SSH – How to Track Failed SSH Log-in Attempts

logSecurityssh

I'd like to see if somebody has been trying to log-in by brute-force into my Ubuntu 12.04 server over SSH. How can I see if such activities have been taking place?

Best Answer

All login attempts are logged to /var/log/auth.log.

1. Filter for brute-force interactive SSH logins

Open a terminal, and type the below; if it's longer than 1 page you will be able to scroll up and down; type q to exit:

grep sshd.\*Failed /var/log/auth.log | less

Here's a real example from one of my VPSs:

Aug 18 11:00:57 izxvps sshd[5657]: Failed password for root from 95.58.255.62 port 38980 ssh2
Aug 18 23:08:26 izxvps sshd[5768]: Failed password for root from 91.205.189.15 port 38156 ssh2
Aug 18 23:08:30 izxvps sshd[5770]: Failed password for nobody from 91.205.189.15 port 38556 ssh2
Aug 18 23:08:34 izxvps sshd[5772]: Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2
Aug 18 23:08:38 izxvps sshd[5774]: Failed password for invalid user sjobeck from 91.205.189.15 port 39157 ssh2
Aug 18 23:08:42 izxvps sshd[5776]: Failed password for root from 91.205.189.15 port 39467 ssh2

2. Look for failed connections (i.e. no login attempted, could be a port scanner, etc.):

Use this command:

grep sshd.*Did /var/log/auth.log | less

Example:

Aug  5 22:19:10 izxvps sshd[7748]: Did not receive identification string from 70.91.222.121
Aug 10 19:39:49 izxvps sshd[1919]: Did not receive identification string from 50.57.168.154
Aug 13 23:08:04 izxvps sshd[3562]: Did not receive identification string from 87.216.241.19
Aug 17 15:49:07 izxvps sshd[5350]: Did not receive identification string from 211.22.67.238
Aug 19 06:28:43 izxvps sshd[5838]: Did not receive identification string from 59.151.37.10

How to reduce failed/brute-force login attempts

Try switching your SSH to a non-standard port from the default 22
Or install an auto-ban script such as fail2ban .

Related Solutions

Ubuntu – How to secure ubuntu server from bruteforce ssh attacks

There are different solutions. The best one is using RSA authentication that uses public/private keys to authenticate users.

Check this great manual for different approaches (RSA authentication included): http://www.la-samhna.de/library/brutessh.html

I'm using the 3rd solution on my server because I don't want to make it complicated for my non-technical users: using iptables to limit the number of connections per minute that makes bruteforce attacks inefficient and ineffective.

Here is the solution I'm using:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

As mentioned here: this will allow three port 22 connections from any given IP address within a 60 second period, and require 60 seconds of no subsequent connection attempts before it will resume allowing connections again. The --rttl option also takes into account the TTL of the datagram when matching packets, so as to endeavour to mitigate against spoofed source addresses.

As stated in the mentioned guide, it's better to use a white list to separate trusted users from these rules:

iptables -N SSH_WHITELIST

then add trusted hosts:

iptables -A SSH_WHITELIST -s $TRUSTED_HOST -m recent --remove --name SSH -j ACCEPT

and after that make the rules:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Ubuntu – Scp / ssh log on ssh-server

By default, the OpenSSH server logs to the AUTH facility of syslog, at the INFO level. If you want to record more information - such as failed login attempts - you should increase the logging level to VERBOSE.

It's recommended to log more information if you're curious about malicious SSH traffic.

To increase the level, find the following line in your sshd_config:

LogLevel INFO and change it to this:

LogLevel VERBOSE Now all the details of ssh login attempts will be saved in your /var/log/auth.log file.

More info at: https://help.ubuntu.com/community/SSH/OpenSSH/Configuring