Linode Forum
Linode Community Forums
 Post subject: My sshd was bruteforced!
PostPosted: Sat Feb 06, 2010 12:57 am 

Joined: Sat Feb 06, 2010 12:42 am
Posts: 1
A few minutes ago my sshd was brute-forced by one of your accounts, namely li123-111.members.linode.com.
Looks like it has been hacked.

Here's a snippet of auth.log (note that the log time is GMT+10):

Code:
Feb  6 14:18:04 samolet sshd[10763]: Invalid user students from 69.164.208.111
Feb  6 14:18:04 samolet sshd[10763]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:04 samolet sshd[10763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:06 samolet sshd[10763]: Failed password for invalid user students from 69.164.208.111 port 47634 ssh2
Feb  6 14:18:08 samolet sshd[10765]: Invalid user students from 69.164.208.111
Feb  6 14:18:08 samolet sshd[10765]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:08 samolet sshd[10765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:10 samolet sshd[10765]: Failed password for invalid user students from 69.164.208.111 port 49052 ssh2
Feb  6 14:18:12 samolet sshd[10767]: Invalid user students from 69.164.208.111
Feb  6 14:18:12 samolet sshd[10767]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:12 samolet sshd[10767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:14 samolet sshd[10767]: Failed password for invalid user students from 69.164.208.111 port 50710 ssh2
Feb  6 14:18:17 samolet sshd[10769]: Invalid user students from 69.164.208.111
Feb  6 14:18:17 samolet sshd[10769]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:17 samolet sshd[10769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:19 samolet sshd[10769]: Failed password for invalid user students from 69.164.208.111 port 52243 ssh2
Feb  6 14:18:21 samolet sshd[10771]: Invalid user squid from 69.164.208.111
Feb  6 14:18:21 samolet sshd[10771]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:21 samolet sshd[10771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:23 samolet sshd[10771]: Failed password for invalid user squid from 69.164.208.111 port 53818 ssh2
Feb  6 14:18:25 samolet sshd[10773]: Invalid user squid from 69.164.208.111
Feb  6 14:18:25 samolet sshd[10773]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:25 samolet sshd[10773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:27 samolet sshd[10773]: Failed password for invalid user squid from 69.164.208.111 port 55409 ssh2
Feb  6 14:18:29 samolet sshd[10775]: Invalid user support from 69.164.208.111
Feb  6 14:18:29 samolet sshd[10775]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:29 samolet sshd[10775]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:31 samolet sshd[10775]: Failed password for invalid user support from 69.164.208.111 port 56912 ssh2
Feb  6 14:18:33 samolet sshd[10777]: Invalid user support from 69.164.208.111
Feb  6 14:18:33 samolet sshd[10777]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:33 samolet sshd[10777]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:35 samolet sshd[10777]: Failed password for invalid user support from 69.164.208.111 port 58437 ssh2
Feb  6 14:18:37 samolet sshd[10779]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com  user=sys
Feb  6 14:18:39 samolet sshd[10779]: Failed password for sys from 69.164.208.111 port 60046 ssh2
Feb  6 14:18:41 samolet sshd[10781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com  user=sys
Feb  6 14:18:43 samolet sshd[10781]: Failed password for sys from 69.164.208.111 port 33356 ssh2
Feb  6 14:18:45 samolet sshd[10783]: Invalid user sysadmin from 69.164.208.111
Feb  6 14:18:45 samolet sshd[10783]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:45 samolet sshd[10783]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:47 samolet sshd[10783]: Failed password for invalid user sysadmin from 69.164.208.111 port 34917 ssh2
Feb  6 14:18:49 samolet sshd[10787]: Invalid user sysadmin from 69.164.208.111
Feb  6 14:18:49 samolet sshd[10787]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:18:49 samolet sshd[10787]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:18:51 samolet sshd[10787]: Failed password for invalid user sysadmin from 69.164.208.111 port 36397 ssh2
Feb  6 14:18:53 samolet sshd[10789]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com  user=sync
Feb  6 14:18:56 samolet sshd[10789]: Failed password for sync from 69.164.208.111 port 37983 ssh2
Feb  6 14:18:58 samolet sshd[10791]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com  user=sync
Feb  6 14:18:59 samolet sshd[10791]: Failed password for sync from 69.164.208.111 port 39625 ssh2
Feb  6 14:19:02 samolet sshd[10793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com  user=sync
Feb  6 14:19:03 samolet sshd[10793]: Failed password for sync from 69.164.208.111 port 41021 ssh2
Feb  6 14:19:06 samolet sshd[10795]: Invalid user tech from 69.164.208.111
Feb  6 14:19:06 samolet sshd[10795]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:19:06 samolet sshd[10795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:19:08 samolet sshd[10795]: Failed password for invalid user tech from 69.164.208.111 port 42470 ssh2
Feb  6 14:19:10 samolet sshd[10797]: Invalid user tech from 69.164.208.111
Feb  6 14:19:10 samolet sshd[10797]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:19:10 samolet sshd[10797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:19:12 samolet sshd[10797]: Failed password for invalid user tech from 69.164.208.111 port 44090 ssh2
Feb  6 14:19:14 samolet sshd[10799]: Invalid user telnetd from 69.164.208.111
Feb  6 14:19:14 samolet sshd[10799]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:19:14 samolet sshd[10799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:19:15 samolet sshd[10799]: Failed password for invalid user telnetd from 69.164.208.111 port 45447 ssh2
Feb  6 14:19:18 samolet sshd[10804]: Invalid user telnetd from 69.164.208.111
Feb  6 14:19:18 samolet sshd[10804]: pam_unix(sshd:auth): check pass; user unknown
Feb  6 14:19:18 samolet sshd[10804]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li123-111.members.linode.com
Feb  6 14:19:18 samolet sshd[1228]: Received signal 15; terminating.
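
Triage of a log like the one above, as an added example that is not part of the original post: a small POSIX shell script that counts "Failed password" lines per source address and how many distinct usernames each source tried, then prints (without running) the iptables rules that would drop the offenders. The log lines it reads are a constructed sample in the same format, using documentation address ranges rather than the poster's real addresses; the threshold, the function names and the choice of port 22 in the generated rules are assumptions for illustration. It does no time windowing, so scope the input (for example `tail -n 5000 /var/log/auth.log`) to the period of interest.

```sh
#!/bin/sh
# Added example (not from the original post): spot a password-guessing run in
# sshd's auth.log output by counting "Failed password" lines per source and
# how many distinct usernames each source tried. One user mistyping a password
# gives one name and a few failures; a dictionary run gives many names in a
# tight burst, which is exactly the pattern in the post.

# Constructed sample in the same format as the post's log. The addresses are
# documentation ranges (RFC 5737), not real attackers.
SAMPLE_LOG='Feb  6 14:18:06 samolet sshd[10763]: Failed password for invalid user students from 203.0.113.7 port 47634 ssh2
Feb  6 14:18:10 samolet sshd[10765]: Failed password for invalid user students from 203.0.113.7 port 49052 ssh2
Feb  6 14:18:23 samolet sshd[10771]: Failed password for invalid user squid from 203.0.113.7 port 53818 ssh2
Feb  6 14:18:39 samolet sshd[10779]: Failed password for sys from 203.0.113.7 port 60046 ssh2
Feb  6 14:18:43 samolet sshd[10781]: Failed password for sys from 203.0.113.7 port 33356 ssh2
Feb  6 14:20:01 samolet sshd[10810]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Feb  6 14:20:05 samolet sshd[10812]: Failed password for alice from 192.0.2.10 port 51002 ssh2'

# brute_force_report THRESHOLD
#   Reads auth.log text on stdin; prints "<source> <failures> <distinct users>"
#   for every source with at least THRESHOLD failed password attempts, most
#   failures first. The pam_unix and "Invalid user" lines are ignored because
#   every attempt also produces exactly one "Failed password" line, so counting
#   those counts each attempt once.
brute_force_report() {
    thr=${1:-5}
    awk -v thr="$thr" '
        $6 == "Failed" && $7 == "password" && $8 == "for" {
            # "for invalid user NAME" (no such account) vs "for NAME" (real account)
            user = ($9 == "invalid" && $10 == "user") ? $11 : $9
            ip = ""
            for (i = 9; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip], users[ip] }
    ' | sort -k2,2nr
}

# block_rules THRESHOLD
#   Turns the report into iptables commands, printed rather than executed so
#   they can be reviewed first (or piped to sh): the manual version of what
#   DenyHosts/fail2ban automate. Reads auth.log text on stdin. Port 22 is an
#   assumption; use whatever sshd listens on.
block_rules() {
    brute_force_report "${1:-5}" |
        awk '{ printf "iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n", $1 }'
}

# Stand-alone run: the report, then the rules it would generate.
printf '%s\n' "$SAMPLE_LOG" | brute_force_report 5
printf '%s\n' "$SAMPLE_LOG" | block_rules 5
```

Two readings of the original log follow from this: `rhost=` in the pam_unix lines is the reverse DNS of the peer as sshd resolved it, which is why the Linode hostname shows up, and the final `Received signal 15; terminating` line is the sshd master process (pid 1228) receiving SIGTERM, i.e. the daemon being stopped or restarted, not a login event.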


 Post subject:
PostPosted: Sat Feb 06, 2010 1:14 am 
Senior Member

Joined: Tue Jan 22, 2008 2:10 am
Posts: 103
You should send this info to abuse@linode.com


 Post subject:
PostPosted: Sat Feb 06, 2010 1:39 am 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
People still set up SSH to use passwords???


 Post subject:
PostPosted: Sat Feb 06, 2010 10:23 am 
Senior Member

Joined: Tue Aug 12, 2008 8:41 am
Posts: 56
The abuse email should be more prominent on the main site, the Contact Us page seems like a logical choice. There have been a few posts in the forums in recent weeks that should have really gone directly to abuse@linode.com.


 Post subject:
PostPosted: Sat Feb 06, 2010 10:54 am 
Senior Member

Joined: Mon Dec 10, 2007 4:30 pm
Posts: 341
Website: http://markwalling.org
The abuse contact is exactly where you'd expect it to be:

Code:
mwalling@youtoo:~$ whois 69.164.208.111 | grep -i abuse
RAbuseHandle: LAS12-ARIN
RAbuseName:   Linode Abuse Support
RAbusePhone:  +1-609-593-7103
RAbuseEmail:  abuse@linode.com
OrgAbuseHandle: LAS12-ARIN
OrgAbuseName:   Linode Abuse Support
OrgAbusePhone:  +1-609-593-7103
OrgAbuseEmail:  abuse@linode.com


 Post subject:
PostPosted: Sat Feb 06, 2010 11:02 am 
Senior Newbie

Joined: Tue May 20, 2008 8:39 pm
Posts: 10
Don't know how many other people do this, but on any new install the first thing is to change the SSH port from 22 to something else (22222 for example).

[Edit] Sorry, misread that post as from a Linode customer, not the other way around ... my gaffe :P


 Post subject:
PostPosted: Sat Feb 06, 2010 6:22 pm 
Senior Newbie

Joined: Sun Jan 31, 2010 8:42 pm
Posts: 17
mooseday wrote:
Don't know how many other people do this, but on any new install the first thing is to change the SSH port from 22 to something else (22222 for example).

[Edit] Sorry, misread that post as from a Linode customer, not the other way around ... my gaffe :P


That's exactly what I do, but they still find a way to figure out the port, hence why I use DenyHosts :)

I installed DenyHosts yesterday, as I was reading on the Linode forum that people were doing "back yard" attacks where they bruted machines on the same network!

I don't actually see the point of brute forcing. Two of our old servers were bruted into before we looked into DenyHosts. Why do people actually brute force? Do they actually get anything out of it?


 Post subject:
PostPosted: Sat Feb 06, 2010 6:39 pm 
Senior Member

Joined: Sat Feb 14, 2009 1:32 am
Posts: 123
Brute forcing is very attractive to attackers because it works. Not only has my employer fallen victim to a brute force attack, I have talked to a lot of security professionals who have experienced the same problem. Users create easily guessed passwords all the time. I used to perform password cracking at my primary place of employment (with permission) and you would be amazed by the passwords used. Want samples? Here are some off the top of my head.

Password1
Football1
Dolphin1
Zzzzzzzz
Abcd1234
Abcdefg1

While there are lots of reasons that these shouldn't even be allowed as passwords, it illustrates that users will generally choose simplicity over complexity.


 Post subject:
PostPosted: Sun Feb 07, 2010 6:27 pm 
Senior Member

Joined: Fri Sep 21, 2007 4:12 pm
Posts: 78
Key wrote:
I installed DenyHosts yesterday, as I was reading on the Linode forum that people were doing "back yard" attacks where they bruted machines on the same network!

This is why I firewall off my private interface. :)

That said, when computers are compromised, it is quite common that the attacker will take a look at the interfaces and then go for any other devices they can see -- with an emphasis on machines on the same LAN as the compromised host. That way, if the admin cleans one machine, they still have another... and it is likely that the admin will leave the same hole as they did previously.

Key wrote:
I don't actually see the point of brute forcing. Two of our old servers were bruted into before we looked into DenyHosts. Why do people actually brute force? Do they actually get anything out of it?


Yes. Because people are lazy and configure accounts with dumb names and weak passwords. They don't need root to DDoS a site, just basic connectivity. When you think about it, you can do quite a lot with a regular account.


 Post subject:
PostPosted: Sun Feb 07, 2010 7:34 pm 
Senior Newbie

Joined: Tue May 20, 2008 8:39 pm
Posts: 10
Yeah, we had a new employee set up a test Linux mail server on a spare public IP and set root as "letmein" .. got hacked via SSH within 3 days and was spamming the beans out of everything. Only detected it as our network started dying. His response was "it's Linux .. it's perfectly safe from hacking and viruses" ... sigh.


 Post subject:
PostPosted: Sun Feb 07, 2010 8:11 pm 
Senior Newbie

Joined: Sun Jan 31, 2010 8:42 pm
Posts: 17
Oh, I see. That one time back in September we got bruted, they took down the apache and mysql users and then started uploading documents that didn't look 100% legal. It's amazing how they (well, it) didn't delete any of our websites and whatnot.

Brute forcers make me angry; we now have to install extra software like DenyHosts or completely disable the service to stop them attempting to break in!

There should be a way to report and take them down for good!


 Post subject:
PostPosted: Sun Feb 07, 2010 9:25 pm 
Senior Member

Joined: Thu Oct 08, 2009 5:07 pm
Posts: 99
I've just installed this, pretty simple to install.


 Post subject:
PostPosted: Mon Feb 08, 2010 1:59 am 
Senior Member

Joined: Sat Feb 14, 2009 1:32 am
Posts: 123
Key wrote:
Brute forcers make me angry; we now have to install extra software like DenyHosts or completely disable the service to stop them attempting to break in!

There should be a way to report and take them down for good!


The business I run off of Linode is a computer security business. I am *slowly* working on scripts that will watch for brute force attempts and centralize the source IP addresses the attempts are coming from. This data will be available (not sure if it will be free or a small subscription fee) so that customers can block hosts using Netfilter/iptables based on the information gathered. Essentially a Spamhaus for SSH brute force attacks.


 Post subject:
PostPosted: Mon Feb 08, 2010 2:25 am 
Senior Member

Joined: Sat May 03, 2008 4:01 pm
Posts: 569
Website: http://www.mattnordhoff.com/
If you run DenyHosts, you can optionally make it sync with a central database. Check the config file.


 Post subject:
PostPosted: Mon Feb 08, 2010 5:11 pm 
Senior Newbie

Joined: Mon Feb 08, 2010 5:09 pm
Posts: 17
vonskippy wrote:
People still setup SSH to use passwords???


This.

No reason not to have SSH configured to allow only PK authentication.
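
For the point made here, and the earlier posts about passwords and about moving the port, an added example that is not from any poster: a POSIX shell script that audits an sshd_config the way sshd itself reads it (keywords are case-insensitive, the first value obtained for a keyword wins, `#` lines are comments) and flags password authentication left enabled, the keyboard-interactive/PAM path left open, and root login permitted, while reporting the port as a note rather than a finding. The three configs are constructed, the function names are illustrative, the defaults it assumes for absent keywords are stated in the comments, and it ignores anything after a `Match` line (assumption: no Match block overrides these settings).

```sh
#!/bin/sh
# Added example (not from the original posts): audit an sshd_config for the
# settings this thread argues about. sshd keeps the FIRST value it reads for a
# keyword, so "PasswordAuthentication no" appended at the bottom of a file
# that already says "yes" higher up changes nothing. Keywords are matched
# case-insensitively, '#' lines are comments, and everything after a "Match"
# line is ignored (assumption: no Match blocks override these settings).

# Constructed configs; none of them is a real host's file.
WEAK_CONFIG='# stock-looking config: passwords on, root allowed in
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

TRAP_CONFIG='PasswordAuthentication yes
PermitRootLogin no
ChallengeResponseAuthentication no
# appended later in the belief that it turns passwords off; it does not, the first value wins
PasswordAuthentication no'

HARDENED_CONFIG='Port 22222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive via PAM is a second password prompt; close it too
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes'

# sshd_effective KEYWORD   (config text on stdin)
#   Prints, lowercased, the value sshd would use for KEYWORD, or nothing if
#   the keyword is unset. KEYWORD may be an alternation such as "a|b" for
#   keywords that are aliases of each other (first of either in the file wins).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" key ")$") { print tolower($2); exit }'
}

# setting KEYWORD DEFAULT   (config text in $CFG)
#   The effective value, or DEFAULT when the keyword is absent.
setting() {
    v=$(printf '%s\n' "$CFG" | sshd_effective "$1")
    if [ -n "$v" ]; then printf '%s' "$v"; else printf '%s' "$2"; fi
}

# audit_sshd_config   (config text on stdin)
#   Prints one FAIL/NOTE line per finding; returns 0 only when nothing FAILs.
#   Defaults assumed for absent keywords follow OpenSSH: PasswordAuthentication
#   yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes.
#   PermitRootLogin's default has changed across releases (yes in old versions,
#   prohibit-password now), so an absent value is treated as "yes" to be safe.
audit_sshd_config() {
    CFG=$(cat)
    rc=0
    v=$(setting PasswordAuthentication yes)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v (want no: key-only login)"; rc=1; }
    v=$(setting 'ChallengeResponseAuthentication|KbdInteractiveAuthentication' yes)
    [ "$v" = no ] || { echo "FAIL ChallengeResponseAuthentication=$v (PAM keyboard-interactive still prompts for a password)"; rc=1; }
    v=$(setting PubkeyAuthentication yes)
    [ "$v" = yes ] || { echo "FAIL PubkeyAuthentication=$v (want yes)"; rc=1; }
    v=$(setting PermitRootLogin yes)
    case $v in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=$v (want no or prohibit-password)"; rc=1 ;;
    esac
    v=$(setting Port 22)
    [ "$v" = 22 ] && echo "NOTE Port=22 (a non-default port cuts scanner noise; it is not a control)"
    return "$rc"
}

# Stand-alone run over the three constructed configs.
echo "== weak";     printf '%s\n' "$WEAK_CONFIG"     | audit_sshd_config || echo "-> not acceptable"
echo "== trap";     printf '%s\n' "$TRAP_CONFIG"     | audit_sshd_config || echo "-> not acceptable"
echo "== hardened"; printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config && echo "-> OK"
```

The TRAP config is the case worth remembering: the appended `PasswordAuthentication no` is silently ignored because an earlier line already set the keyword. Confirm the live result with `sshd -T | grep -i -e passwordauthentication -e kbdinteractive` rather than trusting the file, and keep a second session open while testing key-only login so a mistake cannot lock you out.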


Powered by phpBB® Forum Software © phpBB Group