ssh authentication hack attempts (LOADS!)

Discussion in 'macOS' started by blackscooby, Jun 5, 2007.

  1. blackscooby macrumors 6502

    #1
    My Mac is running a web server plus ssh such that I can securely access the Mac from work via terminal and VNC.

    I've just checked the /var/log/secure.log and I'm seriously shocked at the number of hacking attempts. This is an extract from the log, but it's the same 24h a day 7 days a week... It looks like a system is trying to hack in ALL THE TIME!

    Jun 5 02:10:58 john-does-computer sshd[15992]: Failed password for invalid user cesar from 217.24.240.77 port 43298 ssh2
    Jun 5 02:11:02 john-does-computer sshd[15994]: Failed password for invalid user cesar from 217.24.240.77 port 44118 ssh2
    Jun 5 02:11:03 john-does-computer sshd[15996]: Failed password for invalid user craig from 217.24.240.77 port 46196 ssh2
    Jun 5 02:11:05 john-does-computer sshd[15998]: Failed password for invalid user craig from 217.24.240.77 port 46542 ssh2
    Jun 5 02:11:06 john-does-computer sshd[16000]: Failed password for invalid user alfred from 217.24.240.77 port 47242 ssh2
    Jun 5 02:11:07 john-does-computer sshd[16002]: Failed password for invalid user alfred from 217.24.240.77 port 47601 ssh2
    Jun 5 02:11:08 john-does-computer sshd[16004]: Failed password for invalid user cpanel from 217.24.240.77 port 48413 ssh2
    Jun 5 02:11:09 john-does-computer sshd[16006]: Failed password for invalid user cpanel from 217.24.240.77 port 49327 ssh2
    Jun 5 02:11:10 john-does-computer sshd[16008]: Failed password for invalid user cpanel from 217.24.240.77 port 49734 ssh2
    Jun 5 02:11:12 john-does-computer sshd[16010]: Failed password for invalid user leonardo from 217.24.240.77 port 50566 ssh2
    Jun 5 02:11:13 john-does-computer sshd[16012]: Failed password for invalid user leonardo from 217.24.240.77 port 50914 ssh2
    Jun 5 02:11:14 john-does-computer sshd[16014]: Failed password for invalid user adine from 217.24.240.77 port 51639 ssh2
    Jun 5 02:11:18 john-does-computer sshd[16016]: Failed password for invalid user adine from 217.24.240.77 port 52689 ssh2
    Jun 5 02:11:20 john-does-computer sshd[16018]: Failed password for invalid user db from 217.24.240.77 port 54832 ssh2
    Jun 5 02:11:21 john-does-computer sshd[16020]: Failed password for invalid user db from 217.24.240.77 port 55175 ssh2
    Jun 5 02:11:22 john-does-computer sshd[16022]: Failed password for invalid user db from 217.24.240.77 port 55863 ssh2
    Jun 5 02:11:23 john-does-computer sshd[16024]: Failed password for invalid user flower from 217.24.240.77 port 56223 ssh2
    Jun 5 02:11:24 john-does-computer sshd[16026]: Failed password for invalid user flower from 217.24.240.77 port 57210 ssh2
    Jun 5 02:11:25 john-does-computer sshd[16028]: Failed password for invalid user particle from 217.24.240.77 port 57898 ssh2
    Jun 5 02:11:26 john-does-computer sshd[16030]: Failed password for invalid user particle from 217.24.240.77 port 58259 ssh2
    Jun 5 02:11:28 john-does-computer sshd[16032]: Failed password for invalid user golf from 217.24.240.77 port 59000 ssh2
    Jun 5 02:11:29 john-does-computer sshd[16034]: Failed password for invalid user golf from 217.24.240.77 port 59365 ssh2
    Jun 5 02:11:33 john-does-computer sshd[16036]: Failed password for invalid user kid from 217.24.240.77 port 60307 ssh2
    Jun 5 02:11:34 john-does-computer sshd[16038]: Failed password for invalid user kid from 217.24.240.77 port 34055 ssh2
    Jun 5 02:11:35 john-does-computer sshd[16040]: Failed password for invalid user kid from 217.24.240.77 port 34835 ssh2
    Jun 5 02:11:36 john-does-computer sshd[16042]: Failed password for invalid user kids from 217.24.240.77 port 35480 ssh2
    Jun 5 02:11:37 john-does-computer sshd[16044]: Failed password for invalid user kids from 217.24.240.77 port 36211 ssh2

    Seriously worried at the number of attempted logins I've had.
    I'm on port 22, but I might change that to another random port later. From the logs I can see that the users that are being attempted are also alphabetical. Looked like an automated waller.

    Still, this is seriously worrying !

    Mark
     
  2. tyr2 macrumors 6502a

    #2
    Not unusual if you're running a ssh daemon on the public internet, they get attacked all the time.

    Your best bet is to change the IP to some other port, or change to key based authentication only.
     
  3. blackscooby thread starter macrumors 6502

    #3
    Yeah I'm going to use another port and block port 22 on my router.
     
  4. Ananas OS X macrumors newbie

    #4
    I know how to hack u...

    I know a way to hack you, think the same way as him not gonna do that though! But this guy knows your IP better change it!

    Good luck
     
  5. GekkePrutser macrumors 6502a

    #5
    These are just automated bot scans, they just try the most common username/password combinations. If you have decent passwords it won't be a problem. They are very common on the internet and it doesn't mean someone is out to get you. They're just infected machines trying to automatically scan for new victims.

    However they do consume a lot of CPU resources because for every attempt a session encryption key has to be generated. Moving your SSH server to port 443 or something is an option that will already prevent most of these bots. Someone above already suggested it too and it worked for me too.

    However if you would like to stay on port 22 the best way is to install something like DenyHosts, which is a script that automatically blacklists IPs with more than X consecutive failed login attempts. It works like a charm on Linux and FreeBSD, I'm sure it can be made to run on Mac OS as well. It uses the TCP wrapper (/etc/hosts.deny) for blocking so it's not firewall dependent.

    Edit: Oops, this was an age old thread, didn't check the original post date, sorry.
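
The DenyHosts-style check described in post #5, as an added example that is not part of the original thread and not DenyHosts' own code: it counts consecutive failed sshd logins per source address in secure.log-format lines and emits /etc/hosts.deny entries. The threshold, the allowlist parameter, the function names and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the secure.log extract in post #1.
# Addresses come from documentation ranges; user names are made up.
SAMPLE_LOG = """\
Jun 5 02:10:58 host sshd[15992]: Failed password for invalid user cesar from 203.0.113.7 port 43298 ssh2
Jun 5 02:11:02 host sshd[15994]: Failed password for invalid user cesar from 203.0.113.7 port 44118 ssh2
Jun 5 02:11:03 host sshd[15995]: Failed password for mark from 198.51.100.20 port 50101 ssh2
Jun 5 02:11:05 host sshd[15996]: Failed password for invalid user craig from 203.0.113.7 port 46196 ssh2
Jun 5 02:11:06 host sshd[15997]: Failed password for mark from 198.51.100.20 port 50102 ssh2
Jun 5 02:11:09 host sshd[15998]: Accepted password for mark from 198.51.100.20 port 50103 ssh2
Jun 5 02:11:10 host sshd[16000]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 203.0.113.7 port 47242 ssh2
Jun 5 02:11:12 host sshd[16001]: Failed password for mark from 198.51.100.20 port 50104 ssh2
Jun 5 02:11:13 host sshd[16002]: Failed password for mark from 198.51.100.20 port 50105 ssh2
"""

# Greedy user match plus the end-of-line anchor: the address is always taken
# from the last "from ... port ... ssh2", so a user name that itself contains
# " from 192.0.2.99 port 1 ssh2" cannot get an innocent address blocked.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for .* from (\S+) port \d+ ssh2$")

def offenders(log_text, threshold=3, allowlist=()):
    """Map each IP with more than `threshold` consecutive failures to the user names it tried."""
    streak, users, blocked = defaultdict(int), defaultdict(set), {}
    for line in log_text.splitlines():
        line = line.rstrip()
        failed, ok = FAILED.search(line), ACCEPTED.search(line)
        if failed:  # checked first, so "Accepted" inside a user name is ignored
            user, ip = failed.groups()
            streak[ip] += 1
            users[ip].add(user)
            if streak[ip] > threshold and ip not in allowlist:
                blocked[ip] = sorted(users[ip])
        elif ok:  # a successful login ends that address's run of failures
            streak[ok.group(1)] = 0
            users[ok.group(1)].clear()
    return blocked

def hosts_deny_lines(blocked):
    """TCP wrapper entries of the kind appended to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

The allowlist is there so that an address you log in from yourself (a work IP, say) is never written to hosts.deny after a few mistyped passwords.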
     
