

#1 On 05/03/2007 at 10:57

Jordy

[solved] Is this a case of brute-force?

Hello

This morning, having nothing to do, I was browsing the log files on my web server. I went into /log/auth.log

and saw this:

Mar  5 10:53:08 hi-server sshd[1643]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:10 hi-server sshd[1643]: Failed password for invalid user admin from 67.15.102.234 port 60922 ssh2
Mar  5 10:53:12 hi-server sshd[1645]: Invalid user admin from 67.15.102.234
Mar  5 10:53:12 hi-server sshd[1645]: (pam_unix) check pass; user unknown
Mar  5 10:53:12 hi-server sshd[1645]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:14 hi-server sshd[1645]: Failed password for invalid user admin from 67.15.102.234 port 32834 ssh2
Mar  5 10:53:15 hi-server sshd[1647]: Invalid user admin from 67.15.102.234
Mar  5 10:53:15 hi-server sshd[1647]: (pam_unix) check pass; user unknown
Mar  5 10:53:15 hi-server sshd[1647]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:18 hi-server sshd[1647]: Failed password for invalid user admin from 67.15.102.234 port 32970 ssh2
Mar  5 10:53:19 hi-server sshd[1649]: Invalid user admin from 67.15.102.234
Mar  5 10:53:19 hi-server sshd[1649]: (pam_unix) check pass; user unknown
Mar  5 10:53:19 hi-server sshd[1649]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:21 hi-server sshd[1649]: Failed password for invalid user admin from 67.15.102.234 port 33130 ssh2
Mar  5 10:53:23 hi-server sshd[1651]: Invalid user admin from 67.15.102.234
Mar  5 10:53:23 hi-server sshd[1651]: (pam_unix) check pass; user unknown
Mar  5 10:53:23 hi-server sshd[1651]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:25 hi-server sshd[1651]: Failed password for invalid user admin from 67.15.102.234 port 33283 ssh2
Mar  5 10:53:27 hi-server sshd[1653]: Invalid user admin from 67.15.102.234
Mar  5 10:53:27 hi-server sshd[1653]: (pam_unix) check pass; user unknown
Mar  5 10:53:27 hi-server sshd[1653]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:29 hi-server sshd[1653]: Failed password for invalid user admin from 67.15.102.234 port 33418 ssh2
Mar  5 10:53:31 hi-server sshd[1655]: Invalid user admin from 67.15.102.234
Mar  5 10:53:31 hi-server sshd[1655]: (pam_unix) check pass; user unknown
Mar  5 10:53:31 hi-server sshd[1655]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:33 hi-server sshd[1655]: Failed password for invalid user admin from 67.15.102.234 port 33576 ssh2
Mar  5 10:53:34 hi-server sshd[1657]: Invalid user admin from 67.15.102.234
Mar  5 10:53:34 hi-server sshd[1657]: (pam_unix) check pass; user unknown
Mar  5 10:53:34 hi-server sshd[1657]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:37 hi-server sshd[1657]: Failed password for invalid user admin from 67.15.102.234 port 33728 ssh2
Mar  5 10:53:39 hi-server sshd[1659]: Invalid user admin from 67.15.102.234
Mar  5 10:53:39 hi-server sshd[1659]: (pam_unix) check pass; user unknown
Mar  5 10:53:39 hi-server sshd[1659]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:41 hi-server sshd[1659]: Failed password for invalid user admin from 67.15.102.234 port 33888 ssh2
Mar  5 10:53:43 hi-server sshd[1661]: Invalid user admin from 67.15.102.234
Mar  5 10:53:43 hi-server sshd[1661]: (pam_unix) check pass; user unknown
Mar  5 10:53:43 hi-server sshd[1661]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:45 hi-server sshd[1661]: Failed password for invalid user admin from 67.15.102.234 port 34042 ssh2
Mar  5 10:53:46 hi-server sshd[1663]: Invalid user admin from 67.15.102.234
Mar  5 10:53:46 hi-server sshd[1663]: (pam_unix) check pass; user unknown
Mar  5 10:53:46 hi-server sshd[1663]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:49 hi-server sshd[1663]: Failed password for invalid user admin from 67.15.102.234 port 34192 ssh2
Mar  5 10:53:51 hi-server sshd[1665]: Invalid user admin from 67.15.102.234
Mar  5 10:53:51 hi-server sshd[1665]: (pam_unix) check pass; user unknown
Mar  5 10:53:51 hi-server sshd[1665]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:53 hi-server sshd[1665]: Failed password for invalid user admin from 67.15.102.234 port 34354 ssh2
Mar  5 10:53:54 hi-server sshd[1667]: Invalid user admin from 67.15.102.234
Mar  5 10:53:54 hi-server sshd[1667]: (pam_unix) check pass; user unknown
Mar  5 10:53:54 hi-server sshd[1667]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com
Mar  5 10:53:56 hi-server sshd[1667]: Failed password for invalid user admin from 67.15.102.234 port 34506 ssh2

and my log is COMPLETELY full of this; the oldest line I can find dates from

Mar  5 07:35:06 hi-server sshd[27161]: Invalid user admin from 67.15.102.234

and it is still going on right now

Does this look like a brute force attack?

EDIT: that's it, now it's going after root:

Mar  5 10:57:09 hi-server sshd[1814]: Failed password for invalid user admin from 67.15.102.234 port 42116 ssh2
Mar  5 10:57:11 hi-server sshd[1816]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com  user=root
Mar  5 10:57:12 hi-server sshd[1816]: Failed password for root from 67.15.102.234 port 42246 ssh2
Mar  5 10:57:14 hi-server sshd[1818]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com  user=root
Mar  5 10:57:16 hi-server sshd[1818]: Failed password for root from 67.15.102.234 port 42369 ssh2
Mar  5 10:57:18 hi-server sshd[1820]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com  user=root
Mar  5 10:57:19 hi-server sshd[1820]: Failed password for root from 67.15.102.234 port 42522 ssh2
Mar  5 10:57:21 hi-server sshd[1822]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com  user=root
Mar  5 10:57:23 hi-server sshd[1822]: Failed password for root from 67.15.102.234 port 42650 ssh2
Mar  5 10:57:25 hi-server sshd[1824]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com  user=root
Mar  5 10:57:27 hi-server sshd[1824]: Failed password for root from 67.15.102.234 port 42796 ssh2
Mar  5 10:57:28 hi-server sshd[1826]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com  user=root
Mar  5 10:57:31 hi-server sshd[1826]: Failed password for root from 67.15.102.234 port 42936 ssh2
Mar  5 10:57:32 hi-server sshd[1828]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com  user=root
Mar  5 10:57:34 hi-server sshd[1828]: Failed password for root from 67.15.102.234 port 43097 ssh2
Mar  5 10:57:36 hi-server sshd[1830]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acme9.prestosports.com  user=root

thanks everyone

Last edited by Jordy (on 05/03/2007 at 13:44)

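An added example (not code from the thread) of the detection logic that tools like fail2ban apply to exactly these auth.log lines: parse the "Failed password" entries, count failures per source IP inside a sliding time window, and flag the sources that cross a threshold. The sample log is constructed from lines modelled on the excerpt above; the second source IP, the year, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed password" lines sshd writes to auth.log, in the format shown
# in the thread (with or without the "invalid user" prefix).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample modelled on the thread's excerpt: one source hammering "admin"
# then "root", plus a single unrelated failure from 192.0.2.10 (made up).
SAMPLE_LOG = """\
Mar  5 10:53:10 hi-server sshd[1643]: Failed password for invalid user admin from 67.15.102.234 port 60922 ssh2
Mar  5 10:53:12 hi-server sshd[1645]: Invalid user admin from 67.15.102.234
Mar  5 10:53:14 hi-server sshd[1645]: Failed password for invalid user admin from 67.15.102.234 port 32834 ssh2
Mar  5 10:53:18 hi-server sshd[1647]: Failed password for invalid user admin from 67.15.102.234 port 32970 ssh2
Mar  5 10:53:21 hi-server sshd[1649]: Failed password for invalid user admin from 67.15.102.234 port 33130 ssh2
Mar  5 10:53:25 hi-server sshd[1651]: Failed password for invalid user admin from 67.15.102.234 port 33283 ssh2
Mar  5 10:53:40 hi-server sshd[1700]: Failed password for bob from 192.0.2.10 port 40000 ssh2
Mar  5 10:57:12 hi-server sshd[1816]: Failed password for root from 67.15.102.234 port 42246 ssh2
Mar  5 10:57:16 hi-server sshd[1818]: Failed password for root from 67.15.102.234 port 42369 ssh2
""".splitlines()

def parse_failures(lines, year=2007):
    """Yield (timestamp, user, ip) per 'Failed password' line; syslog has no year, so one is assumed."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside any window of window_seconds.
    Returns {ip: {"count": total failures, "peak": max in one window, "users": [...]}}."""
    stamps_by_ip, users_by_ip = defaultdict(list), defaultdict(set)
    for ts, user, ip in parse_failures(lines):
        stamps_by_ip[ip].append(ts)
        users_by_ip[ip].add(user)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):  # two-pointer sliding window
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"count": len(stamps), "peak": peak, "users": sorted(users_by_ip[ip])}
    return flagged
```

Run on the sample, only 67.15.102.234 is flagged (7 failures, 5 of them within one 60-second window, targeting admin then root); the single failure from 192.0.2.10 stays below the threshold.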

#2 On 05/03/2007 at 11:16

foustala

Re: [solved] Is this a case of brute-force?

There are some interesting parameters in

/etc/ssh/sshd_config

such as:

PermitRootLogin
LoginGraceTime
MaxAuthTries

It's true that the default config of the ssh server could be more secure.

I refer you to reading

man sshd_config


#3 On 05/03/2007 at 11:17

Jordy

Re: [solved] Is this a case of brute-force?

Yes, I'll change that.. still, the scumbag keeps going


#4 On 05/03/2007 at 11:31

Jordy

Re: [solved] Is this a case of brute-force?

Here is my sshd config

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 25
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

I'll also change port 22 to another port when I have access to the router


#5 On 05/03/2007 at 13:43

Jordy

Re: [solved] Is this a case of brute-force?

I installed fail2ban... and it works great, no more attacks..


#6 On 05/03/2007 at 15:08

Uggy

Re: [solved] Is this a case of brute-force?

A very simple way to be sure that a brute force attack fails is to allow SSH authentication only by key (and not by password).

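As an added example serving the sshd_config advice in posts #2, #4 and #6 (not code from the thread or from OpenSSH): a small auditor that computes the effective value of the directives discussed, applying OpenSSH's defaults for directives that are absent or commented out, which shows that the commented "#PasswordAuthentication yes" in the posted config still leaves password logins enabled. The POSTED excerpt is constructed from the config above; the limits for MaxAuthTries and LoginGraceTime, plain-seconds parsing of LoginGraceTime, and ignoring Match blocks are this example's own assumptions.

```python
import re

# OpenSSH defaults applied when a directive is absent or commented out. PermitRootLogin
# defaulted to "yes" in the 4.x releases of this era; it is "prohibit-password" since 7.0.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "maxauthtries": "6", "logingracetime": "120"}

# Constructed excerpt reproducing the relevant lines of the config posted in #4.
POSTED = """\
LoginGraceTime 25
PermitRootLogin no
MaxAuthTries 5
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
"""
# Same config with the two changes the replies recommend (key-only auth, fewer tries).
HARDENED = (POSTED.replace("#PasswordAuthentication yes", "PasswordAuthentication no")
                  .replace("MaxAuthTries 5", "MaxAuthTries 3"))

def parse_sshd_config(text):
    """Effective top-level directives with lower-cased keywords. As in sshd(8), the
    first occurrence of a keyword wins. Match blocks are not handled (assumption)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and blanks contribute nothing
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        effective.setdefault(key, value)
    return effective

def audit(text, max_tries=3, max_grace=30):
    """Return the keywords whose effective value is weaker than the limits
    (the limits are this example's assumptions, not values from the thread)."""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS[k])
    findings = []
    if get("permitrootlogin").lower() != "no":
        findings.append("PermitRootLogin")
    if get("passwordauthentication").lower() != "no":
        findings.append("PasswordAuthentication")   # commented out => default "yes"
    if int(get("maxauthtries")) > max_tries:
        findings.append("MaxAuthTries")
    if int(get("logingracetime")) > max_grace:       # assumes plain seconds, as posted
        findings.append("LoginGraceTime")
    return findings
```

With ChallengeResponseAuthentication already off in the posted config, setting PasswordAuthentication to no also closes the PAM keyboard-interactive route, so only key-based logins remain.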