HPUX 11.31 hacking issue

sgreyling
Advisor

HPUX 11.31 hacking issue

Hi Everyone,

HPUX 11.31 is connected through a gateway and firewall to the internet with ssh on the firewall disabled, but I still get the following in the syslog.log file.

Feb 9 20:42:19 ecorapr1 sshd[25149]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:19 ecorapr1 sshd[25149]: Invalid user ____ from 93.186.118.171
Feb 9 20:42:19 ecorapr1 sshd[25149]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:21 ecorapr1 sshd[25149]: Failed password for invalid user ____ from 93.186.118.171 port 34685 ssh2
Feb 9 20:42:22 ecorapr1 sshd[25143]: Failed password for root from 218.14.203.206 port 58366 ssh2
Feb 9 20:42:22 ecorapr1 sshd[25184]: SSH: Server;Ltype: Version;Remote: 93.186.118.171-36940;Protocol: 2.0;Client: libssh-0.2
Feb 9 20:42:23 ecorapr1 sshd[25184]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:23 ecorapr1 sshd[25191]: SSH: Server;Ltype: Version;Remote: 218.14.203.206-59986;Protocol: 2.0;Client: libssh-0.1
Feb 9 20:42:25 ecorapr1 sshd[25184]: Failed password for root from 93.186.118.171 port 36940 ssh2
Feb 9 20:42:23 ecorapr1 sshd[25184]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:26 ecorapr1 sshd[25246]: SSH: Server;Ltype: Version;Remote: 93.186.118.171-39429;Protocol: 2.0;Client: libssh-0.2
Feb 9 20:42:27 ecorapr1 sshd[25246]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:28 ecorapr1 sshd[25191]: Failed password for root from 218.14.203.206 port 59986 ssh2
Feb 9 20:42:29 ecorapr1 sshd[25246]: Failed password for root from 93.186.118.171 port 39429 ssh2
Feb 9 20:42:27 ecorapr1 sshd[25246]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:30 ecorapr1 sshd[25280]: SSH: Server;Ltype: Version;Remote: 93.186.118.171-41937;Protocol: 2.0;Client: libssh-0.2
Feb 9 20:42:31 ecorapr1 sshd[25280]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:33 ecorapr1 sshd[25301]: SSH: Server;Ltype: Version;Remote: 218.14.203.206-62367;Protocol: 2.0;Client: libssh-0.1
Feb 9 20:42:33 ecorapr1 sshd[25280]: Failed password for root from 93.186.118.171 port 41937 ssh2
Feb 9 20:42:31 ecorapr1 sshd[25280]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:34 ecorapr1 sshd[25322]: SSH: Server;Ltype: Version;Remote: 93.186.118.171-44342;Protocol: 2.0;Client: libssh-0.2
Feb 9 20:42:36 ecorapr1 sshd[25322]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:37 ecorapr1 sshd[25301]: Failed password for root from 218.14.203.206 port 62367 ssh2
Feb 9 20:42:38 ecorapr1 sshd[25322]: Failed password for root from 93.186.118.171 port 44342 ssh2
Feb 9 20:42:36 ecorapr1 sshd[25322]: gethostbyaddr: mail.greg.com. != 93.186.118.171
Feb 9 20:42:39 ecorapr1 sshd[25382]: SSH: Server;Ltype: Version;Remote: 218.14.203.206-63761;Protocol: 2.0;Client: libssh-0.1
Feb 9 20:42:43 ecorapr1 sshd[25382]: Failed password for root from 218.14.203.206 port 63761 ssh2
Feb 9 20:42:45 ecorapr1 sshd[25440]: SSH: Server;Ltype: Version;Remote: 218.14.203.206-1150;Protocol: 2.0;Client: libssh-0.1
Feb 9 20:42:49 ecorapr1 sshd[25440]: Failed password for root from 218.14.203.206 port 1150 ssh2
Feb 9 20:42:51 ecorapr1 sshd[25487]: SSH: Server;Ltype: Version;Remote: 218.14.203.206-2372;Protocol: 2.0;Client: libssh-0.1
Feb 9 20:42:55 ecorapr1 sshd[25487]: Failed password for root from 218.14.203.206 port 2372 ssh2


It seems we are being hit with an ssh generator.

How can I make this stop?
7 REPLIES
Tim Nelson
Honored Contributor

Re: HPUX 11.31 hacking issue

Create a firewall rule to drop all packets from 93.186.118.171

Tim Nelson
Honored Contributor

Re: HPUX 11.31 hacking issue

Even better.

Create a route on the fw or server to route this address to 127.0.0.1

I will create a black hole for that IP.. poof your server is invisible.

sgreyling
Advisor

Re: HPUX 11.31 hacking issue

It's always coming from different IPs.
Jason Johns
Visitor

Re: HPUX 11.31 hacking issue

Change your ssh port to something other than default if possible. My web server never gets hit since I changed the ssh port to 2222
Jim Walls
Trusted Contributor

Re: HPUX 11.31 hacking issue

>>>>HPUX 11.31 connected through gateway and firewall to internet with ssh on firewall disabled, but still get the following in syslog.log file.

Are you sure ssh is disabled? I'd speak with my networks/firewall people about this.

If you really need ssh from the Internet then you should consider writing a script to monitor this type of activity and block any suspect IP addresses using IPFilter (it's free from http://software.hp.com). We have implemented such a scheme and it works quite well. We block the IP addresses for thirty minutes... which allows legitimate users who may have forgotten their passwords to try again later.
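
One way to implement the monitoring described in the reply above, as an added example (not the poster's script and not HP code): it counts sshd "Failed password" lines per source address in the syslog format from the first post and renders IPFilter block rules with a thirty-minute expiry. The threshold, the five-minute window, the `year` argument (syslog lines carry no year), the function names and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format shown in the first post; the
# addresses are documentation ranges, not the ones from the thread.
SAMPLE = """\
Feb 9 20:42:21 host1 sshd[25149]: Failed password for invalid user test from 192.0.2.10 port 34685 ssh2
Feb 9 20:42:22 host1 sshd[25143]: Failed password for root from 198.51.100.7 port 58366 ssh2
Feb 9 20:42:25 host1 sshd[25184]: Failed password for root from 192.0.2.10 port 36940 ssh2
Feb 9 20:42:29 host1 sshd[25246]: Failed password for root from 192.0.2.10 port 39429 ssh2
Feb 9 20:42:33 host1 sshd[25280]: Failed password for root from 192.0.2.10 port 41937 ssh2
Feb 9 20:55:00 host1 sshd[26001]: Failed password for alice from 203.0.113.5 port 50000 ssh2
"""

# The user name is chosen by the remote client, so the pattern is anchored on the
# end of the line and takes the source address from the final "from ... port".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def find_offenders(text, year, threshold=3, window=timedelta(minutes=5),
                   block_for=timedelta(minutes=30)):
    """Return {ip: unblock_time} for IPs with >= threshold failures inside window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = when + block_for
    return blocked

def ipf_rules(blocked):
    """Render rules for `ipf -f -` (load) or `ipf -r -f -` (remove at unblock time)."""
    return [f"block in quick from {ip}/32 to any" for ip in sorted(blocked)]

if __name__ == "__main__":
    for rule in ipf_rules(find_offenders(SAMPLE, year=2024)):
        print(rule)
```

A single failure, such as a legitimate user mistyping a password once, stays below the threshold and is never blocked.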

TheMrZax
Visitor

Re: HPUX 11.31 hacking issue

How do I change the default ssh port to something else? I have put an entry in /etc/services ssh 2022/tcp but still cannot log in. The firewall now allows port 2022 to this server, but I cannot log in.

Matti_Kurkela
Honored Contributor

Re: HPUX 11.31 hacking issue

sshd does not use /etc/services to determine which port it listens to.

(Only the services configured via /etc/inetd.conf using service names and some other applications that use getservbyname() system calls use /etc/services for port assignment.)

By default, /opt/ssh/etc/sshd_config has a line:

Port 22

If you want sshd to listen on port 2022, you should change it to:

Port 2022

...and then restart sshd:

sh /sbin/init.d/secsh stop
sh /sbin/init.d/secsh start
MK