Thread: /var/log/auth.log -->ssh being attacked

  1. #1
    Senior Member
    Join Date
    Jan 2011
    over the under

    /var/log/auth.log -->ssh being attacked

    I know this is not directly backtrack related but I figured since it's security related you guys may find it interesting so, mods feel free to remove this if you wish.

    I want to begin by saying I'm just a home user, I don't work for any large corporation or anything like that so to me this came as *somewhat* of a surprise.

    I normally have port 22 forwarded with ssh running on it. This morning I decided to mess with my network and try to attack it remotely; apparently I wasn't the only one.

    I don't know what made me do it, but I decided to do a quick

    cat /var/log/auth.log
    and I quickly noticed 3 other unknown IP addresses had also tried to attack my ssh service just within the last couple of days. One of the IP addresses had just been attacking minutes before I had looked at the log. The others were yesterday, before I had tried attacking myself.

    After a quick panic followed by me ripping cords out of the wall... lol, I regained my composure and shut down my ssh service, and closed down my forwarded ports. I made a record of the attacks from the auth.log, nmap scans of the attacking addresses, and a reverse IP lookup of the attacking addresses.

    An interesting note: one of the reverse lookups came back listed on a real-time blocking list by SORBS (Spam and Open Relay Blocking System).

    I'm sure the attacker(s) was/were probably behind a proxy, but two addresses were traced to China; the other was inside the U.S.

    As I said, I don't work for a corporation or anything like that, so I don't see any reason for me to be targeted... The only thing I can think of is maybe someone just used a service like Shodan or a similar search engine and targeted me just because of the fact I had the service running and they thought they may be able to exploit it.

    EDIT: I just thought about another reason for possibly being targeted. A popular search on Shodan is webcam... I personally have a security camera set up on my network that would possibly put me under those search results, and bring attention to my IP address.

    Two attackers were trying all kinds of random usernames/passwords and the other was only attacking the root account.

    From what I can see in the logs, no one was able to gain access.

    If you're running services like this on your system, check your logs more often; you might be surprised!

    I personally just play with backtrack as a means of educating myself to further secure my home network, but I know a lot of you guys are actually security professionals and system admins for large corporations. What do you guys do in these situations? What are your methods for intrusion detection, and how should I go about locking down my system?

    Also, is there anywhere else I should look to make sure no one has gained access, and where would you go from here?

    Any questions, comments, or advice are welcome and appreciated.
    Last edited by 2901119; 04-24-2011 at 12:33 AM.

  2. #2
    Member ColForbin's Avatar
    Join Date
    Jan 2010

    Re: /var/log/auth.log -->ssh being attacked

    Just out of curiosity, are you running your ssh server with password authentication? If so you may want to look into using authentication keys instead.
    "Whatever happened to playing a hunch, Scully? The element of surprise, random acts of unpredictability? If we fail to anticipate the unforeseen or expect the unexpected in a universe of infinite possibilities, we may find ourselves at the mercy of anyone or anything that cannot be programmed, categorized or easily referenced."

  3. #3
    Senior Member
    Join Date
    Jan 2011
    over the under

    Re: /var/log/auth.log -->ssh being attacked

    Thanks for the reply! Yes, my ssh server uses a password; I'll definitely look into auth keys.
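
A log-review sketch for the kind of auth.log entries described in the first post, added here as an example and not part of the thread: it counts failed sshd logins per source IP, separates root-only guessing from attempts across many usernames, and flags any successful login that followed failures from the same address. The log lines are constructed in the common OpenSSH syslog format; the function name `summarize` and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog format (not taken from the post).
SAMPLE_LOG = """\
Apr 23 09:14:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 23 09:14:05 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 23 09:14:09 host sshd[2104]: Failed password for root from 203.0.113.7 port 40310 ssh2
Apr 23 11:40:31 host sshd[2250]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Apr 23 11:40:34 host sshd[2252]: Failed password for invalid user oracle from 198.51.100.23 port 51560 ssh2
Apr 23 11:40:38 host sshd[2254]: Failed password for invalid user test from 198.51.100.23 port 51602 ssh2
Apr 23 12:02:10 host sshd[2300]: Failed password for alice from 192.0.2.50 port 60000 ssh2
Apr 23 12:02:18 host sshd[2300]: Accepted password for alice from 192.0.2.50 port 60000 ssh2
"""

# Matches sshd authentication result lines; "invalid user" marks a nonexistent account.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=3):
    """Per source IP: failure count, usernames tried, pattern, success after failures."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failure": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd authentication result line
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"]:
            entry["success_after_failure"] = True  # a login worth a closer look
    report = {}
    for ip, e in stats.items():
        if e["failures"] < threshold:
            pattern = "below threshold"
        elif e["users"] == {"root"}:
            pattern = "root-only guessing"
        else:
            pattern = "username spray"
        report[ip] = {**e, "users": sorted(e["users"]), "pattern": pattern}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

To run it against a real log, pass the file's contents to `summarize`; entries with `success_after_failure` set are the ones to check first when confirming nobody got in.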
