goddy
newbie
Topic Author
Posts: 31
Joined: Thu Mar 10, 2005 11:30 pm
Location: accra,ghana-west africa

Is somebody hacking my system?

Sat Oct 08, 2005 4:20 pm

Hi, when I logged in today this is what I got. Is someone trying to hack into my system? And what do I do? This is the message I got:

(193 messages not shown)
oct/07/2005 12:08:02 system,error,critical login failure for user amanda from 210.125.133.51 via ssh
oct/07/2005 12:08:08 system,error,critical login failure for user amazing from 210.125.133.51 via ssh
oct/07/2005 12:08:15 system,error,critical login failure for user amber from 210.125.133.51 via ssh
oct/07/2005 12:08:21 system,error,critical login failure for user american from 210.125.133.51 via ssh
oct/07/2005 12:08:28 system,error,critical login failure for user amit from 210.125.133.51 via ssh
oct/07/2005 12:08:35 system,error,critical login failure for user amy from 210.125.133.51 via ssh
oct/07/2005 12:08:41 system,error,critical login failure for user anand from 210.125.133.51 via ssh
oct/07/2005 12:08:48 system,error,critical login failure for user anderson from 210.125.133.51 via ssh
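A way to check a console paste like the one above for brute-force behaviour, added here as an example and not code from this thread or from MikroTik: it rejoins lines the RouterOS console wrapped at 80 columns, counts login failures per source address inside a time window, reports how many distinct usernames each source tried (the dictionary pattern visible in the post), and lists any successful login from an address that also failed, which is the line worth checking first. The log lines it runs on are constructed to resemble the ones in the post; the 192.0.2.7 entries, the "logged in" line, and the threshold and window values are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the console paste in the post above (not the
# poster's actual log). The RouterOS console wraps output at 80 columns, so two
# of the lines below are deliberately wrapped the way the paste was: once in the
# middle of the address, once at the space before it.
SAMPLE_LOG = """\
oct/07/2005 12:08:02 system,error,critical login failure for user amanda from 21
0.125.133.51 via ssh
oct/07/2005 12:08:08 system,error,critical login failure for user amazing from 210.125.133.51 via ssh
oct/07/2005 12:08:15 system,error,critical login failure for user amber from 210.125.133.51 via ssh
oct/07/2005 12:08:21 system,error,critical login failure for user american from
210.125.133.51 via ssh
oct/07/2005 12:08:28 system,error,critical login failure for user amit from 210.125.133.51 via ssh
oct/07/2005 12:08:35 system,error,critical login failure for user amy from 210.125.133.51 via ssh
oct/07/2005 12:09:10 system,error,critical login failure for user admin from 192.0.2.7 via ssh
oct/07/2005 12:09:30 system,info,account user admin logged in from 192.0.2.7 via ssh
"""

TS_RE = re.compile(r"^[a-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
FAIL_RE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"login failure for user (?P<user>\S+) from\s*(?P<src>\d[\d.]*) via (?P<svc>\w+)$"
)
OK_RE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"user (?P<user>\S+) logged in from\s*(?P<src>\d[\d.]*) via (?P<svc>\w+)$"
)


def unwrap(text):
    """Rejoin lines the console wrapped: a line that does not begin with a
    RouterOS timestamp is glued onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if TS_RE.match(raw):
            lines.append(raw)
        elif lines:
            lines[-1] += raw
    return lines


def parse_ts(ts):
    # strptime's %b accepts the lower-case month name RouterOS prints
    return datetime.strptime(ts, "%b/%d/%Y %H:%M:%S")


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: summary} for every source with at least `threshold` login
    failures inside any span of length `window`. `distinct_users` exposes the
    one-attempt-per-username dictionary pattern seen in the post."""
    failures = defaultdict(list)
    for line in unwrap(text):
        m = FAIL_RE.match(line)
        if m:
            failures[m["src"]].append((parse_ts(m["ts"]), m["user"], m["svc"]))
    hits = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = {
                    "failures": len(events),
                    "distinct_users": len({u for _, u, _ in events}),
                    "services": sorted({s for _, _, s in events}),
                    "first": events[0][0],
                    "last": events[-1][0],
                }
                break
    return hits


def successes_after_failures(text):
    """Triage list: successful logins from a source that also failed at least
    once. A guessing run that eventually got in shows up here."""
    failed_from = set()
    result = []
    for line in unwrap(text):
        m = FAIL_RE.match(line)
        if m:
            failed_from.add(m["src"])
            continue
        m = OK_RE.match(line)
        if m and m["src"] in failed_from:
            result.append((m["src"], m["user"]))
    return result


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures, {info['distinct_users']} usernames, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S} via {','.join(info['services'])}")
    for src, user in successes_after_failures(SAMPLE_LOG):
        print(f"check: '{user}' logged in from {src} after earlier failures")
```

The same two functions run unchanged over a longer export from /log print; only the threshold and window need tuning to the router's normal traffic.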
 
joshkuo
just joined
Posts: 6
Joined: Wed Sep 28, 2005 9:27 pm
Location: Nevada, USA

SSH attack

Sat Oct 08, 2005 7:50 pm

Looks like you have SSH set up as a publicly accessible service, and someone is trying to get in. This type of attack has become more and more popular recently with SSH.

My recommendation to you is to set up SSH so only the necessary hosts can access it. You would usually do this in /ip firewall rule input, and set up some rules like this:
1  ;;; accept ssh from my first server
   in-interface=External src-address=xx.xx.xx.xx dst-address=:22 protocol=tcp action=accept 

2  ;;; allow HTTPS connection from my other server
   in-interface=External src-address=yy.yy.yy.yy dst-address=:443 protocol=tcp action=accept

... (some other rules)

10  ;;; drop everything else
    in-interface=External protocol=tcp action=drop
Also, you might want to inform the administrator of the attacking host, and have him/her stop the attack. A simple 'whois' will tell you who owns that block of IP addresses, complete with contact information.

Hope this helps.
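The chain above in miniature, as an added example and not the poster's or RouterOS's code: a first-match evaluator over the same three rules, with TEST-NET addresses standing in for xx.xx.xx.xx and yy.yy.yy.yy, showing SSH from the named host accepted, port 22 from anywhere else dropped, and what happens when the "drop everything else" rule is placed first. The packet representation, the field names and the chain default are assumptions of the example.

```python
from ipaddress import ip_address, ip_network

# Hypothetical addresses (TEST-NET ranges) standing in for the xx.xx.xx.xx and
# yy.yy.yy.yy placeholders in the post; constructed for this example only.
ADMIN_HOST = "192.0.2.10"
OTHER_SERVER = "198.51.100.20"
ATTACKER = "203.0.113.51"

# The chain from the post as an ordered list of (comment, match, action).
# A key missing from `match` means "any", like an unset firewall property.
RULES = [
    ("accept ssh from my first server",
     {"in_interface": "External", "src": ADMIN_HOST, "dst_port": 22, "protocol": "tcp"},
     "accept"),
    ("allow HTTPS connection from my other server",
     {"in_interface": "External", "src": OTHER_SERVER, "dst_port": 443, "protocol": "tcp"},
     "accept"),
    ("drop everything else",
     {"in_interface": "External", "protocol": "tcp"},
     "drop"),
]

# Same rules with the drop rule first: an ordering mistake that locks the
# admin host out, because evaluation stops at the first match.
MISORDERED = [RULES[2], RULES[0], RULES[1]]


def matches(match, pkt):
    """True when every property the rule sets agrees with the packet.
    `src` is an address-in-network test so a rule may name one host or a
    CIDR block."""
    for key, want in match.items():
        have = pkt.get(key)
        if have is None:
            return False
        if key == "src":
            if ip_address(have) not in ip_network(want, strict=False):
                return False
        elif have != want:
            return False
    return True


def evaluate(rules, pkt, default="accept"):
    """Walk the chain in order and return (action, comment) of the first
    matching rule. RouterOS accepts a packet that no rule matched, so that is
    the default here as well."""
    for comment, match, action in rules:
        if matches(match, pkt):
            return action, comment
    return default, "no rule matched"


def tcp_from(src, dst_port, in_interface="External"):
    """Build the minimal packet description the evaluator needs."""
    return {"in_interface": in_interface, "src": src,
            "dst_port": dst_port, "protocol": "tcp"}


if __name__ == "__main__":
    cases = [
        ("admin host to ssh", tcp_from(ADMIN_HOST, 22)),
        ("other server to https", tcp_from(OTHER_SERVER, 443)),
        ("unknown host to ssh", tcp_from(ATTACKER, 22)),
        ("admin host to ssh, from the LAN side", tcp_from(ADMIN_HOST, 22, in_interface="Local")),
    ]
    for name, pkt in cases:
        action, why = evaluate(RULES, pkt)
        print(f"{name:40s} -> {action:6s} ({why})")
    action, why = evaluate(MISORDERED, tcp_from(ADMIN_HOST, 22))
    print(f"{'admin host to ssh, misordered chain':40s} -> {action:6s} ({why})")
```

The last case is the one to keep in mind when editing a live chain: the final drop rule only does its job because every accept sits above it.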
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Sat Oct 08, 2005 8:03 pm

Best option is to change the ssh port from 22 to something like 222 or 2222 or 65522.
 
GJS
Member
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Sun Oct 09, 2005 4:40 am

Hmm...I also get this on my 2.9 routers but I never had it and still don't get it on 2.8. Is this just because it is not being logged by default on 2.8?

Also, if this is a brute force attack, why does the username change every time, why not just the password? Surely that would have a better chance of success?
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Sun Oct 09, 2005 12:16 pm

Guy

If you've got port 22 open to the Internet then you'll be getting this even if it's not logged.

The program that does this has a list of common user names and passwords. Most are oriented towards Unix systems e.g. root:root, root:god, mysql:mysql etc...etc...etc. I've even had this from an Italian system that used a list of Italian names so not much chance of success running that against a UK system!

Provided you have suitably complex passwords and are not allowing root to log in using SSH then it's an annoyance rather than a serious threat.

Regards

Andrew
 
GJS
Member
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Sun Oct 09, 2005 12:45 pm

Thanks for the advice, Andrew.

I was also able to find out a little more about this type of attack here:

http://www.whitedust.net/article/27/Rec ... 20Attacks/

Cheers.