Who’s there? – Invalid ssh user

So, it’s been a while since I set up my home server to use as a Swiss Army knife at home and on the road.
Now I was wondering about the system’s integrity.
The first step was checking /var/log/auth.log.
For a quick’n’dirty check I ran the following command:

grep "Invalid user" /var/log/auth.log | less


This resulted in quite a nice list:

Mar 13 20:13:21 tuxbox sshd[31985]: Invalid user oracle from 82.165.193.197
Mar 13 20:13:21 tuxbox sshd[31988]: Invalid user test from 82.165.193.197
Mar 13 20:13:24 tuxbox sshd[32001]: Invalid user demon from 82.165.193.197
Mar 13 20:13:25 tuxbox sshd[32007]: Invalid user test from 82.165.193.197
Mar 13 20:13:26 tuxbox sshd[32011]: Invalid user abcd from 82.165.193.197
Mar 13 20:13:26 tuxbox sshd[32014]: Invalid user abc from 82.165.193.197
Mar 13 20:13:27 tuxbox sshd[32017]: Invalid user tt from 82.165.193.197
Mar 14 07:44:29 tuxbox sshd[22844]: Invalid user adi from 124.232.130.2
Mar 14 07:44:32 tuxbox sshd[22854]: Invalid user salina from 124.232.130.2
Mar 14 07:44:35 tuxbox sshd[22865]: Invalid user cadi from 124.232.130.2
Mar 14 07:44:37 tuxbox sshd[22863]: Invalid user adi from 124.232.130.2
Mar 14 07:44:39 tuxbox sshd[22876]: Invalid user inger from 124.232.130.2
Mar 14 07:44:43 tuxbox sshd[22888]: Invalid user adi from 124.232.130.2
Mar 14 07:44:43 tuxbox sshd[22883]: Invalid user cady from 124.232.130.2
Mar 14 07:44:45 tuxbox sshd[22895]: Invalid user adis from 124.232.130.2
Mar 14 07:44:48 tuxbox sshd[22907]: Invalid user muie from 124.232.130.2
Mar 14 07:44:49 tuxbox sshd[22911]: Invalid user cai from 124.232.130.2
Mar 14 07:44:52 tuxbox sshd[22917]: Invalid user alesa from 124.232.130.2
Mar 14 07:44:54 tuxbox sshd[22929]: Invalid user muie from 124.232.130.2
Mar 14 07:44:55 tuxbox sshd[22932]: Invalid user cailin from 124.232.130.2
Mar 14 07:44:58 tuxbox sshd[22944]: Invalid user foster from 124.232.130.2
Mar 14 07:45:04 tuxbox sshd[22969]: Invalid user braila from 124.232.130.2
Mar 14 07:45:09 tuxbox sshd[22984]: Invalid user domnul from 124.232.130.2
Mar 14 07:45:15 tuxbox sshd[23000]: Invalid user conor from 124.232.130.2
Mar 14 07:45:24 tuxbox sshd[23014]: Invalid user excalibur from 124.232.130.2
Mar 14 07:45:30 tuxbox sshd[23037]: Invalid user soft from 124.232.130.2
Mar 14 07:45:36 tuxbox sshd[23050]: Invalid user peste from 124.232.130.2
Mar 14 07:45:42 tuxbox sshd[23063]: Invalid user lookoo from 124.232.130.2
Mar 14 07:45:47 tuxbox sshd[23077]: Invalid user trandafir from 124.232.130.2
Mar 14 07:45:57 tuxbox sshd[23099]: Invalid user dinamo from 124.232.130.2
Mar 14 07:46:05 tuxbox sshd[23116]: Invalid user steaua from 124.232.130.2
Mar 14 07:46:10 tuxbox sshd[23134]: Invalid user frati from 124.232.130.2
Mar 14 07:46:16 tuxbox sshd[23147]: Invalid user colombo from 124.232.130.2
Mar 14 09:53:53 tuxbox sshd[7154]: Invalid user direccion from 118.69.202.195
Mar 14 10:09:31 tuxbox sshd[9634]: Invalid user simon from 118.69.202.195
Mar 14 10:09:35 tuxbox sshd[9643]: Invalid user server from 118.69.202.195
Mar 14 10:09:38 tuxbox sshd[9652]: Invalid user linux from 118.69.202.195
Mar 14 10:09:43 tuxbox sshd[9660]: Invalid user info from 118.69.202.195
Mar 14 10:09:50 tuxbox sshd[9681]: Invalid user operator from 118.69.202.195
Mar 14 10:09:55 tuxbox sshd[9690]: Invalid user guest from 118.69.202.195
Mar 14 10:09:59 tuxbox sshd[9709]: Invalid user webadmin from 118.69.202.195
Mar 14 10:10:05 tuxbox sshd[9722]: Invalid user user from 118.69.202.195
Mar 14 10:10:09 tuxbox sshd[9732]: Invalid user user from 118.69.202.195
Mar 14 10:10:12 tuxbox sshd[9741]: Invalid user ftp from 118.69.202.195
Mar 14 10:10:16 tuxbox sshd[9750]: Invalid user oracle from 118.69.202.195
Mar 14 10:10:19 tuxbox sshd[9759]: Invalid user oracle from 118.69.202.195
Mar 14 10:10:23 tuxbox sshd[9769]: Invalid user test from 118.69.202.195
Mar 14 10:10:28 tuxbox sshd[9781]: Invalid user soporte from 118.69.202.195
Mar 14 10:10:31 tuxbox sshd[9789]: Invalid user postgres from 118.69.202.195
Mar 14 10:10:34 tuxbox sshd[9798]: Invalid user henry from 118.69.202.195
Mar 14 10:10:38 tuxbox sshd[9806]: Invalid user admin from 118.69.202.195
Mar 14 10:10:41 tuxbox sshd[9816]: Invalid user test from 118.69.202.195
Mar 14 10:10:45 tuxbox sshd[9824]: Invalid user user1 from 118.69.202.195
Mar 14 10:10:48 tuxbox sshd[9838]: Invalid user user2 from 118.69.202.195
Mar 14 10:10:52 tuxbox sshd[9847]: Invalid user user3 from 118.69.202.195
Mar 14 10:10:55 tuxbox sshd[9856]: Invalid user user4 from 118.69.202.195
Mar 14 10:10:59 tuxbox sshd[9870]: Invalid user username from 118.69.202.195
Mar 14 10:11:02 tuxbox sshd[9879]: Invalid user username from 118.69.202.195
Mar 14 10:11:06 tuxbox sshd[9888]: Invalid user testing from 118.69.202.195
Mar 14 10:11:09 tuxbox sshd[9897]: Invalid user webadmin from 118.69.202.195
Mar 14 10:11:12 tuxbox sshd[9905]: Invalid user trixbox1 from 118.69.202.195
Mar 14 10:11:15 tuxbox sshd[9914]: Invalid user testing from 118.69.202.195
Mar 14 10:11:19 tuxbox sshd[9922]: Invalid user test from 118.69.202.195
Mar 14 10:11:24 tuxbox sshd[9931]: Invalid user xbox from 118.69.202.195
Mar 14 10:11:27 tuxbox sshd[9943]: Invalid user mysql from 118.69.202.195
Mar 14 10:11:31 tuxbox sshd[9952]: Invalid user mysql from 118.69.202.195
Mar 14 10:11:34 tuxbox sshd[9961]: Invalid user mysql from 118.69.202.195
Mar 14 10:11:37 tuxbox sshd[9973]: Invalid user mysql from 118.69.202.195
Mar 14 10:11:49 tuxbox sshd[9999]: Invalid user oracle from 118.69.202.195
Mar 14 10:11:53 tuxbox sshd[10012]: Invalid user phpl from 118.69.202.195
Mar 14 10:11:56 tuxbox sshd[10021]: Invalid user user from 118.69.202.195
Mar 14 10:12:00 tuxbox sshd[10030]: Invalid user maggie from 118.69.202.195
Mar 14 10:12:03 tuxbox sshd[10039]: Invalid user usuario from 118.69.202.195
Mar 14 10:12:07 tuxbox sshd[10048]: Invalid user usuario from 118.69.202.195
Mar 14 10:12:10 tuxbox sshd[10056]: Invalid user usuario from 118.69.202.195
Mar 14 10:12:13 tuxbox sshd[10065]: Invalid user user from 118.69.202.195
Mar 14 10:12:17 tuxbox sshd[10074]: Invalid user user from 118.69.202.195
Mar 14 10:12:20 tuxbox sshd[10082]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:23 tuxbox sshd[10091]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:27 tuxbox sshd[10100]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:31 tuxbox sshd[10114]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:34 tuxbox sshd[10124]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:38 tuxbox sshd[10132]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:41 tuxbox sshd[10141]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:45 tuxbox sshd[10151]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:48 tuxbox sshd[10160]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:52 tuxbox sshd[10169]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:56 tuxbox sshd[10177]: Invalid user oracle from 118.69.202.195
Mar 14 10:12:59 tuxbox sshd[10188]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:03 tuxbox sshd[10196]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:08 tuxbox sshd[10205]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:11 tuxbox sshd[10218]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:15 tuxbox sshd[10227]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:19 tuxbox sshd[10241]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:23 tuxbox sshd[10250]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:26 tuxbox sshd[10260]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:30 tuxbox sshd[10269]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:33 tuxbox sshd[10278]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:37 tuxbox sshd[10287]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:40 tuxbox sshd[10296]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:44 tuxbox sshd[10304]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:47 tuxbox sshd[10314]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:51 tuxbox sshd[10323]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:55 tuxbox sshd[10332]: Invalid user oracle from 118.69.202.195
Mar 14 10:13:59 tuxbox sshd[10342]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:02 tuxbox sshd[10352]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:06 tuxbox sshd[10361]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:09 tuxbox sshd[10374]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:12 tuxbox sshd[10382]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:15 tuxbox sshd[10390]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:19 tuxbox sshd[10399]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:22 tuxbox sshd[10408]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:26 tuxbox sshd[10417]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:29 tuxbox sshd[10426]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:33 tuxbox sshd[10435]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:36 tuxbox sshd[10443]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:39 tuxbox sshd[10452]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:43 tuxbox sshd[10460]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:46 tuxbox sshd[10469]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:49 tuxbox sshd[10478]: Invalid user oracle from 118.69.202.195
Mar 14 10:14:53 tuxbox sshd[10487]: Invalid user oracle from 118.69.202.195
Mar 14 10:15:03 tuxbox sshd[10504]: Invalid user oracle from 118.69.202.195
Mar 14 17:53:46 tuxbox sshd[4219]: Invalid user test from 81.1.192.16
Mar 14 17:53:48 tuxbox sshd[4224]: Invalid user testuser from 81.1.192.16
Mar 14 17:53:49 tuxbox sshd[4229]: Invalid user test1 from 81.1.192.16
Mar 14 17:53:50 tuxbox sshd[4234]: Invalid user test from 81.1.192.16
Mar 14 17:53:52 tuxbox sshd[4238]: Invalid user test from 81.1.192.16
Mar 14 17:53:53 tuxbox sshd[4243]: Invalid user test from 81.1.192.16
Mar 14 17:53:55 tuxbox sshd[4248]: Invalid user testing from 81.1.192.16
Mar 14 17:54:03 tuxbox sshd[4276]: Invalid user admin from 81.1.192.16
Mar 14 17:54:04 tuxbox sshd[4281]: Invalid user admin from 81.1.192.16
Mar 14 17:54:06 tuxbox sshd[4286]: Invalid user admin from 81.1.192.16
Mar 14 17:55:01 tuxbox sshd[4486]: Invalid user jeep from 81.1.192.16
Mar 14 17:55:02 tuxbox sshd[4490]: Invalid user alan from 81.1.192.16
Mar 14 17:55:03 tuxbox sshd[4495]: Invalid user jim from 81.1.192.16
Mar 14 17:55:05 tuxbox sshd[4500]: Invalid user postgres from 81.1.192.16
Mar 14 17:55:06 tuxbox sshd[4505]: Invalid user stuff from 81.1.192.16
Mar 14 17:55:08 tuxbox sshd[4509]: Invalid user tom from 81.1.192.16
Mar 14 17:55:09 tuxbox sshd[4514]: Invalid user adam from 81.1.192.16
Mar 14 17:55:13 tuxbox sshd[4528]: Invalid user gov from 81.1.192.16
Mar 14 17:55:16 tuxbox sshd[4538]: Invalid user pgsql from 81.1.192.16
Mar 14 17:55:17 tuxbox sshd[4542]: Invalid user adm from 81.1.192.16
Mar 14 17:55:20 tuxbox sshd[4552]: Invalid user postgres from 81.1.192.16
Mar 14 17:55:23 tuxbox sshd[4561]: Invalid user email from 81.1.192.16
Mar 14 17:55:24 tuxbox sshd[4566]: Invalid user oracle from 81.1.192.16
Mar 14 17:55:25 tuxbox sshd[4571]: Invalid user users from 81.1.192.16
Mar 14 17:55:27 tuxbox sshd[4576]: Invalid user user from 81.1.192.16
Mar 14 17:55:28 tuxbox sshd[4580]: Invalid user test from 81.1.192.16
Mar 14 17:55:30 tuxbox sshd[4585]: Invalid user david from 81.1.192.16
Mar 14 17:55:31 tuxbox sshd[4590]: Invalid user lynx from 81.1.192.16
Mar 14 17:55:32 tuxbox sshd[4595]: Invalid user music from 81.1.192.16
Mar 14 17:55:34 tuxbox sshd[4599]: Invalid user user from 81.1.192.16
Mar 14 17:55:35 tuxbox sshd[4604]: Invalid user user from 81.1.192.16
Mar 14 17:55:36 tuxbox sshd[4609]: Invalid user user from 81.1.192.16
Mar 14 17:55:38 tuxbox sshd[4614]: Invalid user user from 81.1.192.16
Mar 14 17:55:39 tuxbox sshd[4618]: Invalid user rpcuser from 81.1.192.16
Mar 14 17:55:41 tuxbox sshd[4623]: Invalid user rpcuser from 81.1.192.16
Mar 14 17:55:42 tuxbox sshd[4628]: Invalid user guest from 81.1.192.16
Mar 14 17:56:31 tuxbox sshd[4808]: Invalid user apple from 81.1.192.16
Mar 14 17:56:36 tuxbox sshd[4823]: Invalid user brian from 81.1.192.16
Mar 14 17:56:43 tuxbox sshd[4852]: Invalid user log from 81.1.192.16
Mar 14 17:56:45 tuxbox sshd[4857]: Invalid user qmailq from 81.1.192.16
Mar 14 17:56:46 tuxbox sshd[4862]: Invalid user qscand from 81.1.192.16
Mar 14 17:56:52 tuxbox sshd[4881]: Invalid user rosa from 81.1.192.16
Mar 14 17:56:53 tuxbox sshd[4885]: Invalid user rosa from 81.1.192.16
Mar 14 17:57:44 tuxbox sshd[5071]: Invalid user video from 81.1.192.16
Mar 14 17:57:45 tuxbox sshd[5075]: Invalid user admin from 81.1.192.16
Mar 14 17:59:19 tuxbox sshd[5406]: Invalid user guset from 81.1.192.16
Mar 14 17:59:32 tuxbox sshd[5454]: Invalid user guest from 81.1.192.16
Mar 14 18:00:30 tuxbox sshd[5658]: Invalid user apache from 81.1.192.16
Mar 14 18:00:31 tuxbox sshd[5663]: Invalid user david from 81.1.192.16
Mar 14 18:00:33 tuxbox sshd[5668]: Invalid user web from 81.1.192.16
Mar 14 18:00:34 tuxbox sshd[5673]: Invalid user cyberjohn from 81.1.192.16
etc…

As long as you have a towel, there’s no need to panic!
I studied the log in detail and there were luckily no successful logins other than my own (with a valid keypair).
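
The same check can be scripted rather than read by eye. The following is an added example, not part of the original post: it counts invalid-user attempts per source address and lists every successful login, marking those that came from an address that was also guessing usernames. The function names, the accounts alice and backup, and the sample log (documentation addresses, constructed) are assumptions.

```shell
#!/bin/sh
# Constructed sample in auth.log format; addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Mar 13 20:13:21 tuxbox sshd[31985]: Invalid user oracle from 192.0.2.10
Mar 13 20:13:24 tuxbox sshd[31988]: Invalid user test from 192.0.2.10
Mar 13 20:13:27 tuxbox sshd[32001]: Invalid user tt from 192.0.2.10
Mar 14 07:44:29 tuxbox sshd[22844]: Invalid user adi from 198.51.100.7 port 40112
Mar 14 07:44:32 tuxbox sshd[22854]: Invalid user admin from 198.51.100.7 port 40120
Mar 14 08:02:10 tuxbox sshd[23500]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Mar 14 08:15:42 tuxbox sshd[23611]: Accepted password for backup from 198.51.100.7 port 40388 ssh2
EOF
}

# Count "Invalid user" attempts per source address, busiest first.
# The address is the field after the last "from", so lines with or
# without a trailing "port N" are both handled.
invalid_by_ip() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
        for (i = 1; i < NF; i++) if ($i == "from") a = $(i + 1)
        n[a]++
    } END { for (a in n) print n[a], a }' "$@" | sort -k1,1nr -k2,2
}

# List each distinct successful login as "method user address note".
# note is GUESSER when the same address also produced invalid-user
# attempts anywhere in the input, otherwise "-".
accepted_logins() {
    awk '
    function after(word,   i, v) {      # field following the last <word>
        for (i = 1; i < NF; i++) if ($i == word) v = $(i + 1)
        return v
    }
    /sshd\[[0-9]+\]: Invalid user / { bad[after("from")] = 1 }
    /sshd\[[0-9]+\]: Accepted / {
        key = after("Accepted") " " after("for") " " after("from")
        if (!(key in seen)) { seen[key] = 1; order[++k] = key; ip[k] = after("from") }
    }
    END { for (i = 1; i <= k; i++) print order[i], ((ip[i] in bad) ? "GUESSER" : "-") }
    ' "$@"
}

# Demo on the constructed sample; on a server pass the log file instead,
# e.g. invalid_by_ip /var/log/auth.log
sample_log | invalid_by_ip
sample_log | accepted_logins
```

Any line marked GUESSER, or any accepted login with an unexpected user, address or method, is the one to investigate first.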

A quick solution as a first line of defense:

sudo apt-get install denyhosts

DenyHosts:

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

Now the only thing I needed to do next was configure DenyHosts so that it’ll sync the known blocked IPs from the official DenyHosts database.
How to do this is well explained in the configuration file.

sudo nano /etc/denyhosts.conf

You can set the email, purge and sync options.
Adjust them as you like.

After a short while you can list the denied hosts as follows:

sudo less /etc/hosts.deny
