Linux Server Breakin Attempts

Heads up: I was notified that my virtual Linux server's logs had suddenly started growing much faster than usual.
I also got a warning that virtual memory was low.

(Image: the server's graphs after things got fixed.)
Looking through the logs I see torrents of failed login attempts on the SSH (Secure Shell) and FTP ports (yes, I am trying hard to switch to SFTP, but that's another story), at a rate of 5 per second or more at times.
Several issues to note:
  • I moved SSHD from the default port 22 to 1066 years ago. That was not, I thought, a 'well known port', unless of course someone figures it out. I had not changed it since.
  • The server auto-updates itself regularly and I scan and check it manually now and then.
  • There does not appear to be a crack so much as brute-force attacks, perhaps combined with guesswork.

  • Hackers obviously scanned and found the (years old) 'new' port, 1066. I have since moved it again.
    – Hackers then launched a barrage of brute-force attempts with various names and who knows what password on that particular port. (Login failures are restricted to 3 per 600s session in /etc/ssh/sshd_config.)
    – Interestingly, 'root' was never tried (it's disabled anyway). I assume this is because it could trigger a default alert. But admin, demo, test etc.? Of course.
    – These attacks came from unique IP addresses all over the world. Yes, folks, mainly China and Asia. Russia did not show up per se, but then why would it? : )
    Few came from the same source IP, or even the same subnet, more than once.
  • RESPONSES:
    – I tried to ban China in iptables. Not as easy as it sounds, and a poor solution anyway, China being a majority of the sources but not all. Overfilling iptables uses up kernel memory and exhausts virtual memory : (
    – I set up "fail2ban", which examines predetermined log files for failures and acts on them to 'ban' the source, again using iptables. That is useless here, as each attempt came from a new IP.
    – Oh yes! From literally YEARS ago I suddenly recalled /etc/hosts.allow and /etc/hosts.deny, which act on the initial service port connection and CAN check wildcard hostnames, by name AND by IP. So now my rules are: deny from anywhere EXCEPT a couple of my local ISPs. No one gets in now, regardless, unless their reverse IP name matches ISPs in my area.
  • A good solution would be light on server resources, lest the result be a denial-of-service attack overwhelming the system with blocking rules.
  • Judging by what's happening recently I fear a "Grey Goo Meltdown" of the Internet. I assume MOST of these attacking hosts have themselves been broken into and turned into 'zombie bots' attempting to propagate themselves. The ultimate purpose is to obtain a concerted, powerful platform running software of the primary attacker's choosing, to launch denial-of-service attacks on target domains. These services are for hire on the Dark Web.
    Here is a sample log at the end of this post, and I am thankful my lackadaisical inattention was not more severely punished by the blackhats of the Internet.
    I used to use hosts.allow/deny on EVERYTHING with only minor inconvenience. Security is interesting and entertaining, much like a firework display, until you get blasted... : )
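The "deny everywhere except my ISPs" gate described above, written out as an added example (these are not the post's own files): tcp_wrappers rules for sshd, followed by the equivalent in sshd_config for systems where sshd no longer honours hosts.allow at all. The ISP domains (.isp-one.example, .isp-two.example) and the 198.51.100.0/24 range are placeholders to be replaced with your own.

```text
# ---- /etc/hosts.deny : tcp_wrappers, refuse everything not explicitly allowed.
# Note this also closes any other libwrap-aware daemon on the box (proftpd with
# mod_wrap, rpcbind, ...), so list those in hosts.allow too if you need them.
ALL: ALL

# ---- /etc/hosts.allow : only clients whose reverse DNS name ends in one of
# the ISP domains, or that sit in a known address range, reach sshd.
# The default PARANOID check refuses a client whose PTR name does not resolve
# back to the connecting address; sshd's "reverse mapping checking getaddrinfo
# ... failed" lines in the log are exactly those clients.
sshd: .isp-one.example .isp-two.example
sshd: 198.51.100.0/255.255.255.0
ALL:  127.0.0.1

# ---- /etc/ssh/sshd_config : same gate inside sshd itself (no libwrap needed).
# Weak settings on a stock box and what they become:
#   PermitRootLogin yes           -> no   (no point brute-forcing root)
#   PasswordAuthentication yes    -> no   (keys only; "Failed password" noise stops)
#   MaxAuthTries 6                -> 3    (guesses per connection, not per source)
#   UseDNS no                     -> yes  (hostname patterns in AllowUsers need it)
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
UseDNS yes
AllowUsers *@*.isp-one.example *@*.isp-two.example *@198.51.100.0/24
```

Check whether your sshd still consults hosts.allow before relying on it: OpenSSH removed its tcp_wrappers (libwrap) support in 6.7, and many distributions have since dropped the patch that restored it, so `ldd /usr/sbin/sshd | grep libwrap` printing nothing means the two hosts files are ignored for SSH and only the sshd_config block applies. Both the tcp_wrappers hostname patterns and the AllowUsers host patterns depend on reverse DNS of the client, so an ISP that hands out addresses without PTR records cannot be allowed by name and needs its address range instead. The port change is obscurity only; it thins the noise but, as the post found, scanners locate a moved port eventually.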

Mar 1 03:44:54 s19410066 sshd[5235]: Failed password for invalid user aion from 49.235.69.80 port 55082 ssh2
Mar 1 03:44:54 s19410066 sshd[5237]: Received disconnect from 49.235.69.80: 11: Bye Bye
Mar 1 03:44:57 s19410066 sshd[5348]: Invalid user odoo from 211.193.58.173
Mar 1 03:44:57 s19410066 sshd[5349]: input_userauth_request: invalid user odoo
Mar 1 03:44:57 s19410066 sshd[5348]: pam_unix(sshd:auth): check pass; user unknown
Mar 1 03:44:57 s19410066 sshd[5348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.193.58.173
Mar 1 03:44:59 s19410066 sshd[5348]: Failed password for invalid user odoo from 211.193.58.173 port 34944 ssh2
Mar 1 03:44:59 s19410066 sshd[5349]: Received disconnect from 211.193.58.173: 11: Bye Bye
Mar 1 03:45:01 s19410066 sshd[5350]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.79.168.244 user=root
Mar 1 03:45:02 s19410066 proftpd: pam_unix(proftpd:session): session opened for user willowsweather by (uid=0)
Mar 1 03:45:04 s19410066 sshd[5350]: Failed password for root from 202.79.168.244 port 58772 ssh2
Mar 1 03:45:04 s19410066 sshd[5352]: Received disconnect from 202.79.168.244: 11: Bye Bye
Mar 1 03:45:17 s19410066 sshd[5574]: Invalid user jose from 167.172.118.117
Mar 1 03:45:17 s19410066 sshd[5575]: input_userauth_request: invalid user jose
Mar 1 03:45:17 s19410066 sshd[5574]: pam_unix(sshd:auth): check pass; user unknown
Mar 1 03:45:17 s19410066 sshd[5574]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=167.172.118.117
Mar 1 03:45:19 s19410066 sshd[5574]: Failed password for invalid user jose from 167.172.118.117 port 58284 ssh2
Mar 1 03:45:19 s19410066 sshd[5575]: Received disconnect from 167.172.118.117: 11: Bye Bye
Mar 1 03:45:20 s19410066 sshd[5576]: Invalid user admin from 139.59.13.223
Mar 1 03:45:20 s19410066 sshd[5577]: input_userauth_request: invalid user admin
Mar 1 03:45:20 s19410066 sshd[5576]: pam_unix(sshd:auth): check pass; user unknown
Mar 1 03:45:20 s19410066 sshd[5576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.13.223
Mar 1 03:45:22 s19410066 sshd[5576]: Failed password for invalid user admin from 139.59.13.223 port 59480 ssh2
Mar 1 03:45:22 s19410066 sshd[5577]: Received disconnect from 139.59.13.223: 11: Bye Bye
Mar 1 03:45:44 s19410066 sshd[5584]: reverse mapping checking getaddrinfo for 187-45-103-15.mhnet.com.br [187.45.103.15] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 1 03:45:44 s19410066 sshd[5584]: Invalid user time from 187.45.103.15
Mar 1 03:45:44 s19410066 sshd[5585]: input_userauth_request: invalid user time
Mar 1 03:45:44 s19410066 sshd[5584]: pam_unix(sshd:auth): check pass; user unknown
Mar 1 03:45:44 s19410066 sshd[5584]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=187.45.103.15
Mar 1 03:45:46 s19410066 proftpd: pam_unix(proftpd:session): session opened for user artol by (uid=0)
Mar 1 03:45:47 s19410066 sshd[5584]: Failed password for invalid user time from 187.45.103.15 port 55849 ssh2
Mar 1 03:45:47 s19410066 sshd[5585]: Received disconnect from 187.45.103.15: 11: Bye Bye
Mar 1 03:45:58 s19410066 sshd[5589]: Invalid user demo from 49.234.60.13
Mar 1 03:45:58 s19410066 sshd[5590]: input_userauth_request: invalid user demo
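The sample log above, replayed through a fail2ban-style counter, as an added example that is not part of the original post. It parses the "Failed password" and "reverse mapping checking" lines in the format sshd writes them, then answers two questions the post raises: whether a per-source ban of 3 failures in 600 s would ever fire against attackers that use each IP once, and which sources already fail the forward/reverse DNS check that tcp_wrappers keys on. The log lines are copied from the post (the sample does contain one attempt for root, from 202.79.168.244, which the parser keeps); the syslog year is not in the lines, so 2020 is assumed.

```python
#!/usr/bin/env python3
"""Replay sshd auth-log lines through a fail2ban-style per-IP counter.

Added example, not code from the original post. Parses the log format
sshd writes to auth.log, aggregates failures per source address inside
a sliding window (fail2ban's maxretry/findtime), and reports the shape
of the attack: volume, how many distinct sources, and which of them
fail forward-confirmed reverse DNS.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Lines copied from the post's sample log (the failures plus the one
# reverse-mapping warning). Syslog carries no year; 2020 is assumed below.
SAMPLE_LOG = """\
Mar 1 03:44:54 s19410066 sshd[5235]: Failed password for invalid user aion from 49.235.69.80 port 55082 ssh2
Mar 1 03:44:59 s19410066 sshd[5348]: Failed password for invalid user odoo from 211.193.58.173 port 34944 ssh2
Mar 1 03:45:04 s19410066 sshd[5350]: Failed password for root from 202.79.168.244 port 58772 ssh2
Mar 1 03:45:19 s19410066 sshd[5574]: Failed password for invalid user jose from 167.172.118.117 port 58284 ssh2
Mar 1 03:45:22 s19410066 sshd[5576]: Failed password for invalid user admin from 139.59.13.223 port 59480 ssh2
Mar 1 03:45:44 s19410066 sshd[5584]: reverse mapping checking getaddrinfo for 187-45-103-15.mhnet.com.br [187.45.103.15] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 1 03:45:47 s19410066 sshd[5584]: Failed password for invalid user time from 187.45.103.15 port 55849 ssh2
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
REVMAP_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: reverse mapping checking getaddrinfo for "
    r"\S+ \[(?P<ip>[\d.]+)\] failed"
)


def parse_failures(text, year=2020):
    """Return [(timestamp, user, ip)] for every 'Failed password' line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out


def reverse_dns_mismatches(text):
    """IPs whose PTR name did not resolve back to the IP; tcp_wrappers'
    default PARANOID check refuses exactly these before authentication."""
    return {m["ip"] for m in map(REVMAP_RE.match, text.splitlines()) if m}


def simulate_fail2ban(failures, maxretry=3, findtime=600):
    """IPs a fail2ban-style jail would ban: at least maxretry failures from
    one IP inside any findtime-second window (the 3 per 600 s the post uses)."""
    recent = defaultdict(list)
    banned = set()
    window = timedelta(seconds=findtime)
    for ts, _user, ip in sorted(failures):
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


def summarize(failures):
    """Shape of the attack: volume, source diversity, rate, usernames tried."""
    ips = {ip for _, _, ip in failures}
    slash24s = {ip.rsplit(".", 1)[0] for ip in ips}
    times = [ts for ts, _, _ in failures]
    span = (max(times) - min(times)).total_seconds() if times else 0
    return {
        "failures": len(failures),
        "unique_ips": len(ips),
        "unique_slash24s": len(slash24s),
        "per_minute": round(len(failures) * 60 / span, 1) if span else None,
        "usernames": Counter(user for _, user, _ in failures),
    }


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    stats = summarize(fails)
    print(f"{stats['failures']} failures from {stats['unique_ips']} IPs "
          f"in {stats['unique_slash24s']} /24s, ~{stats['per_minute']}/min")
    print("usernames tried:", dict(stats["usernames"]))
    print("fail2ban would ban:", simulate_fail2ban(fails) or "nobody")
    print("reverse-DNS mismatches:", reverse_dns_mismatches(SAMPLE_LOG))
```

On the post's sample every source appears once, so the per-IP counter never reaches its threshold and the ban set stays empty, which is the failure mode the post describes; the same function does ban a single source that repeats inside the window, so the rule is not broken, it is simply the wrong axis for a one-attempt-per-address botnet. Point `parse_failures` at a real /var/log/auth.log and the `unique_ips` versus `failures` ratio tells you quickly which situation you are in.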
