
Is it normal to get hundreds of break-in attempts per day? - splattne
http://serverfault.com/questions/244614/is-it-normal-to-get-hundreds-of-break-in-attempts-per-day
======
jamroom
You can eliminate 99% of these attempted logins by changing your SSH port from
the standard 22 to something else (say 2177 or whatever). Log in as root (or
su), open the /etc/ssh/sshd_config file and change the port number. Save your
changes and restart ssh with "/etc/init.d/ssh restart" and you are good to go.
You'll want to update any SSH clients you use to use the proper port (-p
option on command line). Hope this helps!

~~~
cd34
Good grief, I hope you never do this. Do NOT use a port > 1023 for anything
that should run as root. If you do, and your machine gets compromised, any
unprivileged user could start an ssh daemon; you might think, "oh, why is the
key different?", accept it, and they've keylogged your login attempt.

~~~
staunch
I don't disagree in principle. In practice: how did they manage to start their
own daemon on a port sshd is already bound to?

~~~
cd34
Web exploit, get a web shell, crash your ssh daemon somehow, start my own.
Since it is running on a non-privileged port, easy enough to run my own ssh
daemon there.

Crashing the ssh daemon isn't always easy, but, making the job easier for an
attacker because 'obscurity' is considered a good protection scheme in this
case opens up other potential vulnerabilities.

------
epenn
My home firewall catches 20-25 failed login attempts per day, all of which
seem to originate in China. I'm tempted to set up a honeypot that'll show a
fake bash prompt just to see what gets thrown at it. Naturally I assume there
is an elite international force that will stop at nothing to break in and
steal the larger original jpegs of my Facebook photos as well as all of my
college homework. I'm on to you, elite international force!

~~~
nickbp
They're likely more interested in obtaining hops from which to attack other
machines.

~~~
thwarted
Apparently, their appetite for the original, larger copies of photos uploaded
to Facebook and for college homework knows no bounds!1!!

~~~
chc
Why is this upvoted so highly? Am I missing some insight here?

~~~
jefe78
It's called humour. Lolz were had. Enjoy.

------
fretlessjazz
I run Rails and became tired of seeing 404s to standard ASP or PHP software
(such as phpmyadmin), so I added this to our Apache conf:

    # [F] forbidden, [L] stop processing, [NC] case-insensitive match
    RewriteRule \.(asp|aspx|php|jsp)$ - [F,L,NC]
    RewriteRule (w00tw00t) - [F,L,NC]
    RewriteRule (phpmyadmin) - [F,L,NC]
    RewriteRule (php-my-admin) - [F,L,NC]

That cuts off those requests before they hit a Rails process and suck up any
additional resources.

~~~
mfontani
On Lighty, I simply have:

    url.redirect = (
        "^(.*)php(.*)$" => "http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.37.3.tar.bz2",
        # other stuff
    )

I do not use php on the server. I don't know if these kits end up downloading
the kernel or not, though.

~~~
buro9
Please don't do this... having bots launch a DDoS attack on kernel.org is not
good.

Just throw the request away or return a 404 at the load balancer level.

If you're on Apache use mod_security, if you're not put Varnish in front and
configure it to return simple 404 errors on such pages.

But don't mod_rewrite, redirect or otherwise throw traffic onto someone else's
server, let alone one that will result in a traffic cost for them.

~~~
T-hawk
> Please don't do this... having bots launch a DDoS attack on kernel.org is
> not good.

Yeah, point them at microsoft.com instead! Should be easy to find a hefty
service pack or DirectX install for the bots to hit...

~~~
xorglorb
Even though not all of us like Microsoft, you still shouldn't do this. The
best way to handle this is to send random data at 10b/s and slow down the
bots.

~~~
jokermatt999
It'd be interesting to keep a list of the bots, and randomly redirect the
traffic back at them. My first thought was that this would mess up people who
unknowingly have a bot on their computer, but then I realized this might
actually make them look into getting their computer fixed.

Am I missing something here, or is this actually a decent idea?

~~~
drzaiusapelord
I doubt these bots can handle the redirect request. It's JS and I don't see why
someone would code to support it. Maybe someone better informed than me can
say whether curl or wget respect redirect by default.

~~~
aaronblohowiak
JS? 300 http codes cause a redirection without any JS whatsoever.

<http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html>

------
bediger
I'm too lazy and too stupid to put in denyhosts or any of the other
anti-guessing software, but I have put in a 7-second delay on
password-authenticated SSH logins, as per
<http://www.aerospacesoftware.com/howtos/ssh-kiddies.html>. That makes my sshd
less a honeypot and more a tarpit.

I also put in an output line so I can see what passwords they're guessing.

~~~
tvon
FWIW, denyhosts and mod-security don't seem to require any real additional
configuration beyond just installing them on Ubuntu 10.10 (and copying the
example config for mod-security from
/usr/share/doc/mod-security-common/examples).

------
njharman
I'd say hundreds is not normal. It is an order of magnitude too low.

~~~
wtn
How would you define an order of magnitude in this case?

~~~
seiji
At times, a few hundred per minute is "normal."

I prefer port knocking or two factor auth as a solution to brute force
attacks. <http://code.google.com/p/google-authenticator/>

~~~
lsc
eh, disabling password auth solves the problem almost as well.

------
ck2
You MUST try the free and awesome configserver firewall

<http://configserver.com/cp/csf.html>

It's fantastic. Among a million other things, it monitors logs for several
kinds of failed login attempts and can automagically ban them via iptables
(with timeouts if you so desire).

_Be sure to donate to keep this fantastic software alive if you use it._

------
tcopeland
As some of the commenters on serverfault suggested, the easiest fix is to just
disable password auth in sshd_config. No need to fool with denyhosts'
whitelisting and whatnot, just use public key auth only.
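
A small audit script for the sshd_config settings debated in this thread: password authentication, root login, and the port choice cd34 objected to. This is an added example, not code from the thread or from OpenSSH. The two config texts are constructed samples, and the default values assumed when a directive is absent are marked as assumptions in the comments.

```python
"""Audit an sshd_config for the settings debated in this thread.

Added example; not from the thread or from OpenSSH. The two configs are
constructed samples. Defaults assumed when a directive is absent are
noted inline as assumptions.
"""
import re

# "Keyword value" or "Keyword=value"; sshd keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$")


def parse_sshd_config(text):
    """Return {keyword_lower: [values in file order]}.

    For most keywords sshd honours the first occurrence only; Port is the
    exception (each Port line adds a listener), so every value is kept.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return settings


def first(settings, key, default):
    """First value of a keyword (lower-cased), or the assumed default when absent."""
    return settings.get(key, [default])[0].lower()


def audit_sshd_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_sshd_config(text)
    findings = []
    # Assumption: OpenSSH enables password authentication when the directive is unset.
    if first(s, "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible")
    # Assumption: public-key authentication is on by default.
    if first(s, "pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off: key-only login is impossible")
    if first(s, "permitrootlogin", "") == "yes":
        findings.append("PermitRootLogin yes: root is the one account every bot tries")
    # cd34's point: ports above 1023 need no root to bind, so an unprivileged
    # local process can take the port over whenever sshd is not listening.
    for value in s.get("port", ["22"]):
        if int(value) > 1023:
            findings.append(f"Port {value}: unprivileged port, bindable by any local user when sshd is down")
    return findings


WEAK_CONFIG = """\
# constructed sample: password logins kept, root allowed, 'hidden' high port
Port 2177
PasswordAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# constructed sample: the thread's key-only advice
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers rails
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

The parser keeps the first value of each keyword because that is what sshd does, so a `PasswordAuthentication no` appended at the bottom of a file that already says `yes` near the top is correctly reported as still enabled.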

~~~
megamark16
This and changing the port to something non-standard is what keeps me sleeping
like a baby at night.

------
mike-cardwell

    sudo apt-get install denyhosts

Job done.

~~~
troels
Have never heard of this tool before. Is it a standard thing or is it only for
the clinically paranoid?

~~~
rosser
Just because you're paranoid doesn't mean script kiddies aren't trying to root
your box.

------
jarin
If you're running a Rails server on Ubuntu, protecting your server is as
simple as deploying your app with Moonshine, with the ssh, iptables, and
denyhosts plugins.

It requires maybe 7-10 lines of configuration to have a fairly well-insulated
system:

    # config/moonshine.yml
    :ssh:
      :port: 9024
      :allow_users:
        - rails

    # app/manifests/application_manifest.rb
    configure({
      :denyhosts => { :admin_email => 'admin@example.com' }
    })

    recipe :ssh
    recipe :iptables
    recipe :denyhosts

------
idm
Use a VPN (openvpn), and attach sshd to your VPN subnet instead of using
0.0.0.0 or your publicly routable IP. This is also great for any other
services you might want to administer remotely. It's normal to bind your
database/cache to 127.0.0.1, but you can also bind to an IP in your VPN
subnet, which makes it a little easier than tunneling through SSH to access
your database.

------
mbailey
Yes. And I'm sure it's been said: fail2ban

~~~
asnyder
Denyhosts is pretty good too.

------
maratd
There are really two issues here. One is SSH and the other is HTTP.

SSH is easy. Get a static IP or figure out the IP range for your ISP. Drop any
connection not in that IP range using iptables on that port. Done.

HTTP requires more creativity. It really depends on how you have things set
up. I have a honeypot default vhost on Apache. If you enter just the IP
address for the server, you get the honeypot. That's what most of these bots
will hit. The 404 errors caused are very annoying and mess up the logs. On the
honeypot, I have a RewriteRule that rewrites anything that would cause a 404
to index.html which is a blank page.

------
kristofferR
I've noticed this too. Almost immediately after I signed up and created a
hosting account with KnownHost, the hacking attempts started, even before I
had logged in to cPanel for the first time.

I got an automated email every time somebody failed to log in, so my iPhone
was plinging every few seconds for 30 minutes before I added a filter in GMail
to mark those mails as read. I've since installed fail2ban.

------
eli
I've got a script set up to scan my logs and temporarily ban clearly malicious
IPs. It finds a few hundred new ones each day.
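
What such a scanner does, shown as an added example (this is not eli's script, nor fail2ban or denyhosts code): parse sshd auth-log lines, count failed passwords per source IP inside a sliding time window, and record each ban with an expiry so a later pass can lift it. The log lines, the threshold, the window, the ban length and the year (syslog timestamps carry none) are all constructed assumptions.

```python
"""Scan sshd log lines for password-guessing sources and ban them for a while.

Added example for this thread; not eli's script and not fail2ban/denyhosts.
The log lines below are constructed; the syslog timestamp carries no year,
so the year is supplied as a parameter.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# A standard sshd failure line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

# Constructed sample log, in chronological order as a real auth.log would be.
SAMPLE_LOG = """\
Mar  1 10:00:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 web1 sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:05 web1 sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 51251 ssh2
Mar  1 10:00:09 web1 sshd[1240]: Accepted publickey for rails from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:10 web1 sshd[1241]: Failed password for rails from 198.51.100.7 port 40001 ssh2
Mar  1 10:20:00 web1 sshd[1300]: Failed password for root from 203.0.113.9 port 33000 ssh2
Mar  1 10:27:00 web1 sshd[1301]: Failed password for root from 203.0.113.9 port 33001 ssh2
Mar  1 10:40:00 web1 sshd[1302]: Failed password for root from 203.0.113.9 port 33002 ssh2
""".splitlines()


def parse_failures(lines, year=2011):
    """Yield (timestamp, ip, user) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())   # collapse the padded day ("Mar  1")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bans(lines, threshold=3, window=timedelta(minutes=10),
              bantime=timedelta(hours=1), year=2011):
    """Return {ip: ban_expiry} for IPs with `threshold` failures inside `window`.

    A deque per IP holds the failure times still inside the window; failures
    older than the window are discarded, so three tries spread over an hour
    do not add up to a ban.
    """
    recent = defaultdict(deque)
    bans = {}
    for ts, ip, _user in parse_failures(lines, year):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in bans:
            bans[ip] = ts + bantime
    return bans


def expired(bans, now):
    """IPs whose temporary ban has run out at `now` (the unban pass)."""
    return sorted(ip for ip, until in bans.items() if now >= until)


if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG)
    for ip, until in bans.items():
        print(f"ban {ip} until {until}")
    print("expired at 11:30:", expired(bans, datetime(2011, 3, 1, 11, 30)))
```

In the sample, 203.0.113.5 is banned on its third failure within four seconds, while 203.0.113.9 also fails three times but spread over twenty minutes and never trips the ten-minute window; the single failed password from the legitimate key user at 198.51.100.7 is ignored.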

~~~
hvs
fail2ban does a nice job of this.

------
aquarin
I have thousands of attempts at my nginx server, mostly from China, and most of
them checking for a free proxy server. I am even convinced it is some sort of
automatic software scanning IP ranges for proxies. Freedom is difficult in some
countries.

~~~
aquarin
If you see requests like: "GET http://somesite/proxycheck.php"

Try this in the Nginx server config:

    if ($request ~* "^[^ ]+[ ]+[^:]+://" ) { return 444; }

444 is nonstandard Nginx code that closes the connection without sending any
headers.
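
As an added example (not from the thread, Apache or nginx), the following reproduces in Python what the two server-side rule sets posted in this thread actually match: fretlessjazz's mod_rewrite patterns applied to the request path, and aquarin's nginx `$request` test for an absolute-URI target. The request lines are constructed samples, and the labels and the `classify_request`/`summarize` names are assumptions of this example.

```python
"""Classify HTTP request lines with the two rule sets posted in this thread.

Added example; not code from the thread, Apache or nginx. Request lines
are constructed samples; the labels and function names are mine.
"""
import re
from collections import Counter

# fretlessjazz's mod_rewrite patterns; [NC] means case-insensitive, and a
# RewriteRule pattern is an unanchored regex search against the URL path.
APACHE_RULES = [
    ("script-extension", re.compile(r"\.(asp|aspx|php|jsp)$", re.I)),
    ("w00tw00t", re.compile(r"w00tw00t", re.I)),
    ("phpmyadmin", re.compile(r"phpmyadmin", re.I)),
    ("php-my-admin", re.compile(r"php-my-admin", re.I)),
]

# aquarin's nginx test on $request (the whole request line): the target is
# written as an absolute URI, i.e. the client is using the server as a proxy.
PROXY_PROBE_RE = re.compile(r"^[^ ]+[ ]+[^:]+://", re.I)

# Constructed request lines as they would appear in an access log.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /posts/42 HTTP/1.1",
    "GET /phpmyadmin/index.php HTTP/1.1",
    "GET /PHPMyAdmin/ HTTP/1.1",
    "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1",
    "GET /admin/login.aspx?ReturnUrl=%2f HTTP/1.1",
    "GET http://somesite/proxycheck.php HTTP/1.1",
    "CONNECT mail.example.com:25 HTTP/1.1",
    "GET /assets/app.js HTTP/1.1",
]


def classify_request(request_line):
    """Return the label of the first matching rule, or None if it passes through."""
    if PROXY_PROBE_RE.match(request_line):
        return "proxy-probe"
    parts = request_line.split()
    if len(parts) < 2:
        return None
    path = parts[1].split("?", 1)[0]   # mod_rewrite matches the path, not the query string
    for label, rx in APACHE_RULES:
        if rx.search(path):
            return label
    return None


def summarize(request_lines):
    """Count requests per label; lines no rule matches are counted under 'pass'."""
    return Counter(classify_request(r) or "pass" for r in request_lines)


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{classify_request(r) or 'pass':17} {r}")
    print(dict(summarize(SAMPLE_REQUESTS)))
```

The sample makes one limit of aquarin's pattern visible: it fires on an `http://...` target but not on a `CONNECT host:port` request, which has no `://` and also has no path for the rewrite patterns to inspect, so it passes both rule sets.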

------
yalogin
For SSH break-in attempts an easier solution would be to use a random (at
least alphanumeric) userid. These dictionary based attacks only use standard,
most generic login ids.

~~~
JoshTriplett
No need to bother making your userid cryptographically secure; either turn off
passwords or use a secure password. It doesn't matter whether the bots find a
valid username, as long as they can't guess your password.

------
sucuri2
OSSEC (open source) is very good at blocking those. It looks at all your logs
and blocks brute-force attacks via SSH, HTTP, etc...

Link: <http://ossec.net>

------
Vivtek
Yes.

Well - actually, no. Mere hundreds are kind of abnormally low.

------
wingo
I went to look at my logs and realized I forgot both my own and root's
password on my linode. Doh!

~~~
edu
use private/public key to login!!!

~~~
wingo
I do indeed; that's why I had forgotten my password, because I always log in
with my key. Amusing, this!

------
bkaid
I created a free test server on Windows Azure a few weeks ago with remote
desktop access enabled and had failed login attempts within 2 minutes of the
server going live, without publishing the IP address or DNS name anywhere.

