My server crashed after "Failed password for invalid user .." - SSH Login Attack

Discussion in 'Apache' started by Yeros, Mar 2, 2009.

  1. #1
    My server crashed after this


    Mar  2 10:16:57 server sshd[4054]: Failed password for root from 200.55.1.162 port 36956 ssh2
    Mar  2 10:16:57 server sshd[4054]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:16:57 server sshd[4056]: Failed password for root from 200.55.1.162 port 41582 ssh2
    Mar  2 10:16:57 server sshd[4056]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:16:59 server sshd[4059]: Failed password for root from 200.55.1.162 port 37045 ssh2
    Mar  2 10:16:59 server sshd[4059]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:02 server sshd[4063]: Failed password for root from 200.55.1.162 port 37102 ssh2
    Mar  2 10:17:02 server sshd[4063]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:02 server sshd[4061]: Failed password for root from 200.55.1.162 port 41640 ssh2
    Mar  2 10:17:02 server sshd[4061]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:06 server sshd[4067]: Failed password for root from 200.55.1.162 port 41795 ssh2
    Mar  2 10:17:06 server sshd[4067]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:08 server sshd[4070]: Failed password for root from 200.55.1.162 port 41882 ssh2
    Mar  2 10:17:08 server sshd[4070]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:08 server sshd[4069]: Failed password for root from 200.55.1.162 port 37224 ssh2
    Mar  2 10:17:08 server sshd[4069]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:10 server sshd[4073]: Failed password for root from 200.55.1.162 port 41941 ssh2
    Mar  2 10:17:10 server sshd[4073]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:11 server sshd[4075]: Failed password for root from 200.55.1.162 port 37365 ssh2
    Mar  2 10:17:11 server sshd[4075]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:12 server sshd[4077]: Failed password for root from 200.55.1.162 port 42005 ssh2
    Mar  2 10:17:12 server sshd[4077]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:15 server sshd[4079]: Failed password for root from 200.55.1.162 port 37456 ssh2
    Mar  2 10:17:15 server sshd[4079]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:17 server sshd[4083]: Failed password for root from 200.55.1.162 port 37540 ssh2
    Mar  2 10:17:17 server sshd[4083]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:20 server sshd[4085]: Failed password for root from 200.55.1.162 port 37584 ssh2
    Mar  2 10:17:20 server sshd[4085]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:25 server sshd[4088]: Failed password for root from 200.55.1.162 port 37696 ssh2
    Mar  2 10:17:25 server sshd[4088]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:28 server sshd[4090]: Failed password for root from 200.55.1.162 port 37808 ssh2
    It continued for 30-35 minutes.

    I had to phone my datacenter to restart it manually.


    Any advice will be appreciated. How can I protect my server?
     
    Yeros, Mar 2, 2009 IP
  2. tolra

    tolra Active Member

    #2
    tolra, Mar 2, 2009 IP
  3. zacharooni

    zacharooni Well-Known Member

    #3
    You can also reject the attacker in routes by typing:

    /sbin/route add 200.55.1.162 reject

    Then, you will want to disable remote root login, and add a sub-user to `su -` from.

    You may also want to consider running DenyHosts, a very effective SSH bruteforce blocker.
     
    zacharooni, Mar 3, 2009 IP
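To show how the pattern in the original log can be picked up automatically before a manual route reject, here is an added example (not code from any of the posters): it parses the sshd "Failed password" lines, flags any source that produces five or more failures inside a sliding 60-second window, and renders the reject-route command from the reply above for each flagged address. The sample log is constructed; the 200.55.1.162 lines mirror the thread, while 192.0.2.10 (a documentation range address) is a made-up legitimate user, and the year 2009 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the OpenSSH failure lines quoted in the thread (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: the 200.55.1.162 lines mirror the thread's log; the
# 192.0.2.10 lines are a made-up legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Mar  2 10:16:57 server sshd[4054]: Failed password for root from 200.55.1.162 port 36956 ssh2
Mar  2 10:16:57 server sshd[4054]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  2 10:16:57 server sshd[4056]: Failed password for root from 200.55.1.162 port 41582 ssh2
Mar  2 10:16:59 server sshd[4059]: Failed password for root from 200.55.1.162 port 37045 ssh2
Mar  2 10:17:02 server sshd[4063]: Failed password for invalid user admin from 200.55.1.162 port 37102 ssh2
Mar  2 10:17:06 server sshd[4067]: Failed password for root from 200.55.1.162 port 41795 ssh2
Mar  2 10:17:30 server sshd[4090]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Mar  2 10:18:00 server sshd[4091]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
"""

def parse_ts(ts, year=2009):
    # syslog timestamps have no year; assume the thread's (March 2009).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for sources that produced at least
    `threshold` failed logins inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    totals = defaultdict(int)
    flagged = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # 'reverse mapping' and 'Accepted' lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: totals[ip] for ip in sorted(flagged)}

def reject_route_commands(flagged):
    """Render the reject-route command from the reply above for each flagged IP."""
    return [f"/sbin/route add {ip} reject" for ip in flagged]
```

A tool such as DenyHosts applies the same idea continuously; this script only shows the counting step on a captured log excerpt.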
  4. SSANZ

    SSANZ Peon

    #4
    Contact the attacker's DC, via IP whois information.

    It's a brute-force attack; ensure your OpenSSH is up to date.
     
    SSANZ, Mar 3, 2009 IP