Port 22 Not being attacked.


StingRay
10-04-2005, 02:53 PM
I currently get about 5 brute force attacks a day and find that the attacks never seem to target port 22 (default SSH port).

Is that odd? Seems to me that port 22 is more secure since no one ever tries it lol.

elix
10-04-2005, 03:07 PM
Some script kiddies don't even know what SSH is LOL

capnqwest
10-04-2005, 05:35 PM
My attacks were always on port 22. They stopped once I changed the SSH port to something above 1024.

vps-vince
10-04-2005, 07:26 PM
Beginner question:
Where do you look to see and identify these attacks?
:confused:

Cheers

guapo
10-04-2005, 08:05 PM
It would be in your email, if it's set up to send you e-mail, or in the log files under /var/log, if you do have some brute force program installed like BDF.

Type at SSH, if I'm not wrong:
tail -f /var/log/bdf

Zaf
10-05-2005, 03:59 AM
> type at ssh if im not wrong.
> tail -f /var/log/bdf

The path of the logs looks fine, but the command should be
root@host [~]# tail -f /var/log/bfd_log

StingRay
10-05-2005, 11:27 AM
vince,
BFD sends me an email every time it adds an IP to the firewall. I currently have it running every 10 minutes (which I intend to get around to changing to daemon), and with it set to 10 min, I quite often get hundreds of attempts.

I have yet to see an attempt being made on a port with less than 5 digits, i.e. 45123, or 32345, etc.

The majority of attacks do seem to target the "root" user though, so I've set out to disable root login.

They also target common names and words, so I've decided from now on I will make user names created on the server that include a number and are not dictionary words.
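As an added illustration (not from the thread), the two changes capnqwest and StingRay describe, moving sshd off port 22 and refusing root logins, are both sshd_config directives; the extra limits shown are standard OpenSSH options, and the port number and user names are placeholders:

```text
# /etc/ssh/sshd_config excerpt (added example). Check with "sshd -t" and keep an
# existing session open while restarting sshd, in case a typo locks you out.

# Placeholder high port; the firewall must allow it before sshd is restarted.
Port 2222

# Root cannot log in over SSH at all; use an unprivileged account and su/sudo.
PermitRootLogin no

# Failed attempts allowed per connection before sshd drops it.
MaxAuthTries 3

# Seconds a client gets to authenticate before the connection is closed.
LoginGraceTime 30

# Placeholder non-dictionary account names; any other user name is refused
# before a password is even checked.
AllowUsers vince7 stingr4y
```

sshd_config does not accept trailing comments on a directive line, which is why each note sits on its own line above the setting it describes.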

chief
10-05-2005, 03:49 PM
Same here (strange port attempts), and there are some damn strange name attempts too.

vps-vince
10-05-2005, 06:55 PM
Tried [~]# tail -f /var/log/bfd_log but it just hangs there doing nothing :confused:

I used sftp to download bfd_log.1 bfd_log.2 and so on, and they are empty, zero bytes.

Does that mean all is fine?

Thanks

StingRay
10-05-2005, 08:55 PM
Check /var/log/secure or secure.1 etc
Look for "Invalid user xxx from xxx.xxx.xxx.xxx"

If you have a bunch of those from the same IP, then BFD is not set up properly (i.e. it could be that it isn't working at all, or you have the allowed attempts too high).

athira
10-05-2005, 10:06 PM
vps-vince, the tail command without any output means that you have no brute force attempts logged. Just press Ctrl+C to stop the tail.

Athira.
PowerVPS Support

vps-vince
10-07-2005, 07:30 PM
Hi Athira,
Sorry, but are you saying I have BFD but no logging enabled, or no BFD at all?
I was under the impression that it was part of standard setup as per here:
http://forums.deftechgroup.com/showthread.php?t=26

Should I open a ticket?

Thanks,

- Vince

elix
10-07-2005, 08:06 PM
It just means that there is no brute force attempt that BFD caught, nothing more.

StingRay
10-08-2005, 02:04 AM
vps-vince,
To confirm, check your secure logs as I mentioned.
However my experience with BFD is that I had to ask support to get it working.
They might install it, but it didn't work for me "out of the box".

Send support a quick note, they are helpful and quick.

Hvu
10-08-2005, 04:48 AM
Do you guys really have that many SSH attempts?

vps-vince
10-08-2005, 06:34 AM
> Check /var/log/secure or secure.1 etc
> Look for "Invalid user xxx from xxx.xxx.xxx.xxx"
>
> If you have a bunch of those from the same IP, then BFD is not setup properly. (ie could be that it isn't working at all, or you have the allowed attempts too high)

I checked and searched for 'invalid' but nothing there. However, I do have many entries with 'illegal user' and 'Failed password':

Oct 1 16:59:56 usa sshd[9780]: Failed password for illegal user dirk from 213.147.163.162 port 55751 ssh2
Oct 1 16:59:57 usa sshd[9806]: Illegal user dirk from 213.147.163.162

Many entries like this one, with multiple attempts on different ports and usernames.

- Vince

Fred
10-08-2005, 11:30 AM
I had the same problem... it didn't work out of the box...

I was monitoring my log files and I noticed that I had a few attempts on my SSH that should have been blocked by BFD...

I asked support to be sure about it... because I was sure BFD was running every X minutes with cron...

They updated the BFD to the latest version... and it's now working fine... I received two emails since then...

vps-vince
10-15-2005, 01:32 PM
uhm, mine is dated march 2005, so maybe I'll also ask for an update before starting to figure out any issues.

It also seems you cannot set it to block after xx of attempts.

- Vince

GalCom
10-15-2005, 11:04 PM
I wasn't aware of BFD until recently, so had set up DenyHosts (http://forums.deftechgroup.com/showthread.php?t=726), and it seems to be running quite well for me, and can block after xx attempts - you can even configure how many attempts it'll allow before blocking an IP, with options for # of invalid username attempts, # of valid username attempts and # of root attempts before blocking.
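Vince's log lines above and GalCom's description of DenyHosts' three per-category limits describe the same check, so one added example covers both. The script below is not code from the thread, from BFD or from DenyHosts: it counts "Failed password" lines per source address in a /var/log/secure style file, splits them into invalid-user, valid-user and root attempts, and lists every address over any of the three thresholds. The log it writes is constructed for the example (the first two lines are Vince's, the rest use documentation addresses), and the thresholds 3/5/2 are arbitrary.

```shell
#!/bin/sh
# Added example: per-source-address sshd failure counts with separate
# thresholds for invalid users, valid users and root (the three limits
# GalCom describes for DenyHosts). Not the thread's, BFD's or DenyHosts' code.

# write_sample_log <path>
# Writes a constructed /var/log/secure extract; the first two lines are the
# ones Vince posted, the others use RFC 5737 documentation addresses.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 1 16:59:56 usa sshd[9780]: Failed password for illegal user dirk from 213.147.163.162 port 55751 ssh2
Oct 1 16:59:57 usa sshd[9806]: Illegal user dirk from 213.147.163.162
Oct 1 17:00:01 usa sshd[9810]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Oct 1 17:00:02 usa sshd[9811]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Oct 1 17:00:03 usa sshd[9812]: Failed password for invalid user oracle from 192.0.2.10 port 40003 ssh2
Oct 1 17:00:04 usa sshd[9813]: Failed password for invalid user guest from 192.0.2.10 port 40004 ssh2
Oct 1 17:00:10 usa sshd[9820]: Failed password for root from 198.51.100.7 port 4022 ssh2
Oct 1 17:00:11 usa sshd[9821]: Failed password for root from 198.51.100.7 port 4023 ssh2
Oct 1 17:00:12 usa sshd[9822]: Failed password for root from 198.51.100.7 port 4024 ssh2
Oct 1 17:05:00 usa sshd[9830]: Failed password for vince from 203.0.113.5 port 50000 ssh2
Oct 1 17:05:02 usa sshd[9831]: Failed password for vince from 203.0.113.5 port 50001 ssh2
Oct 1 17:05:09 usa sshd[9832]: Accepted password for vince from 203.0.113.5 port 50002 ssh2
EOF
}

# classify_failures <logfile> <invalid_limit> <valid_limit> <root_limit>
# Prints one line per source address that reached any limit:
#   <ip> invalid=<n> valid=<n> root=<n>
# Only "Failed password" lines are counted; the separate "Illegal user ..."
# line sshd writes for the same attempt is ignored so nothing is counted twice.
classify_failures() {
    awk -v il="$2" -v vl="$3" -v rl="$4" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address follows the word "from"; the port after it is the
            # client side source port, not the port sshd listens on
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            seen[ip] = 1
            if ($0 ~ /for (illegal|invalid) user/) inv[ip]++   # old and new sshd wording
            else if ($0 ~ /for root from/)          root[ip]++
            else                                    valid[ip]++
        }
        END {
            for (ip in seen)
                if (inv[ip] + 0 >= il + 0 || valid[ip] + 0 >= vl + 0 || root[ip] + 0 >= rl + 0)
                    printf "%s invalid=%d valid=%d root=%d\n",
                           ip, inv[ip] + 0, valid[ip] + 0, root[ip] + 0
        }
    ' "$1" | sort
}

# Stand-alone run against the constructed sample. On a real box the call would
# be something like: classify_failures /var/log/secure 3 5 2
SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
classify_failures "$SAMPLE_LOG" 3 5 2
rm -f "$SAMPLE_LOG"
```

With limits 3/5/2 the sample flags 192.0.2.10 (four invalid-user attempts) and 198.51.100.7 (three root attempts), while 203.0.113.5 (two failures for an existing user) and Vince's 213.147.163.162 (one) stay below their limits. The same three limits are what DenyHosts calls DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT in its denyhosts.cfg. Note that the "port 55751" in these lines is the attacker's source port; sshd was still listening on its usual port, which is why the thread's "attacks never target port 22" reading is a misread of the log.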

Fred
10-17-2005, 09:17 AM
Do you know the resource usage difference between BFD and DenyHosts??

A problem I see with it is that BFD will run every 5 minutes (for example), so an attack can last up to 5 minutes. An attacker can easily know when it will run by trying many attempts on SSH and then seeing what the exact minute was when he was banned. He tries another proxy, attacks again and sees when he was banned. He can now know that we have something like BFD running every 5 minutes and plan his attacks...

Zaf
10-17-2005, 11:40 AM
Fred,
would it help if you changed the BFD cron times each day using a script?
say 1st day it runs every 3 mins at 3,6,9....57,60th min every hour....
next day it runs every 5 mins at 2,7,12....52,57th min every hour
so on and so forth.....(one important fact is that all the above happens randomly...so some day it runs every 3 mins...another day every 4 mins and yet another day every 5 mins)

Append: Hope this works fine

#!/bin/bash
# Daily job: rewrite BFD's cron entry with a random interval (3, 4 or 5
# minutes) and a random offset, so the minutes BFD runs at change each day.
# bash is required: $RANDOM and let are not available in plain /bin/sh.
croncommand='/usr/local/sbin/bfd -q'
cronfile='/etc/cron.d/bfd'
let "interval = 3 + ($RANDOM % 3)"        # 3, 4 or 5 minutes between runs
let "lowval = $RANDOM % ($interval - 1)"  # first minute of the hour BFD runs at
let "highval = 60 - $interval + $lowval"  # last minute; keeps the gap across the hour equal to interval
echo "MAILTO=" > $cronfile
echo "SHELL=/bin/sh" >> $cronfile
echo "$lowval-$highval/$interval * * * * root $croncommand" >> $cronfile