Pages: 1
#1 On 05/03/2007 at 10:57
- Jordy
[solved] Is this a case of brute-force?
Hello
This morning, having nothing to do, I was wandering through the log files of my WEB server. I went into /log/auth.log
and there I saw this:
Mar 5 10:53:08 hi-server sshd[1643]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:10 hi-server sshd[1643]: Failed password for invalid user admin from 67.15.102.234 port 60922 ssh2
Mar 5 10:53:12 hi-server sshd[1645]: Invalid user admin from 67.15.102.234
Mar 5 10:53:12 hi-server sshd[1645]: (pam_unix) check pass; user unknown
Mar 5 10:53:12 hi-server sshd[1645]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:14 hi-server sshd[1645]: Failed password for invalid user admin from 67.15.102.234 port 32834 ssh2
Mar 5 10:53:15 hi-server sshd[1647]: Invalid user admin from 67.15.102.234
Mar 5 10:53:15 hi-server sshd[1647]: (pam_unix) check pass; user unknown
Mar 5 10:53:15 hi-server sshd[1647]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:18 hi-server sshd[1647]: Failed password for invalid user admin from 67.15.102.234 port 32970 ssh2
Mar 5 10:53:19 hi-server sshd[1649]: Invalid user admin from 67.15.102.234
Mar 5 10:53:19 hi-server sshd[1649]: (pam_unix) check pass; user unknown
Mar 5 10:53:19 hi-server sshd[1649]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:21 hi-server sshd[1649]: Failed password for invalid user admin from 67.15.102.234 port 33130 ssh2
Mar 5 10:53:23 hi-server sshd[1651]: Invalid user admin from 67.15.102.234
Mar 5 10:53:23 hi-server sshd[1651]: (pam_unix) check pass; user unknown
Mar 5 10:53:23 hi-server sshd[1651]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:25 hi-server sshd[1651]: Failed password for invalid user admin from 67.15.102.234 port 33283 ssh2
Mar 5 10:53:27 hi-server sshd[1653]: Invalid user admin from 67.15.102.234
Mar 5 10:53:27 hi-server sshd[1653]: (pam_unix) check pass; user unknown
Mar 5 10:53:27 hi-server sshd[1653]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:29 hi-server sshd[1653]: Failed password for invalid user admin from 67.15.102.234 port 33418 ssh2
Mar 5 10:53:31 hi-server sshd[1655]: Invalid user admin from 67.15.102.234
Mar 5 10:53:31 hi-server sshd[1655]: (pam_unix) check pass; user unknown
Mar 5 10:53:31 hi-server sshd[1655]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:33 hi-server sshd[1655]: Failed password for invalid user admin from 67.15.102.234 port 33576 ssh2
Mar 5 10:53:34 hi-server sshd[1657]: Invalid user admin from 67.15.102.234
Mar 5 10:53:34 hi-server sshd[1657]: (pam_unix) check pass; user unknown
Mar 5 10:53:34 hi-server sshd[1657]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:37 hi-server sshd[1657]: Failed password for invalid user admin from 67.15.102.234 port 33728 ssh2
Mar 5 10:53:39 hi-server sshd[1659]: Invalid user admin from 67.15.102.234
Mar 5 10:53:39 hi-server sshd[1659]: (pam_unix) check pass; user unknown
Mar 5 10:53:39 hi-server sshd[1659]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:41 hi-server sshd[1659]: Failed password for invalid user admin from 67.15.102.234 port 33888 ssh2
Mar 5 10:53:43 hi-server sshd[1661]: Invalid user admin from 67.15.102.234
Mar 5 10:53:43 hi-server sshd[1661]: (pam_unix) check pass; user unknown
Mar 5 10:53:43 hi-server sshd[1661]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:45 hi-server sshd[1661]: Failed password for invalid user admin from 67.15.102.234 port 34042 ssh2
Mar 5 10:53:46 hi-server sshd[1663]: Invalid user admin from 67.15.102.234
Mar 5 10:53:46 hi-server sshd[1663]: (pam_unix) check pass; user unknown
Mar 5 10:53:46 hi-server sshd[1663]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:49 hi-server sshd[1663]: Failed password for invalid user admin from 67.15.102.234 port 34192 ssh2
Mar 5 10:53:51 hi-server sshd[1665]: Invalid user admin from 67.15.102.234
Mar 5 10:53:51 hi-server sshd[1665]: (pam_unix) check pass; user unknown
Mar 5 10:53:51 hi-server sshd[1665]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:53 hi-server sshd[1665]: Failed password for invalid user admin from 67.15.102.234 port 34354 ssh2
Mar 5 10:53:54 hi-server sshd[1667]: Invalid user admin from 67.15.102.234
Mar 5 10:53:54 hi-server sshd[1667]: (pam_unix) check pass; user unknown
Mar 5 10:53:54 hi-server sshd[1667]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar 5 10:53:56 hi-server sshd[1667]: Failed password for invalid user admin from 67.15.102.234 port 34506 ssh2
and my log is filled with this in its ENTIRETY; the oldest line I can find is dated
Mar 5 07:35:06 hi-server sshd[27161]: Invalid user admin from 67.15.102.234
and it is still going on right now.
This looks like a brute force, doesn't it?
EDIT: that's it, now it's going after root:
Mar 5 10:57:09 hi-server sshd[1814]: Failed password for invalid user admin from 67.15.102.234 port 42116 ssh2
Mar 5 10:57:11 hi-server sshd[1816]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com user=root
Mar 5 10:57:12 hi-server sshd[1816]: Failed password for root from 67.15.102.234 port 42246 ssh2
Mar 5 10:57:14 hi-server sshd[1818]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com user=root
Mar 5 10:57:16 hi-server sshd[1818]: Failed password for root from 67.15.102.234 port 42369 ssh2
Mar 5 10:57:18 hi-server sshd[1820]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com user=root
Mar 5 10:57:19 hi-server sshd[1820]: Failed password for root from 67.15.102.234 port 42522 ssh2
Mar 5 10:57:21 hi-server sshd[1822]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com user=root
Mar 5 10:57:23 hi-server sshd[1822]: Failed password for root from 67.15.102.234 port 42650 ssh2
Mar 5 10:57:25 hi-server sshd[1824]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com user=root
Mar 5 10:57:27 hi-server sshd[1824]: Failed password for root from 67.15.102.234 port 42796 ssh2
Mar 5 10:57:28 hi-server sshd[1826]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com user=root
Mar 5 10:57:31 hi-server sshd[1826]: Failed password for root from 67.15.102.234 port 42936 ssh2
Mar 5 10:57:32 hi-server sshd[1828]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com user=root
Mar 5 10:57:34 hi-server sshd[1828]: Failed password for root from 67.15.102.234 port 43097 ssh2
Mar 5 10:57:36 hi-server sshd[1830]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com user=root
thanks everyone
Last edited by Jordy (05/03/2007 at 13:44)
#2 On 05/03/2007 at 11:16
- foustala
Re: [solved] Is this a case of brute-force?
There are some interesting parameters in
/etc/ssh/sshd_config
such as:
PermitRootLogin
LoginGraceTime
MaxAuthTries
It's true that the default config of the ssh server could be more secure.
I'd point you to reading
man sshd_config
#3 On 05/03/2007 at 11:17
- Jordy
Re: [solved] Is this a case of brute-force?
yes, I'm going to change that.. still, that doesn't stop the swine from carrying on
#4 On 05/03/2007 at 11:31
- Jordy
Re: [solved] Is this a case of brute-force?
Here is my sshd config
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 25
PermitRootLogin no
StrictModes yes

MaxAuthTries 5
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
I'll also change port 22 to another port when I have access to the router.
#5 On 05/03/2007 at 13:43
- Jordy
Re: [solved] Is this a case of brute-force?
I installed fail2ban... and it works really well, no more attacks..
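The question in post #1 (is this a brute force?) and the fail2ban fix in post #5 come down to the same check: count "Failed password" lines per source host inside a time window and act once a threshold is crossed. The script below is an added example, not code from the thread and not fail2ban's own code. It parses a handful of constructed auth.log lines modelled on the ones Jordy posted, summarises failures per source, and applies the decision rule fail2ban's sshd jail uses (assumed parameters: maxretry=5 failures within findtime=600 seconds; the year 2007 is also an assumption, since syslog timestamps carry no year). Note the new sshd PID on every line of the posted log: the attacker opens a fresh connection for each guess, so a per-connection limit such as MaxAuthTries never triggers, while a per-host window does.

```python
"""Added example (not from the thread, not fail2ban's code): flag SSH
password brute-forcing in auth.log with a per-source sliding window,
the same decision rule fail2ban's sshd jail applies."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the lines Jordy posted (syslog omits the year).
SAMPLE_LOG = """\
Mar 5 10:53:10 hi-server sshd[1643]: Failed password for invalid user admin from 67.15.102.234 port 60922 ssh2
Mar 5 10:53:12 hi-server sshd[1645]: Invalid user admin from 67.15.102.234
Mar 5 10:53:14 hi-server sshd[1645]: Failed password for invalid user admin from 67.15.102.234 port 32834 ssh2
Mar 5 10:53:18 hi-server sshd[1647]: Failed password for invalid user admin from 67.15.102.234 port 32970 ssh2
Mar 5 10:53:21 hi-server sshd[1649]: Failed password for invalid user admin from 67.15.102.234 port 33130 ssh2
Mar 5 10:53:25 hi-server sshd[1651]: Failed password for invalid user admin from 67.15.102.234 port 33283 ssh2
Mar 5 10:57:12 hi-server sshd[1816]: Failed password for root from 67.15.102.234 port 42246 ssh2
Mar 5 10:57:16 hi-server sshd[1818]: Failed password for root from 67.15.102.234 port 42369 ssh2
Mar 5 10:58:00 hi-server sshd[1900]: Failed password for jordy from 192.0.2.10 port 50000 ssh2
Mar 5 10:58:30 hi-server sshd[1901]: Accepted publickey for jordy from 192.0.2.10 port 50001 ssh2
"""

# Accepts both "Mar  5" (real syslog) and "Mar 5" (as pasted in the thread).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(text, year=2007):
    """One (timestamp, ip, user, invalid_user, pid) tuple per 'Failed password'
    line; other sshd lines are skipped. The year is an assumption because
    syslog timestamps do not carry it."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["invalid"] is not None, int(m["pid"])))
    return events


def find_bans(events, maxretry=5, findtime=600):
    """fail2ban-style rule: a source is banned the moment it reaches maxretry
    failures within findtime seconds. Returns {ip: ban_time}."""
    recent = defaultdict(list)
    bans = {}
    for ts, ip, _user, _invalid, _pid in sorted(events):
        if ip in bans:
            continue  # already banned; the firewall would be dropping it now
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime]
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts
    return bans


def summarize(events):
    """Per-source view for 'is this a brute force?': failure count, usernames
    tried, how many targeted non-existent users, first/last time, and whether
    every guess came on a fresh connection (distinct sshd pid per failure)."""
    summary = {}
    for ts, ip, user, invalid, pid in sorted(events):
        s = summary.setdefault(ip, {"failures": 0, "users": set(), "invalid_user_failures": 0,
                                    "pids": set(), "first": ts, "last": ts})
        s["failures"] += 1
        s["users"].add(user)
        s["invalid_user_failures"] += invalid
        s["pids"].add(pid)
        s["last"] = ts
    for s in summary.values():
        s["users"] = sorted(s["users"])
        s["one_connection_per_guess"] = len(s["pids"]) == s["failures"]
        del s["pids"]
    return summary


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for ip, s in summarize(ev).items():
        print(f"{ip}: {s['failures']} failures, users={s['users']}, "
              f"new connection per guess={s['one_connection_per_guess']}")
    for ip, when in find_bans(ev).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Run against a real file with `parse_failures(open("/var/log/auth.log").read())`; the only change needed for year boundaries is to pass the right `year`. The window is deliberately evaluated per source, not per connection, because the posted log shows one guess per connection.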
#6 On 05/03/2007 at 15:08
- Uggy
Re: [solved] Is this a case of brute-force?
A very simple way to be sure a brute-force attack fails is to allow SSH authentication by key only (and not by password).
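foustala's pointer to sshd_config keywords (post #2), Jordy's posted config (post #4) and Uggy's advice to allow key authentication only (post #6) can be checked mechanically. The script below is an added example, not from the thread and not OpenSSH's code: it parses an sshd_config the way sshd does (first occurrence of a keyword wins), fills in commented-out keywords with the defaults OpenSSH 4.x used at the time (assumed values, listed in DEFAULTS), flags the settings that still let a password guesser in, and emits a hardened copy. On Jordy's config it reports that PasswordAuthentication is still effectively yes (the keyword is commented out), which is why the brute force kept running after PermitRootLogin was already set to no. Two caveats a practitioner wants: with UsePAM yes, ChallengeResponseAuthentication must also be no, otherwise keyboard-interactive still prompts for a password; and MaxAuthTries counts guesses per connection, so an attacker who reconnects for every guess (as in the posted log) is only slowed, not stopped.

```python
"""Added example (not from the thread or OpenSSH): audit an sshd_config for
settings that still let a password guesser in, then emit a hardened copy."""
import re

# Constructed sample: a trimmed copy of the sshd_config Jordy posted.
JORDY_CONFIG = """\
Port 22
Protocol 2
LoginGraceTime 25
PermitRootLogin no
MaxAuthTries 5
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
"""

# Assumed OpenSSH 4.x-era defaults used when a keyword is absent or commented out.
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "pubkeyauthentication": "yes",
            "permitemptypasswords": "no", "maxauthtries": "6", "logingracetime": "120",
            "usepam": "no"}
# Values the hardened copy enforces: key-only authentication, fewer and shorter guesses.
HARDENING = {"protocol": "2", "permitrootlogin": "no", "passwordauthentication": "no",
             "challengeresponseauthentication": "no", "permitemptypasswords": "no",
             "maxauthtries": "3", "logingracetime": "30"}
# Canonical spelling for rendering; sshd itself matches keywords case-insensitively.
CANONICAL = {"protocol": "Protocol", "permitrootlogin": "PermitRootLogin",
             "passwordauthentication": "PasswordAuthentication",
             "challengeresponseauthentication": "ChallengeResponseAuthentication",
             "permitemptypasswords": "PermitEmptyPasswords", "maxauthtries": "MaxAuthTries",
             "logingracetime": "LoginGraceTime", "pubkeyauthentication": "PubkeyAuthentication",
             "usepam": "UsePAM", "port": "Port"}


def parse_sshd_config(text):
    """{keyword.lower(): value}. Like sshd: '#' lines are comments, both
    'Key value' and 'Key=value' parse, and the FIRST occurrence of a keyword
    wins. Parsing stops at a Match block (its keywords apply conditionally).
    Repeatable keywords such as HostKey collapse to their first value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def _seconds(value):
    """LoginGraceTime accepts sshd time formats such as 30, 30s, 2m, 1h."""
    m = re.fullmatch(r"(\d+)([smh]?)", value)
    if not m:
        raise ValueError(f"unsupported time value {value!r}")
    return int(m[1]) * {"": 1, "s": 1, "m": 60, "h": 3600}[m[2]]


def effective(cfg, key):
    """Value sshd would actually use: the explicit setting, else the assumed default."""
    return cfg.get(key, DEFAULTS.get(key, "")).lower()


def audit(cfg):
    """[(severity, keyword, message)] for settings that keep password guessing
    possible, make it cheap, or would lock everyone out after hardening."""
    e = {k: effective(cfg, k) for k in DEFAULTS}
    checks = [
        ("1" in e["protocol"].split(","), "high", "protocol", "SSH protocol 1 enabled; set Protocol 2"),
        (e["permitrootlogin"] == "yes", "high", "permitrootlogin", "root password login allowed"),
        (e["passwordauthentication"] == "yes", "high", "passwordauthentication",
         "password logins allowed (absent keyword means yes); set PasswordAuthentication no"),
        (e["challengeresponseauthentication"] == "yes" and e["usepam"] == "yes", "high",
         "challengeresponseauthentication",
         "PAM keyboard-interactive still prompts for a password; set ChallengeResponseAuthentication no"),
        (e["permitemptypasswords"] == "yes", "high", "permitemptypasswords", "empty passwords accepted"),
        (e["pubkeyauthentication"] == "no" and e["passwordauthentication"] == "no"
         and e["challengeresponseauthentication"] == "no", "high", "pubkeyauthentication",
         "no authentication method left; this config would lock everyone out"),
        (int(e["maxauthtries"]) > 3, "low", "maxauthtries",
         "over 3 guesses per connection; attackers reconnect per guess, so this only slows them"),
        (_seconds(e["logingracetime"]) > 30, "low", "logingracetime",
         "unauthenticated connections stay open longer than 30 s"),
    ]
    return [(sev, key, msg) for hit, sev, key, msg in checks if hit]


def harden(cfg):
    """Copy of cfg with HARDENING applied; confirm a key login works before deploying."""
    return {**cfg, **HARDENING}


def render(cfg):
    """Back to sshd_config syntax, one keyword per line."""
    return "".join(f"{CANONICAL.get(k, k)} {v}\n" for k, v in cfg.items())


if __name__ == "__main__":
    cfg = parse_sshd_config(JORDY_CONFIG)
    for sev, key, msg in audit(cfg):
        print(f"[{sev}] {CANONICAL.get(key, key)}: {msg}")
    print(render(harden(cfg)))
```

Because sshd takes the first value it reads for a keyword, a hardened setting appended at the end of an existing file would be ignored; edit the existing line or put the override before it, then test with `sshd -t` and open a second session with a key before closing the one you are in.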