Spammed by FTP / SSH Connection attempts
- Dark Uncle
- Beginner


- Joined: Jun 21, 2005
- Posts: 46
- Status: Offline
The company I work for has a dedicated server and when looking through the logs I see every couple of days it gets spammed by people trying to connect by FTP or SSH. It is mostly non-existent usernames they try to connect to however. Is this something to worry about and is there anything I can do about it?
I would appreciate any help people can give on this as it has me a little worried.
SSH - when it says possible breakin
Code:
Aug 17 17:33:09 SERVER_NAME sshd[3827]: Did not receive identification string from ::ffff:66.33.61.56
Aug 17 17:40:35 SERVER_NAME sshd[3892]: Invalid user jack from ::ffff:66.33.61.56
Aug 17 17:40:35 SERVER_NAME sshd[3892]: reverse mapping checking getaddrinfo for ns3.viocam.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 17 17:40:37 SERVER_NAME sshd[3894]: Invalid user marvin from ::ffff:66.33.61.56
Aug 17 17:40:38 SERVER_NAME sshd[3894]: reverse mapping checking getaddrinfo for ns3.viocam.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 17 17:40:38 SERVER_NAME sshd[3896]: Invalid user andres from ::ffff:66.33.61.56
Aug 17 17:40:38 SERVER_NAME sshd[3896]: reverse mapping checking getaddrinfo for ns3.viocam.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 17 17:40:40 SERVER_NAME sshd[3898]: Invalid user barbara from ::ffff:66.33.61.56
Aug 17 17:40:40 SERVER_NAME sshd[3898]: reverse mapping checking getaddrinfo for ns3.viocam.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 17 17:40:41 SERVER_NAME sshd[3900]: Invalid user adine from ::ffff:66.33.61.56
Aug 17 17:40:41 SERVER_NAME sshd[3900]: reverse mapping checking getaddrinfo for ns3.viocam.com failed - POSSIBLE BREAKIN ATTEMPT!
Aug 17 17:40:42 SERVER_NAME sshd[3902]: Invalid user test from ::ffff:66.33.61.56
SSH - without the breaking stuff
Code:
Aug 16 11:49:14 SERVER_NAME sshd[29010]: Did not receive identification string from ::ffff:83.136.139.111
Aug 16 11:56:31 SERVER_NAME sshd[29012]: Invalid user admin from ::ffff:83.136.139.111
Aug 16 11:56:32 SERVER_NAME sshd[29014]: Invalid user admin from ::ffff:83.136.139.111
Aug 16 11:56:33 SERVER_NAME sshd[29016]: Invalid user admin from ::ffff:83.136.139.111
Aug 16 11:56:34 SERVER_NAME sshd[29018]: Invalid user administrator from ::ffff:83.136.139.111
Aug 16 11:56:35 SERVER_NAME sshd[29020]: Invalid user jack from ::ffff:83.136.139.111
Aug 16 11:56:40 blackcase sshd[29032]: Invalid user guest from ::ffff:83.136.139.111
Aug 16 11:56:44 SERVER_NAME sshd[29035]: Invalid user db from ::ffff:83.136.139.111
Aug 16 11:56:45 SERVER_NAME sshd[29038]: Invalid user ahmed from ::ffff:83.136.139.111
...
Aug 16 12:03:42 SERVER_NAME sshd[29561]: fatal: Timeout before authentication for ::ffff:83.136.139.111
FTP - Usually they try a range of names but this guy tried only the one
Code:
Jul 31 20:25:53 SERVER_NAME proftpd[6135]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - FTP session opened.
Jul 31 20:25:53 SERVER_NAME proftpd[6135]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - no such user 'anonymous'
Jul 31 20:25:53 SERVER_NAME proftpd[6135]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - USER anonymous: no such user found from 80-41-239-63.dynamic.dsl.as9105.com [80.41.239.63] to 172.16.8.1:21
Jul 31 20:25:53 SERVER_NAME proftpd[6135]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - FTP session closed.
Jul 31 20:26:03 SERVER_NAME proftpd[6136]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - FTP session opened.
Jul 31 20:26:04 SERVER_NAME proftpd[6136]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - no such user 'anonymous'
Jul 31 20:26:04 SERVER_NAME proftpd[6136]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - USER anonymous: no such user found from 80-41-239-63.dynamic.dsl.as9105.com [80.41.239.63] to 172.16.8.1:21
Jul 31 20:26:04 SERVER_NAME proftpd[6136]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - FTP session closed.
Jul 31 20:26:22 SERVER_NAME proftpd[6137]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - FTP session opened.
Jul 31 20:26:22 SERVER_NAME proftpd[6137]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - no such user 'anonymous'
Jul 31 20:26:22 SERVER_NAME proftpd[6137]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - USER anonymous: no such user found from 80-41-239-63.dynamic.dsl.as9105.com [80.41.239.63] to 172.16.8.1:21
Jul 31 20:26:23 SERVER_NAME proftpd[6137]: blackcase.colocation (80-41-239-63.dynamic.dsl.as9105.com[80.41.239.63]) - FTP session closed.
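One way to turn log excerpts like the ones in the post above into a per-source tally of failed logins and guessed usernames (an added example, not part of the original thread). The sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted sshd/proftpd lines (RFC 5737 addresses).
SAMPLE_LOG = """\
Jul 31 20:25:53 host proftpd[6135]: host.example (dsl.example[198.51.100.9]) - no such user 'anonymous'
Jul 31 20:25:53 host proftpd[6135]: host.example (dsl.example[198.51.100.9]) - USER anonymous: no such user found from dsl.example [198.51.100.9] to 192.0.2.1:21
Jul 31 20:26:04 host proftpd[6136]: host.example (dsl.example[198.51.100.9]) - no such user 'anonymous'
Aug 16 11:49:14 host sshd[29010]: Did not receive identification string from ::ffff:203.0.113.7
Aug 16 11:56:31 host sshd[29012]: Invalid user admin from ::ffff:203.0.113.7
Aug 16 11:56:32 host sshd[29014]: Invalid user admin from ::ffff:203.0.113.7
Aug 16 11:56:34 host sshd[29018]: Invalid user administrator from ::ffff:203.0.113.7
Aug 16 11:56:35 host sshd[29020]: Invalid user jack from ::ffff:203.0.113.7
Aug 16 11:56:40 host sshd[29032]: Invalid user guest from ::ffff:203.0.113.7
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)")
FTPD_RE = re.compile(r"proftpd\[\d+\]: .*\[(?P<src>[^\]]+)\]\) - no such user '(?P<user>[^']*)'")

def normalise(addr):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 so a host is counted once."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def summarise(log_text):
    """Return {source: {"attempts": n, "users": set, "services": set}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "services": set()})
    for line in log_text.splitlines():
        for service, rx in (("ssh", SSHD_RE), ("ftp", FTPD_RE)):
            m = rx.search(line)
            if m is None:
                continue
            try:
                src = normalise(m.group("src"))
            except ValueError:  # captured field is not an IP address; skip it
                continue
            entry = stats[src]
            entry["attempts"] += 1
            entry["users"].add(m.group("user"))
            entry["services"].add(service)
    return dict(stats)

def guessing_sources(stats, min_users=3):
    """Sources that tried at least min_users distinct unknown usernames."""
    return sorted(src for src, e in stats.items() if len(e["users"]) >= min_users)

if __name__ == "__main__":
    print(guessing_sources(summarise(SAMPLE_LOG)))
```

The proftpd pattern matches only the `no such user '...'` line, so the companion `USER ...: no such user found` line for the same attempt is not counted twice.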
August 17th, 2006, 12:03 pm
- Dark Uncle
- Beginner


- Joined: Jun 21, 2005
- Posts: 46
- Status: Offline
- this213
- Guru


- Joined: Mar 01, 2004
- Posts: 1242
- Loc: ./
- Status: Offline
If you don't need FTP running, shut it down. If you do need FTP running, remove proftp and install vsftpd and configure it to jail users.
For SSH, if it doesn't have to be publicly accessible, make sure you're blocking port 22 in your firewall. If it does have to be publicly accessible move it to a non-standard port. If the machine only requires a few users to be able to connect through SSH, define which those are in your sshd_config.
http://www.disabo.com
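A small check for the two sshd_config suggestions in the reply above, the non-standard port and the explicit user list (an added example, not code from the thread). The config texts and function names are constructed, and it assumes only the `Port` and `AllowUsers` keywords in the global section matter; `Include` files, `ListenAddress` ports and `Match` blocks are not evaluated.

```python
import re

# Constructed sshd_config contents for the demo; not taken from the thread.
SAMPLE_CONFIG = """\
# stock listener, no user restriction
#Port 2222
Port 22
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
Port = 2222
allowusers deploy backup@192.0.2.*
"""

def global_options(config_text):
    """Collect keyword -> [argument strings] from the section before any Match block."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            break
        opts.setdefault(keyword, []).append(parts[1] if len(parts) > 1 else "")
    return opts

def audit(config_text):
    """Return findings for the port and user-list settings; empty list means both are set."""
    opts = global_options(config_text)
    ports = [int(p) for p in opts.get("port", ["22"])]  # sshd uses 22 when Port is absent
    users = " ".join(opts.get("allowusers", [])).split()
    findings = []
    if 22 in ports:
        findings.append("sshd listens on the standard port 22")
    if not users:
        findings.append("no AllowUsers list in the global section")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(audit(HARDENED_CONFIG))
```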
- Dark Uncle
- Beginner


- Joined: Jun 21, 2005
- Posts: 46
- Status: Offline
- this213
- Guru


- Joined: Mar 01, 2004
- Posts: 1242
- Loc: ./
- Status: Offline
"Very Secure FTP Daemon" is recommended for security and performance and used by some of the highest trafficked ftp sites out there such as ftp.redhat.com, ftp.openbsd.org and ftp.suse.com. It's easy to configure (so harder to mess up) and it's very fast.
As to proftpd, at the moment I think if you're using the current version (1.3.x) you should be OK, but: http://xforce.iss.net/xforce/alerts/id/154
http://www.disabo.com
