Attempting breach?

corbywan

macrumors regular
Original poster
Feb 4, 2008
238
3
Forest Grove, OR
I checked my secure.log and saw several lines like this.

Dec 8 22:01:40 exchangechurch sshd[20829]: Invalid user director from 201.217.215.66
Dec 8 22:01:40 exchangechurch sshd[20833]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 8 22:01:40 exchangechurch sshd[20829]: error: PAM: authentication error for illegal user director from 201-217-215-66-host.ifx.net.co via 10.0.1.2
Dec 8 22:01:40 exchangechurch sshd[20829]: Failed keyboard-interactive/pam for invalid user director from 201.217.215.66 port 41439 ssh2

Is this someone trying to hack into my server?
 

shadyMedia

macrumors newbie
Apr 6, 2009
27
0
I have been getting a lot of this; right now, to combat it, I have just disabled SSH.
We're running a new Mac Mini Server, and we noticed that pretty much right at 11:30 pm EST the CPU load will jump to sometimes 40%. Once we disable SSH connections, everything calms back down.

We're looking into steps on how to block it and how to make sure everything is working OK.

Either Apple's software firewall or a 3rd-party firewall.

What do you guys think?
 

shadyMedia

macrumors newbie
Apr 6, 2009
27
0
Just a taste of mine
Dec 9 11:37:43 server sshd[55810]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:37:43 server sshd[55806]: error: PAM: authentication error for illegal user ftpuser from 58.247.222.163 via 10.0.1.2
Dec 9 11:37:43 server sshd[55806]: Failed keyboard-interactive/pam for invalid user ftpuser from 58.247.222.163 port 55947 ssh2
Dec 9 11:40:41 server sshd[55871]: Invalid user ftpuser from 135.196.243.201
Dec 9 11:40:41 server sshd[55875]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:40:41 server sshd[55871]: error: PAM: authentication error for illegal user ftpuser from 135.196.243.201 via 10.0.1.2
Dec 9 11:40:41 server sshd[55871]: Failed keyboard-interactive/pam for invalid user ftpuser from 135.196.243.201 port 51986 ssh2
Dec 9 11:43:36 server sshd[55922]: Invalid user gabi from 201.217.215.66
Dec 9 11:43:36 server sshd[55926]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:43:36 server sshd[55922]: error: PAM: authentication error for illegal user gabi from 201-217-215-66-host.ifx.net.co via 10.0.1.2
Dec 9 11:43:36 server sshd[55922]: Failed keyboard-interactive/pam for invalid user gabi from 201.217.215.66 port 46040 ssh2
Dec 9 11:46:55 server sshd[55982]: Invalid user gabi from 190.136.177.61
Dec 9 11:46:55 server sshd[55996]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:46:56 server sshd[55982]: error: PAM: authentication error for illegal user gabi from host61.190-136-177.telecom.net.ar via 10.0.1.2
Dec 9 11:46:56 server sshd[55982]: Failed keyboard-interactive/pam for invalid user gabi from 190.136.177.61 port 3525 ssh2
Dec 9 11:49:32 server sshd[56041]: reverse mapping checking getaddrinfo for 65-114-92-158.ussonet.net [65.114.92.158] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 9 11:49:32 server sshd[56041]: Invalid user gabo from 65.114.92.158
Dec 9 11:49:32 server sshd[56045]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:49:32 server sshd[56041]: error: PAM: authentication error for illegal user gabo from 65.114.92.158 via 10.0.1.2
Dec 9 11:49:32 server sshd[56041]: Failed keyboard-interactive/pam for invalid user gabo from 65.114.92.158 port 21662 ssh2
Dec 9 11:55:30 server sshd[56183]: reverse mapping checking getaddrinfo for bt-212-231.bta.net.cn [202.106.212.231] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 9 11:55:30 server sshd[56183]: Invalid user gabriela from 202.106.212.231
Dec 9 11:58:30 server sshd[56238]: Invalid user gabriele from 211.115.234.143
Dec 9 11:58:30 server sshd[56242]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 11:58:30 server sshd[56238]: error: PAM: authentication error for illegal user gabriele from 211.115.234.143 via 10.0.1.2
Dec 9 11:58:30 server sshd[56238]: Failed keyboard-interactive/pam for invalid user gabriele from 211.115.234.143 port 41563 ssh2
Dec 9 12:01:29 server sshd[56333]: Invalid user gaby from 194.78.48.108
Dec 9 12:01:29 server sshd[56337]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Dec 9 12:01:30 server sshd[56333]: error: PAM: authentication error for illegal user gaby from 108.48-78-194.adsl-static.isp.belgacom.be via 10.0.1.2
Dec 9 12:01:30 server sshd[56333]: Failed keyboard-interactive/pam for invalid user gaby from 194.78.48.108 port 30490 ssh2
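The log excerpts in the two posts above show one failed attempt per source address, each trying a different username in alphabetical order. As an added example, not code from the thread: a Python detector over constructed lines in that same sshd format. It counts failures per source inside a sliding window (the per-IP logic an sshguard-style blocker acts on) and, separately, the global rate of failures for invalid users, which is what actually trips on a distributed one-try-per-address sweep like the one shown. The sample addresses are constructed (TEST-NET ranges) and the year is an assumption, since syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "Failed ..." line sshd writes per attempt (format as in this thread). Only that
# line is counted, so the "Invalid user"/PAM lines of the same attempt are not double counted.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ for "
    r"(?P<inv>invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")
ASSUMED_YEAR = 2010  # syslog timestamps carry no year; this value is an assumption

# Constructed sample in the thread's log format (TEST-NET addresses, not real sources).
SAMPLE_LOG = [
    "Dec  9 11:37:43 server sshd[55806]: Failed keyboard-interactive/pam for invalid user ftpuser from 198.51.100.10 port 55947 ssh2",
    "Dec  9 11:40:41 server sshd[55871]: Failed keyboard-interactive/pam for invalid user ftpuser from 198.51.100.11 port 51986 ssh2",
    "Dec  9 11:43:36 server sshd[55922]: Invalid user gabi from 198.51.100.12",
    "Dec  9 11:43:36 server sshd[55922]: Failed keyboard-interactive/pam for invalid user gabi from 198.51.100.12 port 46040 ssh2",
    "Dec  9 11:46:55 server sshd[55982]: Failed keyboard-interactive/pam for invalid user gabo from 198.51.100.13 port 3525 ssh2",
    "Dec  9 11:50:01 server sshd[56100]: Failed password for admin from 203.0.113.9 port 40001 ssh2",
    "Dec  9 11:50:05 server sshd[56101]: Failed password for admin from 203.0.113.9 port 40002 ssh2",
    "Dec  9 11:50:09 server sshd[56102]: Failed password for admin from 203.0.113.9 port 40003 ssh2",
]

def parse_failed(line):
    """Return (timestamp, user, source_ip, is_invalid_user) for a failure line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], m["inv"] is not None

def find_brute_force(lines, per_ip_threshold=3, sweep_threshold=4, window_seconds=600):
    """flagged_ips: sources with >= per_ip_threshold failures in a sliding window (what an
    sshguard-style blocker acts on). distributed_sweep: failures for *invalid* users from
    any source reach sweep_threshold in the window, which per-IP counting alone never trips."""
    per_ip, sweep_q, flagged, sweep = defaultdict(deque), deque(), set(), False
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue  # PAM/Kerberos noise, "Invalid user" lines, unrelated entries
        ts, user, ip, invalid = parsed
        for q in ([per_ip[ip], sweep_q] if invalid else [per_ip[ip]]):
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop events that fell out of the window
        if len(per_ip[ip]) >= per_ip_threshold:
            flagged.add(ip)
        if len(sweep_q) >= sweep_threshold:
            sweep = True
    return {"flagged_ips": sorted(flagged), "distributed_sweep": sweep}
```

On the sample, the hammering address is flagged on its own while the four one-attempt sources only show up through the sweep counter; feeding the function `/var/log/secure.log` line by line gives the same two views of a real log.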
 

TXbug

macrumors member
Aug 24, 2009
39
0
Austin, Texas
There is a way around this without disabling SSH. On your router, port forward from an oddball port number, not already assigned. Make up a number. Then have the router forward it to port 22 on the IP of your server/computer. You may have to disable port 22 on the router.

Then you ssh using -p <oddball port number>.

It works every time. These guys are trying to do a brute-force break-in using ssh on port 22. This change will stop that dead.
 

timd.mackey

macrumors member
Jun 8, 2010
33
25
Help getting sshguard to work on Mac

Could anyone here run through how they got sshguard set up on their machines? I'm running Snow Leopard, and I got sshguard installed using macports, but I'm not sure how to get it set up properly. How do I turn it on?
 

Eric-PTEK

macrumors 6502
Mar 3, 2009
450
2
Doesn't the server have a lock out policy?

We did a test on our web servers at the data center (Win2K8R2): without a lockout policy, we had over 14,000 attempts to break in within 4 days.

Put the lockout policy in, and now they can only do 60 attempts a day, if they happen to figure out the admin name.
 

OMGWTFBBQ

macrumors member
Oct 5, 2007
71
8
Could anyone here run through how they got sshguard set up on their machines? I'm running Snow Leopard, and I got sshguard installed using macports, but I'm not sure how to get it set up properly. How do I turn it on?
Were you ever able to figure this out? If so, can you give me detailed instructions of installing it? I've done it the macports way, but I want the version from the website. The macports version is called sshguard-ipfw...

Thanks
 

micm

macrumors newbie
Jun 30, 2010
4
0
Were you ever able to figure this out? If so, can you give me detailed instructions of installing it? I've done it the macports way, but I want the version from the website. The macports version is called sshguard-ipfw...
The MacPorts version is called sshguard-ipfw because it is sshguard, compiled with the "ipfw" backend (which is the firewall OS X offers). So technically it is sshguard as from the website, just a bit outdated -- the maintainer is probably waiting for 1.5 to be released after the paranoid-long release candidate line :)

So if you install from the MacPorts, you should get a message printed after installing, going:
Code:
###########################################################
# A startup item has been generated that will aid in
# starting sshguard-ipfw with launchd. It is disabled
# by default. Execute the following command to start it,
# and to cause it to launch at startup:
#
# sudo port load sshguard-ipfw
###########################################################
just run that command and then "ps" will show you sshguard running on the system.

The MacPort is well done and convenient because it installs the OS X startupitem for you. However, there are many changes in sshguard since version 1.4. You can still compile and install a newer version yourself; then it's easy to run it e.g. with the log sucker.
 

mrubioroy

macrumors newbie
Aug 11, 2010
3
0
The MacPort is well done and convenient because it installs the OS X startupitem for you. However, there are many changes in sshguard since version 1.4. You can still compile and install a newer version yourself; then it's easy to run it e.g. with the log sucker.
Hi micm,
I've compiled the 1.5rc4 sources without problems, but when it comes to creating the launchd plist file I'm not managing to get it to work. Could you paste the MacPorts plist file or the sshguard-ipfw script? Where should I put the plist file? I've been trying in /Library/LaunchAgents, but when I launchctl load it I don't see it with "ps".

Thanks!

Miguel
 

robvas

macrumors 68040
Mar 29, 2009
3,009
478
USA
There are many things you can do to enhance SSH security.

Disable password logins. You will have to store the key on the computer you wish to access your server from remotely.

Disallow root users! Also, you can only allow certain users SSH access.

Limit login attempts to 1

Force SSH protocol version 2

The sshd_config file has a bunch of options you can set.
 

mlts22

macrumors 6502a
Oct 28, 2008
538
32
There are many things you can do to enhance SSH security.

Disable password logins. You will have to store the key on the computer you wish to access your server from remotely.

Disallow root users! Also, you can only allow certain users SSH access.

Limit login attempts to 1

Force SSH protocol version 2

The sshd_config file has a bunch of options you can set.
Here is what I do to lock down ssh:

1: Consider having a hardened host just for ssh-ing, or require a VPN connection.

2: Oddball ports are OK, but any blackhat worth their salt will find them.

3: If you can, disable password and interactive authentication, and use RSA keys. This blocks out password brute forcing. Another item to consider is using one time passwords or SecurID cards.

4: If you know the range of IPs that people use for sshing in, limit the access to that. I use this in combination with a VPN service like strongvpn.com so no matter where I am, my IP range will be known to the server.

5: As stated above, sshguard is an immense help. You want to keep a lid on attempts.

6: This goes without saying. Disallow access to root. This way, an attacker has to compromise a user account, then find a priv escalation, rather than just be handed the keys to the city.

7: Have a strong hardware router/VPN/firewall. At the minimum an AEBU or a unified security gateway like http://tinyurl.com/2bmr6vn, or one of its bigger brothers. If the blackhats cannot reach the machine, they can't compromise it.

8: Keep good backups. If your server gets compromised, you will have to reinstall completely, so it can't hurt to keep good backups of everything. Ideally, a completely locked down backup server that is a separate machine would be the best, so a blackhat that compromises the server won't be able to mess with the already stored backups.
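robvas's sshd_config list and items 3, 4 and 6 of the post above all come down to a handful of sshd_config keywords. As an added example, not code from the thread or from OpenSSH: a Python audit of that checklist (protocol 2, no root login, no password or interactive authentication, an AllowUsers restriction, a low MaxAuthTries). It parses the file the way sshd does, including the caveat that the first value of a keyword is the one used, so a hardening line appended below an existing setting changes nothing. The two config fragments are constructed, and the user@CIDR form in AllowUsers assumes a reasonably current OpenSSH.

```python
import re
# Constructed sshd_config fragments (not from the thread). WEAK has the defaults the posters
# warn about, plus an appended "fix" sshd ignores because the first value of a keyword wins.
WEAK_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
PasswordAuthentication no
"""
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 1
AllowUsers admin@10.0.1.0/24
"""
# Checklist from the thread, as sshd keywords (matched case-insensitively, like sshd does).
EXPECTED = {"protocol": "2", "permitrootlogin": "no",
            "passwordauthentication": "no", "challengeresponseauthentication": "no"}

def parse_sshd_config(text):
    """Effective global directives {keyword: value}: comments dropped, 'key value' or
    'key=value' accepted, first occurrence wins, parsing stops at the first Match block."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break  # lines below are conditional, not global
        effective.setdefault(key, value)  # sshd uses the first value it obtains
    return effective

def audit(text, max_auth_tries=3):
    """Return findings (an empty list means the thread's checklist is satisfied)."""
    cfg, findings = parse_sshd_config(text), []
    for key, want in EXPECTED.items():
        got = cfg.get(key, "<unset, default applies>")
        if got.lower() != want:
            findings.append(f"{key}: {got}, expected {want}")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("allowusers/allowgroups: unset, every local account may log in")
    tries = cfg.get("maxauthtries", "6")  # OpenSSH default
    if not tries.isdigit() or int(tries) > max_auth_tries:
        findings.append(f"maxauthtries: {tries}, expected <= {max_auth_tries}")
    return findings
```

Run `audit(open("/etc/sshd_config").read())` on a Snow Leopard box (the file lives in /etc there) to see which items are still open; note the weak fragment reports PasswordAuthentication as yes even though a "no" line sits at its bottom.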
 