On Wed, 2007-08-08 at 02:09 +0530, Vivek J. Patankar wrote:
> One of my servers has a public interface. It is hit by ssh login
> attempts on a daily basis and the count for that goes into the thousands
> per week. The usernames that have been tried are root, admin,
> administrator, etc.
>
> For the last couple of weeks I have been getting a lot of login attempts
> for a user called "NOUSER". There were over 12000 during the week ending
> 5th August. The sources of the attempts are geographically
> distributed, Norway, US, Korea, Taiwan, India, etc. But the username is
> always the same, "NOUSER". I am guessing this is some kind of worm.
>
> Aug 6 17:57:57 <HOSTNAME> pam_tally[28966]: pam_tally: pam_get_uid; no
> such user NOUSER
>
> Has anybody else seen such activity or has more information about it?
> Anything I should worry about?
>
> If it matters, the box runs an up-to-date FC6.

Welcome to the Internet. This is a very common hack attempt. Someone
(usually script kiddies) is trying to get into your box.

I have iptables rules that only allow ssh tries from our networks or
machines I know of. To wit:

    # Accept SSH from our networks...
    -A INPUT -s aaa.bbb.ccc.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s ddd.eee.fff.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
    # Accept SSH from my machine at home...
    -A INPUT -s ggg.hhh.iii.jjj/32 -p tcp -m tcp --dport 22 -j ACCEPT

    (more rules...)

At the end, put in a blanket "don't allow SSH from anywhere else" rule:

    # Block any ssh attempts from outside our network...
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable

If you must leave ssh open to the outside world, use a simple iptables
ruleset to limit attempts:

    # This rejects a second ssh attempt from the same source within 180 seconds...
    # First, record every SYN to port 22 in the "sshattack" list (no -j, so
    # the rule never terminates the chain and every attempt is counted)...
    -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    # Optional: Include this line if you want to log these attacks...
    -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
    # Finally, reject the connection if more than one attempt is made in 180 seconds...
    -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

If more than one ssh attempt is made in 180 seconds (three minutes) from a
given IP address, this blocks that IP address for that duration. You get one
try. If you fail, you must wait 3 minutes before you can try again. Note that
even a successful login is counted. If you log in and immediately log out,
you still have to wait 3 minutes to get in again.

Change the "--hitcount 2" bits to "--hitcount 3" if you want to give yourself
two tries to get in. You can also change the "--seconds 180" to
"--seconds 300" to make the delay 5 minutes.

The values I give above are enough to discourage most script kiddie attempts
to get into your box. Your mileage may vary.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer               rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                 http://www.internap.com -
-                                                                    -
-           Where there's a will, I want to be in it.                -
----------------------------------------------------------------------
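The timing behaviour of the "recent" rules in Rick's reply is easy to misjudge when tuning --seconds and --hitcount, so the following is an added example, not code from the post or from the iptables project: a small Python model of the xt_recent --set / --rcheck logic that replays a constructed sequence of SSH SYNs through it and reports the verdict each one would get. The source addresses 198.51.100.7 and 203.0.113.5, the timestamps, the 20-entry history cap and the function names are all assumptions made for the illustration; the semantics modelled are those of the two rules quoted in the docstring.

```python
"""Model of the iptables 'recent' match used in the SSH rate-limit rules.

Constructed illustration: replays SSH SYN packets through the equivalent of

    -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack \\
        --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

and reports the verdict each SYN would get.  Addresses and times are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RecentTable:
    """Per-source SYN timestamps, like /proc/net/xt_recent/sshattack."""
    seconds: int = 180
    hitcount: int = 2
    max_entries: int = 20          # assumed cap on stamps kept per address
    stamps: dict = field(default_factory=lambda: defaultdict(list))

    def set(self, src: str, now: int) -> None:
        """--set: record this packet's time.  The rule has no -j, so it never
        terminates the chain; every SYN, accepted or rejected, lands here."""
        history = self.stamps[src]
        history.append(now)
        if len(history) > self.max_entries:
            del history[0]         # oldest stamp is dropped once the cap is hit

    def rcheck(self, src: str, now: int) -> bool:
        """--rcheck --seconds S --hitcount H: match when at least H recorded
        stamps are younger than S seconds.  Unlike --update it records nothing
        itself (the preceding --set already did)."""
        recent = [t for t in self.stamps.get(src, ()) if now - t < self.seconds]
        return len(recent) >= self.hitcount


def replay(syns, seconds: int = 180, hitcount: int = 2):
    """Run (time, src) SYNs through the two rules; return (time, src, verdict)."""
    table = RecentTable(seconds=seconds, hitcount=hitcount)
    verdicts = []
    for now, src in sorted(syns):
        table.set(src, now)                       # rule 1: always records
        verdict = "REJECT" if table.rcheck(src, now) else "ACCEPT"  # rule 2
        verdicts.append((now, src, verdict))
    return verdicts


# Constructed traffic (seconds since the first SYN):
#  - 198.51.100.7: a scanner retrying every 10 s
#  - 203.0.113.5: an admin who logs in, logs out, and retries twice
SAMPLE_SYNS = [(t, "198.51.100.7") for t in range(5, 70, 10)] + [
    (0, "203.0.113.5"),
    (30, "203.0.113.5"),
    (200, "203.0.113.5"),
    (381, "203.0.113.5"),
]


def verdicts_for(src: str, syns=SAMPLE_SYNS, **kw):
    """Convenience: {time: verdict} for one source address."""
    return {t: v for t, s, v in replay(syns, **kw) if s == src}


if __name__ == "__main__":
    for now, src, verdict in replay(SAMPLE_SYNS):
        print(f"t={now:4d}s  {src:15s}  {verdict}")
```

Because the --set rule runs before --rcheck and has no target, a rejected SYN still adds a fresh timestamp: the admin's retry at t=200 is rejected because the rejected attempt at t=30 is still inside the window, and a clean login only succeeds at t=381, once 180 seconds have passed since the last SYN of any kind. The scanner's first SYN is accepted (it gets one password prompt), and every later one within the window is reset. Calling replay(SAMPLE_SYNS, hitcount=3) shows the two-tries variant from the post, under which all four admin SYNs get through.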