Login SSH2

I have noticed an attempted hack and the log file shows:

Dec 27 15:40:22 hp2 sshd[24142]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:25 hp2 sshd[24142]: Failed password for root from 222.73.68.13 port 49069 ssh2
Dec 27 15:40:25 hp2 sshd[24143]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:29 hp2 sshd[24144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:30 hp2 sshd[24144]: Failed password for root from 222.73.68.13 port 49510 ssh2
Dec 27 15:40:30 hp2 sshd[24145]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:33 hp2 sshd[24146]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:35 hp2 sshd[24146]: Failed password for root from 222.73.68.13 port 49843 ssh2
Dec 27 15:40:36 hp2 sshd[24147]: Received disconnect from 222.73.68.13: 11: Bye Bye
Dec 27 15:40:39 hp2 sshd[24148]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.13 user=root
Dec 27 15:40:41 hp2 sshd[24148]: Failed password for root from 222.73.68.13 port 50227 ssh2
Dec 27 15:40:41 hp2 sshd[24149]: Received disconnect from 222.73.68.13: 11: Bye Bye

What I am not sure about is ssh2 and why the port is random, or is this the originating port? I have ssh set up but in the firewall settings it is locked to my IP address? Can anyone tell me how to lock this down?

Is there any way, if a Virtualmin password has been entered incorrectly so many times, that the user can be automatically blacklisted?

Thanks
Colin

My assumption is that the “random port” is the source port number used by the remote system to connect to your port 22, and SSH2 is the protocol version (there are two major versions of SSH, SSH1 and SSH2).

Locking stuff like this down is a fight against windmills. Let them try to guess your passwords - you can’t keep them from doing so, and if your passwords are sufficiently secure, there’s no danger.

The easiest way to reduce the amount of log entries like these is to use a non-standard port for SSH.

Yes Locutus, you are correct, they are trying brute force on SFTP. I have seen settings in Webmin Configuration/Authentication; there is a setting for block host with x number of failed logins. Does this apply to FTP or just Webmin login, as this does not seem to be working?

Thanks
Colin

It most likely only applies to Webmin. If at all, an appropriate setting for SSH could be found in the SSH Server module, though I’m not aware that the usual SSH daemon has such a feature.
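
Added example (not part of any post in this thread, and not Webmin's or sshd's own code): the per-host failure counting that a "block host after x failed logins" feature depends on, applied to `Failed password` lines in the format shown in the log above, with the number after `port` read as the client's source port. The threshold, time window, assumed year and the last sample line (203.0.113.7) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First four lines are copied from the log in the thread; the last is constructed.
SAMPLE_LOG = """\
Dec 27 15:40:25 hp2 sshd[24142]: Failed password for root from 222.73.68.13 port 49069 ssh2
Dec 27 15:40:30 hp2 sshd[24144]: Failed password for root from 222.73.68.13 port 49510 ssh2
Dec 27 15:40:35 hp2 sshd[24146]: Failed password for root from 222.73.68.13 port 49843 ssh2
Dec 27 15:40:41 hp2 sshd[24148]: Failed password for root from 222.73.68.13 port 50227 ssh2
Dec 27 15:41:02 hp2 sshd[24150]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<sport>\d+) (?P<proto>ssh\d?)\s*$"
)

def parse_failures(text, year=2000):
    """Yield (timestamp, ip, user, source_port) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # Classic syslog timestamps carry no year, so one is assumed here.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], int(m["sport"])

def offenders(text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for hosts with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, ip, _user, _sport in parse_failures(text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins inside the window")
```

Counting is keyed on the source address only; the source port changes on every connection, as the sample lines show, so it is not useful as a blocking key.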