Bill MacKenty
Home Computing Teaching Bushcraft Games Writing About
Linux security
Why I love Linux:
I was doing some simple system administration yesterday, and realized someone (most likely a bot) was targeting my server.
1. more /var/log/auth.log revealed several lines that looked like this:
Failed password for invalid user user from 211.155.227.171
2. so I tried grep invalid /var/log/auth.log which revealed this:
Feb 1 20:57:06 grue sshd[5222]: Failed password for invalid user oracle from 211.155.227.171 port 39871 ssh2
Feb 1 20:57:10 grue sshd[5224]: Failed password for invalid user oracle from 211.155.227.171 port 40085 ssh2
Feb 1 20:57:14 grue sshd[5226]: Failed password for invalid user oracle from 211.155.227.171 port 40337 ssh2
Feb 1 20:57:18 grue sshd[5228]: Failed password for invalid user oracle from 211.155.227.171 port 40555 ssh2
Feb 1 20:57:26 grue sshd[5232]: Failed password for invalid user admin from 211.155.227.171 port 40958 ssh2
Feb 1 20:57:30 grue sshd[5234]: Failed password for invalid user admin from 211.155.227.171 port 41160 ssh2
Feb 1 20:57:34 grue sshd[5236]: Failed password for invalid user admin from 211.155.227.171 port 41357 ssh2
Feb 1 20:57:38 grue sshd[5238]: Failed password for invalid user admin from 211.155.227.171 port 41559 ssh2
Feb 1 20:57:41 grue sshd[5240]: Failed password for invalid user admin from 211.155.227.171 port 41749 ssh2
Feb 1 20:57:45 grue sshd[5242]: Failed password for invalid user admin from 211.155.227.171 port 41917 ssh2
Feb 1 20:57:49 grue sshd[5244]: Failed password for invalid user admin from 211.155.227.171 port 42119 ssh2
Feb 1 20:57:53 grue sshd[5246]: Failed password for invalid user admin from 211.155.227.171 port 42321 ssh2
Feb 1 20:57:57 grue sshd[5248]: Failed password for invalid user admin from 211.155.227.171 port 42511 ssh2
Feb 1 20:58:01 grue sshd[5250]: Failed password for invalid user test from 211.155.227.171 port 42721 ssh2
Feb 1 20:58:04 grue sshd[5252]: Failed password for invalid user test from 211.155.227.171 port 42924 ssh2
Feb 1 20:58:08 grue sshd[5254]: Failed password for invalid user test from 211.155.227.171 port 43093 ssh2
Feb 1 20:58:12 grue sshd[5256]: Failed password for invalid user test from 211.155.227.171 port 43291 ssh2
Feb 1 20:58:16 grue sshd[5258]: Failed password for invalid user test from 211.155.227.171 port 43489 ssh2
Feb 1 20:58:20 grue sshd[5260]: Failed password for invalid user test from 211.155.227.171 port 43700 ssh2
Feb 1 20:58:24 grue sshd[5262]: Failed password for invalid user test from 211.155.227.171 port 43889 ssh2
Feb 1 20:58:28 grue sshd[5264]: Failed password for invalid user test from 211.155.227.171 port 44092 ssh2
Feb 1 20:58:32 grue sshd[5266]: Failed password for invalid user anda from 211.155.227.171 port 44295 ssh2
Feb 1 20:58:36 grue sshd[5268]: Failed password for invalid user jb from 211.155.227.171 port 44493 ssh2
Feb 1 20:58:40 grue sshd[5270]: Failed password for invalid user cvsuser from 211.155.227.171 port 44679 ssh2
Feb 1 20:58:45 grue sshd[5272]: Failed password for invalid user cvsuser1 from 211.155.227.171 port 44885 ssh2
Feb 1 20:58:49 grue sshd[5274]: Failed password for invalid user mana from 211.155.227.171 port 45087 ssh2
Feb 1 20:59:01 grue sshd[5280]: Failed password for invalid user vicky from 211.155.227.171 port 45713 ssh2
Feb 1 20:59:05 grue sshd[5282]: Failed password for invalid user setup from 211.155.227.171 port 45927 ssh2
Feb 1 20:59:09 grue sshd[5284]: Failed password for invalid user setup from 211.155.227.171 port 46143 ssh2
Feb 1 20:59:14 grue sshd[5286]: Failed password for invalid user print from 211.155.227.171 port 46359 ssh2
Feb 1 20:59:17 grue sshd[5288]: Failed password for invalid user print from 211.155.227.171 port 46580 ssh2
Feb 1 20:59:21 grue sshd[5290]: Failed password for invalid user raul from 211.155.227.171 port 46773 ssh2
Feb 1 20:59:25 grue sshd[5292]: Failed password for invalid user user1 from 211.155.227.171 port 46983 ssh2
Feb 1 20:59:28 grue sshd[5294]: Failed password for invalid user user from 211.155.227.171 port 47173 ssh2
Feb 1 20:59:33 grue sshd[5296]: Failed password for invalid user user from 211.155.227.171 port 47370 ssh2
Feb 1 20:59:37 grue sshd[5298]: Failed password for invalid user user from 211.155.227.171 port 47584 ssh2
3. Looking at the time stamps, it certainly seems like a normal “guess the user, guess the password” attack. Out of curiosity, I poked around for information about this IP address. Oh look! China!
Location of the IP address
211.155.227.171:
Hangzhou in China.
This IP address is also on several blacklists for brute forcing attacks (of which this is one)
4. Now it simply a matter of blocking this IP address:
iptables -A INPUT -s 211.155.227.171 -j DROP
5. And of course, consistent monitoring and REALLY STRONG PASSWORDS!