[23431]: Failed password for invalid user mirror from 220.132.192.220 port 44079 ssh2
Feb 22 16:29:24 server sshd[23437]: Invalid user pizza from 202.39.75.16
Feb 22 16:29:24 server sshd[23437]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:24 server sshd[23437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.39.75.16
Feb 22 16:29:24 server sshd[23438]: Invalid user oxford from 202.39.75.16
Feb 22 16:29:24 server sshd[23438]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:24 server sshd[23438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.39.75.16
Feb 22 16:29:24 server sshd[23441]: Invalid user oxford from 202.39.75.16
Feb 22 16:29:24 server sshd[23441]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:24 server sshd[23441]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.39.75.16
Feb 22 16:29:24 server sshd[23440]: Invalid user pacific from 202.39.75.16
Feb 22 16:29:24 server sshd[23440]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:24 server sshd[23440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.39.75.16
Feb 22 16:29:26 server sshd[23437]: Failed password for invalid user pizza from 202.39.75.16 port 44173 ssh2
Feb 22 16:29:27 server sshd[23438]: Failed password for invalid user oxford from 202.39.75.16 port 44184 ssh2
Feb 22 16:29:27 server sshd[23441]: Failed password for invalid user oxford from 202.39.75.16 port 44186 ssh2
Feb 22 16:29:27 server sshd[23440]: Failed password for invalid user pacific from 202.39.75.16 port 44185 ssh2
Feb 22 16:29:28 server sshd[23445]: Invalid user quality from 220.132.192.198
Feb 22 16:29:28 server sshd[23445]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:28 server sshd[23445]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.198
Feb 22 16:29:29 server sshd[23446]: Invalid user pacific from 220.132.192.198
Feb 22 16:29:29 server sshd[23446]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:29 server sshd[23446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.198
Feb 22 16:29:29 server sshd[23448]: Invalid user pacific from 220.132.192.198
Feb 22 16:29:29 server sshd[23448]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:29 server sshd[23448]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.198
Feb 22 16:29:29 server sshd[23450]: Invalid user pizza from 220.132.192.198
Feb 22 16:29:29 server sshd[23450]: pam_unix(sshd:auth): check pass; user unknown
Been brought up a few times I believe:
Securing SSH on Linux Ubuntu
Hundreds of failed ssh logins
BTW these attempts are VERY common, usually automated scripts.
Install denyhosts.
apt-get install denyhosts
Deny hosts is a daemon that watches your server's logs, generally /var/log/secure, for suspicious access patterns and, if found, adds the IP addresses of curious visitors to /etc/hosts.deny, causing sshd to block them outright.
It also has a mode that allows it to exchange the local block list with lists from other machines, in a way, crowdsourcing known bad IP addresses. Similar to the way RBL lists work for SMTP.
I would also recommend you disable keyboard-interactive authentication on your ssh daemon, to prevent someone accidentally creating a test user account with an easy to guess password.
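To show the pattern denyhosts automates, here is an added example (not denyhosts' own code and not part of the answer above) that counts "Failed password" lines per source address in the same format as the question's auth.log and emits the /etc/hosts.deny entries an address would get once it crosses a threshold. The threshold, the function names and the sample lines are assumptions; the sample addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Matches the final "Failed password" line sshd writes for each attempt.
# The earlier "Invalid user ..." and pam_unix lines for the same attempt are
# deliberately not matched, so one guess is counted once, not three times.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def count_failures(lines):
    """Return {source_ip: number of failed password attempts}."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_deny_entries(counts, threshold=3):
    """Return hosts.deny lines ("sshd: IP") for addresses at/above threshold."""
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


# Constructed sample in the question's auth.log format (assumed data, not a
# real capture). 203.0.113.5 makes three bad guesses, 198.51.100.9 two, and
# 192.0.2.7 logs in successfully with a key and must not be counted.
SAMPLE_LOG = """\
Feb 22 16:29:15 server sshd[23413]: Failed password for invalid user mirror from 203.0.113.5 port 43881 ssh2
Feb 22 16:29:17 server sshd[23421]: Invalid user oxford from 203.0.113.5
Feb 22 16:29:17 server sshd[23421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Feb 22 16:29:19 server sshd[23421]: Failed password for invalid user oxford from 203.0.113.5 port 43959 ssh2
Feb 22 16:29:22 server sshd[23429]: Failed password for invalid user pacific from 203.0.113.5 port 44073 ssh2
Feb 22 16:29:26 server sshd[23437]: Failed password for invalid user pizza from 198.51.100.9 port 44173 ssh2
Feb 22 16:30:01 server sshd[23500]: Failed password for alice from 198.51.100.9 port 44200 ssh2
Feb 22 16:30:05 server sshd[23501]: Accepted publickey for alice from 192.0.2.7 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for entry in hosts_deny_entries(count_failures(SAMPLE_LOG)):
        print(entry)  # prints "sshd: 203.0.113.5"
```

Run it against a real file with `count_failures(open("/var/log/auth.log"))`; lowering the threshold makes the second address appear as well.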