While checking on a problem on a test CentOS Linux system today, I issued the command journalctl -xe from the root account to get more details on the problem. Among the results displayed was an indication of attempts to break into the system by guessing the password of the root account on the system.
# journalctl -xe
Oct 23 16:20:23 moonpoint systemd[1]: Unit mariadb.service entered failed state.
Oct 23 16:20:23 moonpoint systemd[1]: mariadb.service failed.
Oct 23 16:20:23 moonpoint polkitd[1684]: Unregistered Authentication Agent for u
Oct 23 16:21:35 moonpoint sshd[4558]: pam_unix(sshd:auth): authentication failur
Oct 23 16:21:35 moonpoint sshd[4558]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:37 moonpoint sshd[4558]: Failed password for root from 221.131.165.
Oct 23 16:21:38 moonpoint sshd[4558]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:40 moonpoint sshd[4558]: Failed password for root from 221.131.165.
Oct 23 16:21:40 moonpoint sshd[4558]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:42 moonpoint sshd[4558]: Failed password for root from 221.131.165.
Oct 23 16:21:42 moonpoint sshd[4558]: Received disconnect from 221.131.165.50 po
Oct 23 16:21:42 moonpoint sshd[4558]: Disconnected from 221.131.165.50 port 4518
Oct 23 16:21:42 moonpoint sshd[4558]: PAM 2 more authentication failures; lognam
Oct 23 16:21:55 moonpoint sshd[4561]: pam_unix(sshd:auth): authentication failur
Oct 23 16:21:55 moonpoint sshd[4561]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:57 moonpoint sshd[4561]: Failed password for root from 221.131.165.
Oct 23 16:21:57 moonpoint sshd[4561]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:21:59 moonpoint sshd[4561]: Failed password for root from 221.131.165.
Oct 23 16:21:59 moonpoint sshd[4561]: pam_succeed_if(sshd:auth): requirement "ui
Oct 23 16:22:01 moonpoint sshd[4561]: Failed password for root from 221.131.165.
Oct 23 16:22:02 moonpoint sshd[4561]: Received disconnect from 221.131.165.50 po
Oct 23 16:22:02 moonpoint sshd[4561]: Disconnected from 221.131.165.50 port 4175
Oct 23 16:22:02 moonpoint sshd[4561]: PAM 2 more authentication failures; lognam
[root@moonpoint ~]#
When I checked the number of password guesses the attacker had tried by searching for the IP address in /var/log/secure, I found 183 failed login attempts. Note that a plain grep treats the dots in the address as regular-expression wildcards; grep -F matches the string literally.
[root@moonpoint ~]# grep "221.131.165.50" /var/log/secure | grep -c "Failed password"
183
[root@moonpoint ~]#
When I checked the location of the IP address 221.131.165.50 with the geoiplookup program, which is provided by the GeoIP package, I found the address allocated to an entity in China:
[root@moonpoint ~]# geoiplookup 221.131.165.50
GeoIP Country Edition: CN, China
[root@moonpoint ~]#
A check of the IP address on DShield showed that the address has been associated with many attempts at unauthorized access to systems by password guessing - see SSH Source Summary. The DShield IP Info: 221.131.165.50 report for the system currently lists 82,133 reports against 283 targets, with activity first reported on 2021-09-26.
When I ran the journalctl command again later, I saw evidence of attempts from other IP addresses to gain unauthorized access to the system via SSH, so I installed fail2ban to automatically block an IP address once a specified number of failed SSH login attempts has been detected from it.
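The grep count above and the fail2ban threshold described here are the same detection logic: count "Failed password" lines per source address and act once a limit is crossed within a time window. The following script is an added example, not code from the original post or from the fail2ban project. It parses sshd lines in the /var/log/secure format, counts failures per IP, and re-implements fail2ban's maxretry/findtime sliding-window semantics in a stand-alone function; the log lines, IP addresses, usernames, and the default year are constructed for illustration.

```python
"""Count failed SSH password attempts per source IP in sshd log lines and
flag addresses that exceed a fail2ban-style threshold (maxretry failures
within findtime seconds). Added example, not code from the original post.
The sample log lines below are constructed for illustration; they follow the
/var/log/secure format shown on the page but are not real records."""
import re
from collections import defaultdict
from datetime import datetime

# Matches sshd "Failed password" lines as written by OpenSSH via syslog, e.g.
# "Oct 23 16:21:37 host sshd[4558]: Failed password for root from 1.2.3.4 port 4518 ssh2"
# "invalid user" is inserted for accounts that do not exist on the system.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2021):
    """Yield (timestamp, user, ip) for each failed-password line.
    syslog timestamps carry no year, so one is assumed (hypothetical default)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins, PAM messages, disconnects, etc.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")


def failures_per_ip(lines):
    """Equivalent of grep <ip> /var/log/secure | grep -c 'Failed password',
    computed for every source IP at once (and matching the IP literally)."""
    counts = defaultdict(int)
    for _, _, ip in parse_failures(lines):
        counts[ip] += 1
    return dict(counts)


def ips_to_ban(lines, maxretry=5, findtime=600):
    """Return the IPs with >= maxretry failures inside any findtime-second window.
    This mirrors fail2ban's maxretry/findtime semantics (a sliding window over
    failure timestamps) but is a stand-alone re-implementation, not fail2ban."""
    by_ip = defaultdict(list)
    for ts, _, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # shrink the window from the left until it spans <= findtime seconds
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


# Constructed sample: one noisy IP with 6 failures in about 25 seconds, one IP
# whose two failures are an hour apart, and unrelated lines that must be ignored.
SAMPLE_LOG = """\
Oct 23 16:21:35 moonpoint sshd[4558]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Oct 23 16:21:37 moonpoint sshd[4558]: Failed password for root from 203.0.113.7 port 4518 ssh2
Oct 23 16:21:40 moonpoint sshd[4558]: Failed password for root from 203.0.113.7 port 4518 ssh2
Oct 23 16:21:42 moonpoint sshd[4558]: Failed password for root from 203.0.113.7 port 4518 ssh2
Oct 23 16:21:42 moonpoint sshd[4558]: Received disconnect from 203.0.113.7 port 4518:11: Bye [preauth]
Oct 23 16:21:57 moonpoint sshd[4561]: Failed password for invalid user admin from 203.0.113.7 port 4175 ssh2
Oct 23 16:21:59 moonpoint sshd[4561]: Failed password for invalid user admin from 203.0.113.7 port 4175 ssh2
Oct 23 16:22:01 moonpoint sshd[4561]: Failed password for root from 203.0.113.7 port 4175 ssh2
Oct 23 16:30:00 moonpoint sshd[4590]: Failed password for alice from 198.51.100.9 port 50022 ssh2
Oct 23 16:30:15 moonpoint sshd[4590]: Accepted publickey for alice from 198.51.100.9 port 50022 ssh2: ED25519 SHA256:abc
Oct 23 17:30:00 moonpoint sshd[4700]: Failed password for alice from 198.51.100.9 port 50100 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, n in sorted(failures_per_ip(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed password attempts")
    print("would ban:", sorted(ips_to_ban(SAMPLE_LOG)))
```

To run it against a real system, replace SAMPLE_LOG with the lines of /var/log/secure (or the output of journalctl -u sshd --no-pager). The findtime window matters: the legitimate user in the sample has two failures an hour apart and is never banned at the default settings, whereas the attacker's burst trips the threshold within seconds, which is the distinction fail2ban's findtime exists to make.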
Related
- Blocking SSH break-in attempts with fail2ban (October 23, 2021)
- Finding which package provided a file on a CentOS Linux system (October 23, 2021)
- Fail2ban Logging (April 9, 2016)