Brute force attack

I am getting a lot of log entries showing a brute force attack on the router, as shown below. I would like to know:

  1. Are the attackers actually getting an ssh prompt? I whitelisted only our IP addresses, but for some reason it looks like they are still getting to sshd.
  2. How to delete the extra log safely so I can see just the rest of the log.

Sometimes the user is root instead of unknown.

Thank you
Petr

Output of sh log for just 1 minute:

Dec 17 09:29:01 hostname sshd[47440]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:01 hostname sshd[47440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.183.53.170
Dec 17 09:29:04 hostname sshd[47443]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:04 hostname sshd[47443]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=aqg241.internetdsl.tpnet.pl
Dec 17 09:29:05 hostname sshd[47446]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:05 hostname sshd[47446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=52.249.250.232
Dec 17 09:29:05 hostname sshd[47442]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:05 hostname sshd[47442]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.13.119.89
Dec 17 09:29:12 hostname sshd[47450]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:12 hostname sshd[47450]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=197.5.145.116
Dec 17 09:29:13 hostname sshd[47448]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:13 hostname sshd[47448]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.189.238.92
Dec 17 09:29:14 hostname sshd[47452]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:14 hostname sshd[47452]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.36.3.101
Dec 17 09:29:15 hostname sshd[47458]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:15 hostname sshd[47458]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.red-83-48-89.staticip.rima-tde.net
Dec 17 09:29:15 hostname sshd[47455]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:15 hostname sshd[47455]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=177.220.173.3
Dec 17 09:29:15 hostname sshd[47454]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:15 hostname sshd[47454]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.121.223.61
Dec 17 09:29:18 hostname sshd[47460]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:18 hostname sshd[47460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.199.106.232
Dec 17 09:29:20 hostname sshd[47462]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:20 hostname sshd[47462]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-136-99.rev.poneytelecom.eu
Dec 17 09:29:25 hostname sshd[47547]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 09:29:25 hostname sshd[47547]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.120.166.129

They're getting an authentication prompt, yes, but don't appear to be getting in. To stop it, you'll need to firewall off that port and allow subnets as needed. What do your config/firewall rules look like?

set firewall name protect-vyatta rule 2 action drop
set firewall name protect-vyatta rule 2 destination port 22
set firewall name protect-vyatta rule 2 protocol tcp
set firewall name protect-vyatta rule 2 recent count 3
set firewall name protect-vyatta rule 2 recent time 300
set firewall name protect-vyatta rule 2 state new enable

set firewall group network-group MGMT_IN network [my-prefix]

Share full firewall configuration

show configuration commands | match "protect-vyatta"
show firewall name protect-vyatta statistics
show version

Hi, I changed the config slightly, therefore I amended the commands accordingly.

The router has three interfaces, and eth1 and eth2 are in bond1.

csadmin@edge1-thn:~$ show configuration commands | match MGNT_IN
set firewall name MGNT_IN default-action 'drop'
set firewall name MGNT_IN rule 2 action 'drop'
set firewall name MGNT_IN rule 2 destination port '22,22222'
set firewall name MGNT_IN rule 2 protocol 'tcp'
set firewall name MGNT_IN rule 2 recent count '3'
set firewall name MGNT_IN rule 2 recent time '300'
set firewall name MGNT_IN rule 2 state new 'enable'
set firewall name MGNT_IN rule 100 action 'accept'
set firewall name MGNT_IN rule 100 state established 'enable'
set firewall name MGNT_IN rule 100 state related 'enable'
set firewall name MGNT_IN rule 101 action 'accept'
set firewall name MGNT_IN rule 101 destination port '22222'
set firewall name MGNT_IN rule 101 protocol 'tcp'
set firewall name MGNT_IN rule 101 source group network-group 'MGMT_IN'
set firewall name MGNT_IN rule 201 action 'accept'
set firewall name MGNT_IN rule 201 destination port '161'
set firewall name MGNT_IN rule 201 protocol 'udp'
set firewall name MGNT_IN rule 201 source group network-group 'MGMT_IN'
set firewall name MGNT_IN rule 301 action 'accept'
set firewall name MGNT_IN rule 301 destination port '179'
set firewall name MGNT_IN rule 301 protocol 'tcp'
set firewall name MGNT_IN rule 301 source group network-group 'BGP_IN'
set firewall name MGNT_IN rule 401 action 'accept'
set firewall name MGNT_IN rule 401 protocol 'ospf'
set firewall name MGNT_IN rule 401 source group network-group 'CSG_IN'
set firewall name MGNT_IN rule 501 action 'accept'
set firewall name MGNT_IN rule 501 protocol 'icmp'
set firewall name MGNT_IN rule 501 source address '0.0.0.0/0'
set interfaces bonding bond1 firewall local name 'MGNT_IN'
set interfaces ethernet eth0 firewall local name 'MGNT_IN'
set interfaces ethernet eth4 firewall local name 'MGNT_IN'
set interfaces ethernet eth5 firewall local name 'MGNT_IN'

csadmin@edge1-thn:~$ sh firewall name MGNT_IN statistics

Rulesets Information

IPv4 Firewall "MGNT_IN":

Active on (bond1,LOCAL) (eth0,LOCAL) (eth4,LOCAL) (eth5,LOCAL)

rule   packets  bytes    action  source     destination
2      0        0        DROP    0.0.0.0/0  0.0.0.0/0
100    1.00M    302.83M  ACCEPT  0.0.0.0/0  0.0.0.0/0
101    0        0        ACCEPT  0.0.0.0/0  0.0.0.0/0
201    0        0        ACCEPT  0.0.0.0/0  0.0.0.0/0
301    1        64       ACCEPT  0.0.0.0/0  0.0.0.0/0
401    0        0        ACCEPT  0.0.0.0/0  0.0.0.0/0
501    97.31K   8.08M    ACCEPT  0.0.0.0/0  0.0.0.0/0
10000  80.97K   4.26M    DROP    0.0.0.0/0  0.0.0.0/0

csadmin@edge1-thn:~$

set interfaces ethernet eth1 bond-group 'bond1'
set interfaces ethernet eth2 bond-group 'bond1'

csadmin@edge1-thn:~$ sh conf commands | match eth3
set interfaces ethernet eth3 address [IP address]
set interfaces ethernet eth3 description [description]
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id [MAC]
set interfaces ethernet eth3 smp_affinity 'auto'
set interfaces ethernet eth3 speed 'auto'

If you dump traffic, you will see that unique IP addresses are not repeated within 5 minutes.

set firewall name MGNT_IN default-action 'drop'
set firewall name MGNT_IN rule 2 recent count '3'
set firewall name MGNT_IN rule 2 recent time '300'

That rule only drops packets if someone tries to connect to ssh more than 3 times in the last 5 minutes.
If you want to allow ssh only for whitelisted IPs, you need to declare them before and drop all other traffic destined to port 22.

For example:

set firewall group address-group ALLOW-SSH address '203.0.113.1-203.0.113.20'
set firewall name MGMT-IN default-action 'drop'
set firewall name MGMT-IN rule 10 action 'accept'
set firewall name MGMT-IN rule 10 state established 'enable'
set firewall name MGMT-IN rule 10 state related 'enable'
set firewall name MGMT-IN rule 20 action 'accept'
set firewall name MGMT-IN rule 20 icmp type-name 'echo-request'
set firewall name MGMT-IN rule 20 protocol 'icmp'
set firewall name MGMT-IN rule 20 state new 'enable'
set firewall name MGMT-IN rule 30 action 'accept'
set firewall name MGMT-IN rule 30 icmp type-name 'fragmentation-needed'
set firewall name MGMT-IN rule 30 protocol 'icmp'
set firewall name MGMT-IN rule 30 state new 'enable'
set firewall name MGMT-IN rule 40 action 'accept'
set firewall name MGMT-IN rule 40 destination port '22,222'
set firewall name MGMT-IN rule 40 protocol 'tcp'
set firewall name MGMT-IN rule 40 source group address-group 'ALLOW-SSH'
set firewall name MGMT-IN rule 50 action 'drop'
set firewall name MGMT-IN rule 50 destination port '22,2222'
set firewall name MGMT-IN rule 50 log 'enable'
set firewall name MGMT-IN rule 50 protocol 'tcp'
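To see why the recent-count rule never matched in the statistics above (rule 2 at 0 packets) while sshd still logged failures, here is an added Python example, not part of this thread, that replays pam_unix failure lines through a simplified model of a "recent count 3 time 300" state-new rule and counts attempts per source. The log lines, the RFC 5737 addresses and the drop semantics (drop once a source exceeds 3 attempts in a trailing 300 s window) are assumptions for illustration, not the kernel's exact recent-match behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the thread's pam_unix format (RFC 5737 addresses, not real hosts).
SAMPLE_LOG = """\
Dec 17 09:29:01 hostname sshd[47440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Dec 17 09:29:05 hostname sshd[47446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Dec 17 09:29:12 hostname sshd[47450]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Dec 17 09:30:02 hostname sshd[47460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Dec 17 09:31:40 hostname sshd[47470]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Dec 17 09:35:30 hostname sshd[47480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
"""

FAIL_RE = re.compile(  # one pam_unix "authentication failure" line, capturing time and rhost
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def parse_failures(log_text):
    """Yield (timestamp_str, timestamp, rhost) for each auth-failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # syslog stamps carry no year; strptime defaults to 1900, fine for deltas
            yield m["ts"], datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["rhost"]

def simulate_recent(log_text, count=3, seconds=300):
    """Simplified model (assumption, not the kernel's exact recent-match semantics)
    of 'recent count N time T' on a state-new rule: every attempt is recorded and
    an attempt is dropped once its source has more than `count` attempts, this
    one included, within the trailing `seconds` window."""
    seen = defaultdict(deque)  # rhost -> timestamps of attempts still inside the window
    verdicts = []
    for ts_str, ts, rhost in parse_failures(log_text):
        hits = seen[rhost]
        while hits and (ts - hits[0]).total_seconds() > seconds:
            hits.popleft()  # expire attempts older than the window
        hits.append(ts)
        verdicts.append((ts_str, rhost, "DROP" if len(hits) > count else "ACCEPT"))
    return verdicts

def attempts_per_source(log_text):
    """Total failures per rhost: shows how few sources ever repeat."""
    totals = defaultdict(int)
    for _, _, rhost in parse_failures(log_text):
        totals[rhost] += 1
    return dict(totals)
```

Only the fourth attempt from the repeating source, inside the window, is dropped; a source that appears once, as most in the thread's log do, is never touched by the rule, which is why a whitelist accept followed by an unconditional drop on the ssh port is the right ordering.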