SSH Password Guessing

This weekend I caught a bot trying to get into my server using ssh. This was what I saw in my log file:

Nov 24 21:15:53 mini sshd[55670]: error: PAM: authentication error for root from 200.106.67.47 via 192.168.1.2
Nov 24 21:15:54 mini sshd[55682]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Nov 24 21:15:54 mini sshd[55670]: error: PAM: authentication error for root from 200.106.67.47 via 192.168.1.2
Nov 24 21:15:54 mini sshd[55687]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Nov 24 21:15:54 mini sshd[55670]: error: PAM: authentication error for root from 200.106.67.47 via 192.168.1.2
...
Nov 24 21:15:56 mini sshd[55670]: Failed keyboard-interactive/pam for root from 200.106.67.47 port 4910 ssh2
Nov 24 21:16:09 mini sshd[55715]: reverse mapping checking getaddrinfo for client-200.106.67.47.speedy.net.pe [200.106.67.47] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 15:30:35 mini sshd[92616]: Address 212.156.122.94 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:19 mini sshd[1595]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
...
Nov 25 18:57:20 mini sshd[1605]: Invalid user camilla from 81.181.90.106
Nov 25 18:57:20 mini sshd[1611]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:21 mini sshd[1615]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:21 mini sshd[1619]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:21 mini sshd[1619]: Invalid user vava from 81.181.90.106
Nov 25 18:57:22 mini sshd[1625]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:22 mini sshd[1625]: Invalid user vava from 81.181.90.106
Nov 25 18:57:23 mini sshd[1631]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
...
Nov 25 19:31:46 mini sshd[8201]: User postgres not allowed because shell /dev/null is not executable
Nov 25 19:31:46 mini sshd[8207]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 19:31:46 mini sshd[8207]: User postgres not allowed because shell /dev/null is not executable
Nov 25 19:31:47 mini sshd[8213]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 19:31:47 mini sshd[8213]: User postgres not allowed because shell /dev/null is not executable
Nov 25 19:31:47 mini sshd[8219]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
...

These are just some snippets from the log (/var/log/secure.log).
If one of these IP addresses is you, get those trojans off your computer.

Countermeasures

Thanks to well chosen passwords, none of my accounts seemed to be compromised. Nevertheless I disabled password login for ssh. This is how it’s done:

  1. Make sure public key authentication works. If it doesn’t you will lock yourself out when disabling password authentication.
  2. Open /etc/sshd_config with your favorite editor.
  3. Uncomment the line where it says “PasswordAuthentication no”
  4. Disable ssh’s PAM support by uncommenting the line “UsePAM no”
  5. Restart sshd

Now ssh no longer accepts password authentication, so hackers can try to guess passwords as long as they want without getting anywhere.
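Steps 3 and 4 above edit existing lines rather than appending new ones, and that detail matters: sshd applies the first occurrence of a keyword and ignores later ones, so a `PasswordAuthentication no` appended below an earlier `PasswordAuthentication yes` changes nothing. The following script is an added example (not part of the original post) that reads an sshd_config the way sshd does and reports which password-style authentication paths are still open; the three config fragments are constructed for the example, and the defaults it assumes for absent keywords are the upstream OpenSSH ones (PasswordAuthentication yes, ChallengeResponseAuthentication yes, UsePAM no, PubkeyAuthentication yes).

```python
import re

# Three constructed sshd_config fragments (examples, not the post's real file).
STOCK_CONFIG = """\
# Authentication:
#PubkeyAuthentication yes
#PasswordAuthentication yes
UsePAM yes
"""

# What the post's procedure produces: the existing lines edited in place.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
"""

# A common mistake: the directives are appended at the end instead of the
# existing lines being edited, so the earlier 'yes' values still win.
APPENDED_CONFIG = """\
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
UsePAM no
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
DIRECTIVE_RE = re.compile(r'^(\w+)\s*(?:=|\s)\s*(.*?)\s*$')


def effective_settings(text):
    """Top-level settings as sshd applies them: the first occurrence of a
    keyword wins, comments are ignored, and everything inside a Match block is
    conditional on the client, so it is skipped here (but counted)."""
    settings, match_blocks, in_match = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == 'match':
            in_match = True
            match_blocks += 1
            continue
        if in_match:
            continue
        settings.setdefault(key, value.lower())  # first occurrence wins
    return settings, match_blocks


def password_paths(settings):
    """Authentication methods that still accept a typed password, using the
    upstream OpenSSH defaults for keywords that are absent from the file."""
    def enabled(key, default):
        return settings.get(key, default) == 'yes'

    paths = []
    if enabled('passwordauthentication', 'yes'):
        paths.append('password')
    # keyboard-interactive over PAM (the "Failed keyboard-interactive/pam" path
    # in the log) is a second password prompt; it needs both of these.
    if enabled('challengeresponseauthentication', 'yes') and enabled('usepam', 'no'):
        paths.append('keyboard-interactive/pam')
    return paths


def assess(text):
    """Summarise a config: open password paths, whether public-key auth is
    still enabled (step 1 of the procedure), and how many Match blocks were
    skipped and deserve a manual look."""
    settings, match_blocks = effective_settings(text)
    return {
        'password_paths': password_paths(settings),
        'pubkey_enabled': settings.get('pubkeyauthentication', 'yes') == 'yes',
        'match_blocks': match_blocks,
    }


if __name__ == '__main__':
    for name, cfg in [('stock', STOCK_CONFIG), ('hardened', HARDENED_CONFIG),
                      ('appended', APPENDED_CONFIG)]:
        print(name, assess(cfg))
```

Run it against a real file with `assess(open('/etc/sshd_config').read())`; a non-empty `password_paths` list means a guessing bot still has something to guess at, and `pubkey_enabled` being False with an empty list is the lock-out situation step 1 warns about.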

NB: Since disabling password authentication the attacks continue. At least I'm confident there are no passwords to be guessed. I'm still searching for a way to dynamically block these IP addresses with the firewall.
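The log excerpt at the top and the wish for dynamic blocking come down to the same thing: parse the sshd messages, attribute each failure to a source address, and flag addresses that fail repeatedly in a short window. The script below is an added example, not code from the post, that does exactly that over the lines quoted above (the sample is constructed from the excerpt, elisions included). Note that the "not allowed because shell ... is not executable" messages carry no IP, so the parser correlates them with the earlier reverse-DNS message from the same sshd process id. The threshold and window are assumptions; what you do with the flagged list (a firewall rule with an expiry, typically) is left to the tool you wire it into.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, built from the /var/log/secure.log excerpt in the post.
SAMPLE_LOG = """\
Nov 24 21:15:53 mini sshd[55670]: error: PAM: authentication error for root from 200.106.67.47 via 192.168.1.2
Nov 24 21:15:54 mini sshd[55682]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Nov 24 21:15:54 mini sshd[55670]: error: PAM: authentication error for root from 200.106.67.47 via 192.168.1.2
Nov 24 21:15:54 mini sshd[55687]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Nov 24 21:15:54 mini sshd[55670]: error: PAM: authentication error for root from 200.106.67.47 via 192.168.1.2
...
Nov 24 21:15:56 mini sshd[55670]: Failed keyboard-interactive/pam for root from 200.106.67.47 port 4910 ssh2
Nov 24 21:16:09 mini sshd[55715]: reverse mapping checking getaddrinfo for client-200.106.67.47.speedy.net.pe [200.106.67.47] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 15:30:35 mini sshd[92616]: Address 212.156.122.94 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:19 mini sshd[1595]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
...
Nov 25 18:57:20 mini sshd[1605]: Invalid user camilla from 81.181.90.106
Nov 25 18:57:20 mini sshd[1611]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:21 mini sshd[1615]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:21 mini sshd[1619]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:21 mini sshd[1619]: Invalid user vava from 81.181.90.106
Nov 25 18:57:22 mini sshd[1625]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 18:57:22 mini sshd[1625]: Invalid user vava from 81.181.90.106
Nov 25 18:57:23 mini sshd[1631]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
...
Nov 25 19:31:46 mini sshd[8201]: User postgres not allowed because shell /dev/null is not executable
Nov 25 19:31:46 mini sshd[8207]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 19:31:46 mini sshd[8207]: User postgres not allowed because shell /dev/null is not executable
Nov 25 19:31:47 mini sshd[8213]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 19:31:47 mini sshd[8213]: User postgres not allowed because shell /dev/null is not executable
Nov 25 19:31:47 mini sshd[8219]: Address 81.181.90.106 maps to host2.openmind.is.ew.ro, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
"""

# syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')

# Message shapes seen in the excerpt; first match wins.
PATTERNS = [
    ('pam_auth_error', re.compile(r'error: PAM: authentication error for (?P<user>\S+) from (?P<ip>\S+)')),
    ('failed_kbdint', re.compile(r'Failed keyboard-interactive/pam for (?P<user>\S+) from (?P<ip>\S+) port \d+')),
    ('invalid_user', re.compile(r'Invalid user (?P<user>\S+) from (?P<ip>\S+)')),
    ('shell_not_executable', re.compile(r'User (?P<user>\S+) not allowed because shell \S+ is not executable')),
    ('reverse_dns_mismatch', re.compile(r'Address (?P<ip>\S+) maps to \S+, but this does not map back')),
    ('reverse_dns_mismatch', re.compile(r'reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[^\]]+)\] failed')),
]

# Only these count as login failures; a reverse-DNS mismatch alone is noise.
FAILURE_EVENTS = {'pam_auth_error', 'failed_kbdint', 'invalid_user', 'shell_not_executable'}


def parse_events(text):
    """Turn log lines into event dicts; lines that match no pattern (the '...'
    elisions, the Kerberos chatter) are dropped. Messages without an IP are
    attributed to the last IP seen for the same sshd pid."""
    events, pid_ip = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m['pid'], m['msg']
        for kind, pat in PATTERNS:
            pm = pat.search(msg)
            if not pm:
                continue
            g = pm.groupdict()
            ip = g.get('ip')
            if ip:
                pid_ip[pid] = ip
            else:
                ip = pid_ip.get(pid)  # may stay None if the pid was never seen
            # syslog carries no year; 1900 is fine for ordering within one log
            when = datetime.strptime(m['ts'], '%b %d %H:%M:%S')
            events.append({'time': when, 'pid': pid, 'kind': kind, 'user': g.get('user'), 'ip': ip})
            break
    return events


def failures_by_ip(events):
    """Total login failures per source address."""
    counts = defaultdict(int)
    for e in events:
        if e['kind'] in FAILURE_EVENTS and e['ip']:
            counts[e['ip']] += 1
    return dict(counts)


def burst_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Addresses with at least `threshold` failures inside any `window`; this
    is the list a blocking tool would turn into temporary firewall rules."""
    times = defaultdict(list)
    for e in events:
        if e['kind'] in FAILURE_EVENTS and e['ip']:
            times[e['ip']].append(e['time'])
    flagged = []
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == '__main__':
    evs = parse_events(SAMPLE_LOG)
    print(failures_by_ip(evs))
    print(burst_sources(evs))
```

On the excerpt this flags 200.106.67.47 (four root failures in three seconds) and 81.181.90.106 (invalid users, then the postgres attempts), while 212.156.122.94, which only produced a reverse-DNS warning, is not flagged. A real blocker needs the same three additions whatever tool implements it: an expiry on each rule, an allow-list for your own addresses, and a year-aware timestamp if it runs across New Year.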
