See who’s poking your Linux box

July 22, 2009

If you’re running SSH with the port open to the whole world, your best bet is to install fail2ban. If you’re curious, though, about who is trying to get in by brute-forcing your SSH passwords, the following command gives a quick view:

grep "POSSIBLE BREAK-IN ATTEMPT" /var/log/auth.log

This prints a list of every attempt sshd flagged this way, with the exact date, hour, minute and second of each one. It also shows where the attempts came from (the hostname and IP address), in a fashion similar to this:

Jul 21 13:54:35 brunner sshd[12144]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:38 brunner sshd[12146]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:42 brunner sshd[12152]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:45 brunner sshd[12155]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:49 brunner sshd[12163]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:52 brunner sshd[12165]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:56 brunner sshd[12171]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed - POSSIBLE BREAK-IN ATTEMPT!
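The grep above only matches the reverse-DNS-failure message, so a single noisy host shows up as hundreds of near-identical lines and a client whose address does resolve never shows up at all. The script below is an added example, not part of the original post: it reads the same auth.log format, matches the "POSSIBLE BREAK-IN ATTEMPT" line plus the two other sshd messages that record a failed login ("Failed password for ..." and "Invalid user ..."), and groups everything by source IP with a count, first/last timestamp, and the usernames tried. The sample log lines embedded in it are constructed for the demo and use documentation IP ranges; the pattern names (reverse_dns_fail, failed_password, invalid_user) are my own labels.

```python
#!/usr/bin/env python3
"""Summarise SSH brute-force activity from an auth.log (added example, not the post's code).

It goes beyond the post's single grep: besides the reverse-lookup failure it
also counts sshd's "Failed password" and "Invalid user" lines, which appear
whether or not the client's address has reverse DNS, and groups by source IP.
"""
import re
import sys
from collections import defaultdict

# sshd messages worth counting. The first is the one the post greps for; the
# other two are logged for every failed login regardless of reverse DNS.
PATTERNS = {
    "reverse_dns_fail": re.compile(
        r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[0-9a-fA-F.:]+)\] failed"),
    "failed_password": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"),
    "invalid_user": re.compile(
        r"Invalid user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"),
}

# Syslog prefix as written by rsyslog: "Jul 21 13:54:35 brunner sshd[12144]: ..."
# (the day is space-padded to two characters, hence " +").
SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")

# Constructed sample log (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
Jul 21 13:54:35 brunner sshd[12144]: reverse mapping checking getaddrinfo for host.example.net [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:36 brunner sshd[12144]: Invalid user tom from 198.51.100.7
Jul 21 13:54:38 brunner sshd[12144]: Failed password for invalid user tom from 198.51.100.7 port 51234 ssh2
Jul 21 13:54:41 brunner sshd[12146]: Failed password for root from 203.0.113.9 port 40011 ssh2
Jul 21 13:54:45 brunner sshd[12148]: Failed password for root from 203.0.113.9 port 40012 ssh2
Jul 21 13:54:49 brunner sshd[12150]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jul 21 13:55:02 brunner cron[12160]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line):
    """Return (timestamp, ip, signal, user_or_None) for an sshd line we care about, else None."""
    m = SYSLOG.match(line.rstrip("\n"))
    if not m:                      # not an sshd line (cron, sudo, ...)
        return None
    msg = m.group("msg")
    for signal, pat in PATTERNS.items():
        hit = pat.search(msg)
        if hit:                    # first matching pattern wins, so each line counts once
            return m.group("ts"), hit.group("ip"), signal, hit.groupdict().get("user")
    return None                    # e.g. "Accepted publickey ..." is not a failure


def summarize(lines):
    """Group events by source IP; returns {ip: record} ordered by event count, descending.

    Note: one login attempt can produce both an "Invalid user" and a "Failed
    password" line, so 'count' is the number of log events, not of attempts.
    """
    per_ip = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip, signal, user = ev
        rec = per_ip.setdefault(ip, {"count": 0, "first": ts, "last": ts,
                                     "users": set(), "signals": defaultdict(int)})
        rec["count"] += 1
        rec["last"] = ts           # the log is in time order, so the latest line wins
        rec["signals"][signal] += 1
        if user:
            rec["users"].add(user)
    return dict(sorted(per_ip.items(), key=lambda kv: kv[1]["count"], reverse=True))


def report(summary):
    """Render one row per source IP: count, time span, usernames tried, and which messages fired."""
    rows = []
    for ip, rec in summary.items():
        users = ",".join(sorted(rec["users"])) or "-"
        rows.append(f"{ip:>15} {rec['count']:5d}  {rec['first']} .. {rec['last']}  "
                    f"users={users}  {dict(rec['signals'])}")
    return "\n".join(rows)


if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. sudo ./sshlog.py /var/log/auth.log
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:                          # no argument: run over the constructed sample
        lines = SAMPLE_LOG.splitlines()
    print(report(summarize(lines)))
```

Run it with no argument to see the sample summary, or point it at /var/log/auth.log (or /var/log/secure on Fedora-style systems) with sudo. The per-IP rows are what you would actually act on: an address with many events across many usernames in a short window is a scanner, while a single failed password for a real user from a known address is probably just a typo.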

11 thoughts on “See who’s poking your Linux box”

  1. kburger

    Or on Fedora, and probably others:
    grep 'POSSIBLE BREAK-IN ATTEMPT' /var/log/secure

  2. Tux

    This only checks one specific error, where the reverse IP lookup fails. If you only grep for that, you will miss all the brute force ssh attempts that happen to originate from IPs which do resolve successfully (which in my case is the vast majority).

  3. Roger

    I have had a lot of problems with brute force SSH break-in attempts.
    I solved it by adding two lines to my iptables (FEDORA) script:

    -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 240 --hitcoun 2 --rttl --name SSH -j DROP

    The above will allow 2 login attempts every 240 seconds.
    Problem solved…

  4. Joe

    @Roger: yes, that will keep baddies from brute-forcing your ssh password. Unfortunately, it also looks like it will set you up for a denial of service condition. Quite unhandy if you have to SSH into your box while someone’s trying to hack it.

  5. Ridgeland

    I use hosts.allow to block all but a few IPs. Then I allow only one user with a name that looks like a password. Then I use public-private keys.

    Prior to this, viewing all of /var/log/auth.log, I found sites hitting every 4 seconds trying root + password, tom + password, jane + password etc.

    Since these changes I only see connection refused for IP…. Haven’t seen any hits from the narrow range of IPs I allow. If they did, they would not guess the valid user name; if they did, they would not guess the 2048 character key.

  6. Roger

    @Joe. Good point. Sorry, I meant to say “The above will allow 2 login attempts every 240 seconds per IP address.”

    So, to date I have not experienced a denial of service, even when the hack attempt is in progress. I suppose if they spoofed a range of IP addresses there could be a denial of service situation. Generally when trying to hack a SSH port you need to set up a conversation, so spoofing is not an option for the SSH hack to succeed.

  7. Craig

    Roger

    I tried to add your 2 lines but I get an error on the 2nd line.

    Cheers

  8. James-Carl

    Because it’s supposed to read “--hitcount 2” instead of “--hitcoun 2” (typo).

  9. redacted

    redacted@susan:~$ grep “POSSIBLE BREAK-IN ATTEMPT” /var/log/auth.log
    grep: BREAK-IN: No such file or directory
    grep: ATTEMPT”: No such file or directory
    redacted@susan:~$ sudo !!
    sudo grep “POSSIBLE BREAK-IN ATTEMPT” /var/log/auth.log
    [sudo] password for redacted:
    grep: BREAK-IN: No such file or directory
    grep: ATTEMPT”: No such file or directory
    /var/log/auth.log:Oct 26 02:44:51 susan sudo: redacted : TTY=pts/0 ; PWD=/home/mgranger ; USER=root ; COMMAND=/bin/grep “POSSIBLE BREAK-IN ATTEMPT” /var/log/auth.log
    redacted@susan:~$
