ssh: Repeated breakin attempts

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Today I found hundreds of the following in my /var/log/auth.log:

May  2 08:12:01 debian sshd[16918]: Could not reverse map address
May  2 08:12:04 debian sshd[16920]: Could not reverse map address
May  2 08:12:06 debian sshd[16922]: Could not reverse map address

This is occasionally punctuated with the following:

May  2 08:12:47 debian sshd[16955]: User XXXX not allowed because none
user's groups are listed in AllowGroups

Where XXXX is a valid user name on my system - who is denied access via

Occasionally I get

May  2 07:59:30 debian PAM_unix[16273]: authentication failure; (uid=0)
YYYY for ssh service
May  2 07:59:32 debian sshd[16273]: Failed password for YYYY from port 39023 ssh2
May  2 07:59:35 debian sshd[16275]: Could not reverse map address

Where YYYY is a user who has permission to log in remotely via ssh.

There seem to be bursts of this sort of activity every day or two, from

different addresses.

I only have a very limited number of users who are able to log in
ssh, and the users who can have good passwords, so I assume that the
of a successful breakin is low.

What concerns me is that the attackers seem to be able to retrieve the
of users on my system.  How do they do that, and how can I prevent it?

I am running Woody, with up-to-date patches, behind a cheap hardware
firewall-router.  Open ports are 22 (sshd), 25 (sendmail), 80 (apache),
(apache-ssl), 993 (courier-imap over ssl) and 995 (courier-pop over

Re: ssh: Repeated breakin attempts wrote:

Quoted text here. Click to load it

I get these all the time. Someone is trying to password guess into your
machine. I would suggest restricting only the user accounts that need ssh
access (look at AllowGroups in the sshd.conf file)


"Microsoft isn't evil, they just make really crappy operating systems." -
Linus Torvald

"Trusted Computing" is a SCAM

Re: ssh: Repeated breakin attempts

Hash: SHA1

On mandag 2. mai 2005, 14:15 Michael Pelletier tried to express an opinion:

Quoted text here. Click to load it

As he mentioned, he is already doing that.

- --
Solbu -
Remove 'ugyldig' for email
PGP key ID: 0xFA687324
Version: GnuPG v1.2.1 (GNU/Linux)


Re: ssh: Repeated breakin attempts

Basicly, what is happening is that people are armed with list of names
and ssh bruteforce scanner that tries those names. You see them
"quessing your user accounts" because ssh makes different kind of log
entry when the account is valid and password aint compared to totally
bogus account and password..

Im pretty sure that there is no ssh box that has port 22 for public
access that hasnt been scanned with this method.. Weekly. For example,
few days ago, one italian host tried approx. 2300 different password /
account combinations.

Re: ssh: Repeated breakin attempts

AFAIK, the first group of messages doesn't indicate a break-in attempt
but just a fact that there is no reverse DNS lookup record for the
corresponding IP address.

As for passwords, remember you can disable passwords
at all and make users use ssh keys instead.  Thus even in
case a password is guessed this won't help a cracker to
log into your system.


Re: ssh: Repeated breakin attempts writes:

Quoted text here. Click to load it


OrgName:    Time Warner Telecom
OrgID:      TWTC
Address:    10475 Park Meadows Drive
City:       Littleton
StateProv:  CO
PostalCode: 80124
Country:    US

NetRange: -
NetHandle:  NET-64-132-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
RegDate:    2000-07-17
Updated:    2001-09-26

TechHandle: ZT87-ARIN
TechName:   Time Warner Telecom
TechPhone:  +1-800-898-6473

OrgAbuseHandle: TWTAD-ARIN
OrgAbuseName:   Time Warner Telecom Abuse Desk
OrgAbusePhone:  +1-800-898-6473

Re: ssh: Repeated breakin attempts wrote in news:1115026370.218553.184610

Quoted text here. Click to load it

That just means there is no DNS ptr record for that IP. Another poster
did a whois to tell you which ISP owns the address range. I guess you
could complain to the ISP if there are repeated attempts. If the address
happenned to be in Russia or China then good look with that. In this case
though it looks like a US based ISP so the complaint might be taken

If you are allowing SSH from the internet then you want to make sure  
that you are using good passwords at the very least. One thing you could
do to cut down on the annoyance level is to use iptables to block the
address ranges where you see the attacks sourced from (as long as you
don't end up blocking the legit users). Conversely, you could block all
source addresses except those that are legitimate for your users. The
processing overhead for iptables to drop an unwanted SYN packet will be a
lot less than getting as far as letting sshd process a bad login request.



Re: ssh: Repeated breakin attempts

On 2 May 2005 02:32:50 -0700,

Quoted text here. Click to load it

I have the EXACT same situation which has just cropped up in the last
couple of weeks. The usual script kiddie SSH attacks use lists of
common account names, but this "new" (to me, at any rate) attack is
being used against user names that are valid on my system (and which
are NOT common first names or account names).

Is there some new exploit that allows them to retrieve a list of valid

Re: ssh: Repeated breakin attempts

Quoted text here. Click to load it

I have some scant evidence that one or more scripts pull usernames from
spam lists. Were all of the accounts they tried also pop mail accounts?

Re: ssh: Repeated breakin attempts

On Wed, 30 Nov 2005 04:42:02 GMT, "Mr. Ellaneous"

Quoted text here. Click to load it

Well, yes, there is a POP3 server running on the machine, but the
account that the script kiddie tried is never used to send mail and
never receives mail from the outside world. The only reason I'm even
running QPopper is so that I can easily retrieve locally-generated
security reports from LogWatch.

In case it matters, the account that was tried is also an account that
is aliased to root in the mail aliases file.

Site Timeline