
You may be getting a brute force attack


Not always from China

But it mostly is ;)

So how do you check whether you are a victim of this? If you have followed my other guide on securing your server you will probably never be on the sharp end of one of these attacks unless they really want in. In that guide I suggested changing your SSH port from the default 22. This is mainly because brute-force attacks against SSH are carried out by bots: they scan entire IP ranges for open port 22 and come back later to test for weak passwords. So how do you tell that one of these attacks is underway?

One way to see if an attack is live right now is to run

tail -f /var/log/secure

This shows you a live log of the failed SSH login attempts. Take note of the offending IP(s) and block them with apf using

apf -d ip.address.to.block

This adds the IP to the hosts.deny file and drops all traffic from that source. You can do the same with iptables directly with

iptables -I INPUT -s ip.address.to.block -j DROP
service iptables save

In post mortem

To check all the attempts on a server, with how many times each source tried, you can use a combination of awk, sort and uniq to get a detailed picture of who did what (this one only lists addresses with more than 300 failures, then prints the overall total):

awk '/Failed password/ {print $(NF-3)}' /var/log/secure |sort -n|uniq -c|sort -nk1|awk '{sum+=$1;if($1>300)print "IP: ",$2,"Failed login",$1,"Times"}END{print "\nTotal failed attempts:\t"sum}'
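As an added example that is not part of the original post, here is the same per-address count as a small script run over a constructed sample of /var/log/secure lines (hypothetical host names and addresses); the function names failed_by_ip and block_commands are mine. It goes slightly beyond the one-liner: the address is picked out by the word before it rather than by field position, and the iptables rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the original post: count failed SSH logins per
# source address in a /var/log/secure-style file and flag the noisy ones.
# The address is taken from the token after "from", so plain
# "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." lines are both handled
# without relying on a fixed field position.

# Constructed sample log (hypothetical host names and documentation IPs).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 web1 sshd[2001]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  3 10:01:03 web1 sshd[2001]: Failed password for root from 198.51.100.7 port 41023 ssh2
Mar  3 10:01:05 web1 sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 41024 ssh2
Mar  3 10:02:10 web1 sshd[2003]: Failed password for invalid user test from 203.0.113.9 port 50110 ssh2
Mar  3 10:02:11 web1 sshd[2004]: Accepted publickey for deploy from 192.0.2.25 port 3311 ssh2
Mar  3 10:03:40 web1 sshd[2005]: Failed password for deploy from 192.0.2.25 port 3312 ssh2
EOF

# failed_by_ip FILE THRESHOLD
# Prints "ADDRESS COUNT" for each source with more than THRESHOLD failed
# password attempts, busiest first (ties broken by address).
failed_by_ip() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# block_commands FILE THRESHOLD
# Prints the iptables rule for each flagged address instead of running it,
# so the list can be reviewed before anything is dropped.
block_commands() {
    failed_by_ip "$1" "$2" | awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

failed_by_ip "$SAMPLE_LOG" 1        # prints: 198.51.100.7 3
block_commands "$SAMPLE_LOG" 1
```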

UPDATE: This lil beaut will give you the geolocations of the offending IP addresses:

# temp files: failure counts per IP, reverse DNS names, geolocations
t1=$(mktemp); t2=$(mktemp); t3=$(mktemp)
# count failed SSH logins per source IP, most frequent first
grep sshd /var/log/secure | grep Failed | sed 's/invalid//' | sed 's/user//' | awk '{print $11}' | sort | uniq -c | sort -rn > "$t1"
# reverse-DNS each IP; lookups that fail are shown as N/A
# (note: if host prints more than one line for an address the paste columns below will misalign)
for x in $(awk '{print $2}' "$t1"); do host "$x" | awk '{print $5}'; done > "$t2"
sed -i -e 's/3(NXDOMAIN)/N\/A/g' -e 's/2(SERVFAIL)/N\/A/g' "$t2"
# geolocate each IP via ip-api.com (CSV field 2 = country, field 5 = region); this sends every address to an external service
for y in $(awk '{print $2}' "$t1"); do curl -s "http://ip-api.com/csv/$y" | awk 'BEGIN { FS = "," } ; { print $2, $5 }'; done > "$t3"
# show the three columns side by side, then clean up
paste "$t1" "$t2" "$t3" && rm -f "$t1" "$t2" "$t3"
unset t1 t2 t3

I don't have an example of the output that this gives because I don't suffer from these attacks :P

tl;dr

CHANGE YOUR SSH PORT!!