I have noticed an attempted hack and the log file shows:
Dec 27 15:40:22 hp2 sshd[24142]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:25 hp2 sshd[24142]: Failed password for root from 222.73.68.13 port 49069 ssh2
Dec 27 15:40:25 hp2 sshd[24143]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:29 hp2 sshd[24144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:30 hp2 sshd[24144]: Failed password for root from 222.73.68.13 port 49510 ssh2
Dec 27 15:40:30 hp2 sshd[24145]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:33 hp2 sshd[24146]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:35 hp2 sshd[24146]: Failed password for root from 222.73.68.13 port 49843 ssh2
Dec 27 15:40:36 hp2 sshd[24147]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:39 hp2 sshd[24148]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:41 hp2 sshd[24148]: Failed password for root from 222.73.68.13 port 50227 ssh2
Dec 27 15:40:41 hp2 sshd[24149]: Received disconnect from 222.73.68.13: 11: Bye Bye
What I am not sure about is ssh2, and why the port is random, or is this the originating port? I have SSH set up, but in the firewall settings it is locked to my IP address? Can anyone tell me how to lock this down?
Is there any way, if a Virtualmin password has been entered incorrectly so many times, that the user can be automatically blacklisted?
Thanks Colin
My assumption is that the "random port" is the source port number used by the remote system to connect to your port 22, and SSH2 is the protocol version (there are two major versions of SSH, SSH1 and SSH2).
Locking stuff like this down is a fight against windmills. Let them try to guess your passwords - you can't keep them from doing so, and if your passwords are sufficiently secure, there's no danger.
The easiest way to reduce the amount of log entries like these is to use a non-standard port for SSH.
Yes Locutus, you are correct, they are trying brute force on SFTP. I have seen settings in Webmin Configuration/Authentication; there is a setting to block hosts with x number of failed logins. Does this apply to FTP or just Webmin login? As this does not seem to be working.
Thanks Colin
It most likely only applies to Webmin. If at all, an appropriate setting for SSH could be found in the SSH Server module, though I'm not aware that the usual SSH daemon has such a feature.
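The "block a host after x failed logins" behaviour Colin is asking about does not have to live inside sshd: a log watcher can count the "Failed password" lines per source address and hand the offenders to the firewall. The following Python is an added example written for this thread, not code from the original posts or from Webmin/Virtualmin. It parses the exact sshd lines quoted above (embedded as the sample input), extracts the user, remote host and source port from each failure, and flags any rhost that reaches a threshold of failures inside a time window. The year is not present in syslog timestamps, so a `year` parameter (assumed 2010 by default) is supplied to make them sortable; the threshold and window values are illustrative choices, not anything the thread specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One "Failed password" line as OpenSSH writes it via syslog. The port in
# this line is the client's ephemeral source port, which is why it changes
# on every connection; the server side is always listening on port 22.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<rhost>\S+) port (?P<port>\d+) ssh2$"
)

# Constructed sample: the log excerpt from the first post in this thread.
SAMPLE_LOG = """\
Dec 27 15:40:22 hp2 sshd[24142]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:25 hp2 sshd[24142]: Failed password for root from 222.73.68.13 port 49069 ssh2
Dec 27 15:40:25 hp2 sshd[24143]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:29 hp2 sshd[24144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:30 hp2 sshd[24144]: Failed password for root from 222.73.68.13 port 49510 ssh2
Dec 27 15:40:30 hp2 sshd[24145]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:33 hp2 sshd[24146]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:35 hp2 sshd[24146]: Failed password for root from 222.73.68.13 port 49843 ssh2
Dec 27 15:40:36 hp2 sshd[24147]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:39 hp2 sshd[24148]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:41 hp2 sshd[24148]: Failed password for root from 222.73.68.13 port 50227 ssh2
Dec 27 15:40:41 hp2 sshd[24149]: Received disconnect from 222.73.68.13: 11: Bye Bye
"""


def parse_failures(lines, year=2010):
    """Return a list of (timestamp, user, rhost, port) for each failed-password
    line. Syslog omits the year, so one is assumed (hypothetical default 2010)."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # pam_unix and disconnect lines are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["rhost"], int(m["port"])))
    return events


def find_bruteforcers(events, max_failures=3, window_seconds=600):
    """Return {rhost: timestamp} for every source that produced at least
    max_failures failed logins within any window_seconds-long interval.
    The timestamp recorded is the moment the threshold was first crossed,
    i.e. when a log watcher would add the firewall block."""
    recent = defaultdict(deque)   # rhost -> timestamps inside the window
    flagged = {}
    for ts, _user, rhost, _port in sorted(events):
        q = recent[rhost]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # slide the window forward
        if len(q) >= max_failures and rhost not in flagged:
            flagged[rhost] = ts
    return flagged


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG.splitlines())
    for host, when in find_bruteforcers(evts).items():
        print(f"{host} crossed the threshold at {when:%b %d %H:%M:%S}")
```

Running it on the quoted excerpt reports 222.73.68.13 crossing a three-failure threshold at 15:40:35, which is the decision point at which a tool such as fail2ban would insert a firewall deny rule for that address. The four distinct port numbers in the parsed events confirm Locutus's reading: they are the attacker's source ports, one per connection, and carry no information about your own configuration.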