Server attack, how to fix it

ubuntu

Looks like the server is attacked. Contents of /var/log/auth.log are as follows. Its trying to ssh with all these username, how can I shut it off. The server is Ubuntu.

    Feb 22 16:29:15 server sshd[23413]: Failed password for invalid user mirror from 220.132.192.220 port 43881 ssh2
Feb 22 16:29:15 server sshd[23414]: Failed password for invalid user justice from 220.132.192.220 port 43882 ssh2
Feb 22 16:29:15 server sshd[23416]: Failed password for invalid user london from 220.132.192.220 port 43885 ssh2
Feb 22 16:29:15 server sshd[23415]: Failed password for invalid user justice from 220.132.192.220 port 43884 ssh2
Feb 22 16:29:17 server sshd[23421]: Invalid user oxford from 203.66.115.43
Feb 22 16:29:17 server sshd[23421]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:17 server sshd[23421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.66.115.43 
Feb 22 16:29:17 server sshd[23422]: Invalid user london from 203.66.115.43
Feb 22 16:29:17 server sshd[23422]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:17 server sshd[23422]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.66.115.43 
Feb 22 16:29:17 server sshd[23424]: Invalid user london from 203.66.115.43
Feb 22 16:29:17 server sshd[23424]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:17 server sshd[23424]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.66.115.43 
Feb 22 16:29:17 server sshd[23423]: Invalid user mirror from 203.66.115.43
Feb 22 16:29:17 server sshd[23423]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:17 server sshd[23423]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.66.115.43 
Feb 22 16:29:19 server sshd[23421]: Failed password for invalid user oxford from 203.66.115.43 port 43959 ssh2
Feb 22 16:29:19 server sshd[23422]: Failed password for invalid user london from 203.66.115.43 port 43962 ssh2
Feb 22 16:29:19 server sshd[23424]: Failed password for invalid user london from 203.66.115.43 port 43967 ssh2
Feb 22 16:29:19 server sshd[23423]: Failed password for invalid user mirror from 203.66.115.43 port 43964 ssh2
Feb 22 16:29:20 server sshd[23429]: Invalid user pacific from 220.132.192.220
Feb 22 16:29:20 server sshd[23429]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:21 server sshd[23429]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.220 
Feb 22 16:29:21 server sshd[23430]: Invalid user mirror from 220.132.192.220
Feb 22 16:29:21 server sshd[23430]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:21 server sshd[23430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.220 
Feb 22 16:29:21 server sshd[23432]: Invalid user oxford from 220.132.192.220
Feb 22 16:29:21 server sshd[23431]: Invalid user mirror from 220.132.192.220
Feb 22 16:29:21 server sshd[23432]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:21 server sshd[23432]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.220 
Feb 22 16:29:21 server sshd[23431]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:21 server sshd[23431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.220 
Feb 22 16:29:22 server sshd[23429]: Failed password for invalid user pacific from 220.132.192.220 port 44073 ssh2
Feb 22 16:29:22 server sshd[23430]: Failed password for invalid user mirror from 220.132.192.220 port 44078 ssh2
Feb 22 16:29:23 server sshd[23432]: Failed password for invalid user oxford from 220.132.192.220 port 44082 ssh2
Feb 22 16:29:23 server sshd[23431]: Failed password for invalid user mirror from 220.132.192.220 port 44079 ssh2
Feb 22 16:29:24 server sshd[23437]: Invalid user pizza from 202.39.75.16
Feb 22 16:29:24 server sshd[23437]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:24 server sshd[23437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.39.75.16 
Feb 22 16:29:24 server sshd[23438]: Invalid user oxford from 202.39.75.16
Feb 22 16:29:24 server sshd[23438]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:24 server sshd[23438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.39.75.16 
Feb 22 16:29:24 server sshd[23441]: Invalid user oxford from 202.39.75.16
Feb 22 16:29:24 server sshd[23441]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:24 server sshd[23441]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.39.75.16 
Feb 22 16:29:24 server sshd[23440]: Invalid user pacific from 202.39.75.16
Feb 22 16:29:24 server sshd[23440]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:24 server sshd[23440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.39.75.16 
Feb 22 16:29:26 server sshd[23437]: Failed password for invalid user pizza from 202.39.75.16 port 44173 ssh2
Feb 22 16:29:27 server sshd[23438]: Failed password for invalid user oxford from 202.39.75.16 port 44184 ssh2
Feb 22 16:29:27 server sshd[23441]: Failed password for invalid user oxford from 202.39.75.16 port 44186 ssh2
Feb 22 16:29:27 server sshd[23440]: Failed password for invalid user pacific from 202.39.75.16 port 44185 ssh2
Feb 22 16:29:28 server sshd[23445]: Invalid user quality from 220.132.192.198
Feb 22 16:29:28 server sshd[23445]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:28 server sshd[23445]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.198 
Feb 22 16:29:29 server sshd[23446]: Invalid user pacific from 220.132.192.198
Feb 22 16:29:29 server sshd[23446]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:29 server sshd[23446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.198 
Feb 22 16:29:29 server sshd[23448]: Invalid user pacific from 220.132.192.198
Feb 22 16:29:29 server sshd[23448]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 16:29:29 server sshd[23448]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.132.192.198 
Feb 22 16:29:29 server sshd[23450]: Invalid user pizza from 220.132.192.198
Feb 22 16:29:29 server sshd[23450]: pam_unix(sshd:auth): check pass; user unknown

Been brought up a few times I believe:

Securing SSH on Linux Ubuntu

Hundreds of failed ssh logins

BTW these attempts are VERY common, usually automated scripts.


Install denyhosts.

apt-get install denyhosts

Deny hosts is a daemon that watches your servers logs, generally /var/log/secure, for suspicious access patterns and if found, adds the IP addresses of curious visitors to /etc/hosts.deny causing sshd to block them outright.

It also has a mode that allows it to exchange the local block list with lists from other machines, in a way, crowdsourcing known bad IP addresses. Similar to the way RBL lists work for SMTP.

I would also recommend you disable keyboard-interactive authentication on your ssh daemon to prevent someone accidentally creating a test user account, with an easy to guess password.

Related

ThreadLocal & Memory Leak
How to get netbios name from network computer? (Linux)
Should a sysadmin contractor charge overtime for off-peak hours? [closed]
Problem with slow hard disk
Ubuntu syslog does not show previous days's logs
RtKit on my ubuntu?
JBOD: any system that can do RAID-0 can do JBOD?
How to connect to a IPsec VPN with Preshared key and Xauth from Linux?
How would I build an LDAP query for AD that returns all users in a particular security group whose accounts are not disabled?
What creative sysadmin resumes have you seen / made? [closed]
Mac OS Snow Leopard: Why does my mysql.default_socket value not change in my phpinfo() page?
Unable to start MongoDB on Ubuntu 10.10