My server crashed after "Failed password for invalid user .." - SSH Login Attack

Discussion in 'Apache' started by Yeros, Mar 2, 2009.

  1. #1
    My server crashed after this


    Mar  2 10:16:57 server sshd[4054]: Failed password for root from 200.55.1.162 port 36956 ssh2
    Mar  2 10:16:57 server sshd[4054]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:16:57 server sshd[4056]: Failed password for root from 200.55.1.162 port 41582 ssh2
    Mar  2 10:16:57 server sshd[4056]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:16:59 server sshd[4059]: Failed password for root from 200.55.1.162 port 37045 ssh2
    Mar  2 10:16:59 server sshd[4059]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:02 server sshd[4063]: Failed password for root from 200.55.1.162 port 37102 ssh2
    Mar  2 10:17:02 server sshd[4063]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:02 server sshd[4061]: Failed password for root from 200.55.1.162 port 41640 ssh2
    Mar  2 10:17:02 server sshd[4061]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:06 server sshd[4067]: Failed password for root from 200.55.1.162 port 41795 ssh2
    Mar  2 10:17:06 server sshd[4067]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:08 server sshd[4070]: Failed password for root from 200.55.1.162 port 41882 ssh2
    Mar  2 10:17:08 server sshd[4070]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:08 server sshd[4069]: Failed password for root from 200.55.1.162 port 37224 ssh2
    Mar  2 10:17:08 server sshd[4069]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:10 server sshd[4073]: Failed password for root from 200.55.1.162 port 41941 ssh2
    Mar  2 10:17:10 server sshd[4073]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:11 server sshd[4075]: Failed password for root from 200.55.1.162 port 37365 ssh2
    Mar  2 10:17:11 server sshd[4075]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:12 server sshd[4077]: Failed password for root from 200.55.1.162 port 42005 ssh2
    Mar  2 10:17:12 server sshd[4077]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:15 server sshd[4079]: Failed password for root from 200.55.1.162 port 37456 ssh2
    Mar  2 10:17:15 server sshd[4079]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:17 server sshd[4083]: Failed password for root from 200.55.1.162 port 37540 ssh2
    Mar  2 10:17:17 server sshd[4083]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:20 server sshd[4085]: Failed password for root from 200.55.1.162 port 37584 ssh2
    Mar  2 10:17:20 server sshd[4085]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:25 server sshd[4088]: Failed password for root from 200.55.1.162 port 37696 ssh2
    Mar  2 10:17:25 server sshd[4088]: reverse mapping checking getaddrinfo for 200-55-1-162.static.impsat.net.ar failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  2 10:17:28 server sshd[4090]: Failed password for root from 200.55.1.162 port 37808 ssh2
    It continues for 30-35 minutes.

    I had to phone my datacenter to restart it manually.


    Any advice will be appreciated. How can I protect my server?
     
    Yeros, Mar 2, 2009 IP
  2. tolra

    #2
    tolra, Mar 2, 2009 IP
  3. zacharooni

    #3
    You can also reject the attacker in routes by typing:

    /sbin/route add 200.55.1.162 reject

    Then, you will want to disable remote root login, and add a sub-user to `su -` from.

    You may also want to consider running DenyHosts, a very effective SSH bruteforce blocker.
     
    zacharooni, Mar 3, 2009 IP
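
Added example, not part of any post in this thread and not DenyHosts' own code: the detection step that a blocker such as DenyHosts automates, counting failed sshd passwords per source address in a sliding window and rendering the route command from post #3 for each offender. The threshold, window, function names and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd syslog format shown in post #1
# (addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Mar  2 10:16:57 server sshd[4054]: Failed password for root from 203.0.113.7 port 36956 ssh2
Mar  2 10:16:57 server sshd[4056]: Failed password for root from 203.0.113.7 port 41582 ssh2
Mar  2 10:16:59 server sshd[4059]: Failed password for invalid user admin from 203.0.113.7 port 37045 ssh2
Mar  2 10:17:02 server sshd[4063]: Failed password for root from 203.0.113.7 port 37102 ssh2
Mar  2 10:17:03 server sshd[4064]: Accepted password for alice from 198.51.100.20 port 50022 ssh2
Mar  2 10:17:06 server sshd[4067]: Failed password for root from 203.0.113.7 port 41795 ssh2
Mar  2 10:25:00 server sshd[4101]: Failed password for alice from 198.51.100.20 port 50100 ssh2
Mar  2 11:40:00 server sshd[4200]: Failed password for alice from 198.51.100.20 port 50200 ssh2
"""

# The user name is supplied by the remote client, so anchor on the end of the
# line: the last " from <ip> port <n> ssh2" is the part sshd itself wrote.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2009):
    """Return {ip: time the threshold was crossed} for every source with at
    least `threshold` failed passwords inside a sliding `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins, reverse-mapping warnings, other daemons
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def route_reject_commands(flagged):
    """Render the reject-route command from post #3 for each flagged source."""
    return [f"/sbin/route add {ip} reject" for ip in sorted(flagged)]
```

The legitimate user at 198.51.100.20 has two failures more than an hour apart and is not flagged, which is why the count is windowed rather than cumulative.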
  4. SSANZ

    #4
    Contact the attacker's DC, via IP whois information.

    It's a bruteforce attack; ensure your OpenSSH is up to date.
     
    SSANZ, Mar 3, 2009 IP