{"id":3494,"date":"2017-02-18T22:36:21","date_gmt":"2017-02-18T18:36:21","guid":{"rendered":"https:\/\/nayarweb.com\/blog\/?p=3494"},"modified":"2017-02-18T22:36:21","modified_gmt":"2017-02-18T18:36:21","slug":"detecting-brute-force-attacks-on-linux-using-graylogelasticsearch","status":"publish","type":"post","link":"https:\/\/nayarweb.com\/blog\/2017\/detecting-brute-force-attacks-on-linux-using-graylogelasticsearch\/","title":{"rendered":"Detecting Brute Force Attacks on Linux using Graylog\/Elasticsearch"},"content":{"rendered":"<p>I noticed that one of my servers was sending far more logs than the others. `sshd` was the application sending the most logs in the last 24 hours.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-3503\" src=\"https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-10.12.12-PM-1024x389.png\" alt=\"\" width=\"640\" height=\"243\" srcset=\"https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-10.12.12-PM-1024x389.png 1024w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-10.12.12-PM-300x114.png 300w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-10.12.12-PM-768x292.png 768w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-10.12.12-PM.png 1074w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>The logs look like these:<\/p>\n<blockquote><p>pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.52 user=root<\/p>\n<p>Failed password for root from 116.31.116.52 port 14281 ssh2<\/p>\n<p>message repeated 2 times: [ Failed password for root from 116.31.116.52 port 14281 ssh2]<\/p>\n<p>Received disconnect from 116.31.116.52 port 14281:11: [preauth]<\/p>\n<p>Disconnected from 116.31.116.52 port 14281 [preauth]<\/p>\n<p>PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.52 user=root<\/p><\/blockquote>\n<p>Since the source address of every attempt is logged (rhost= in the PAM line and the address in the Failed password line), I can see where these are coming from. Let&#8217;s generate a map.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-3497\" src=\"https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.41-PM-1024x460.png\" alt=\"\" width=\"640\" height=\"288\" srcset=\"https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.41-PM-1024x460.png 1024w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.41-PM-300x135.png 300w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.41-PM-768x345.png 768w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.41-PM.png 1080w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>Well well well, 5437 occurrences from China. Gotta do something. Here&#8217;s the frequency of the attacks this week.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-3499\" src=\"https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.07-PM-1024x546.png\" alt=\"\" width=\"640\" height=\"341\" srcset=\"https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.07-PM-1024x546.png 1024w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.07-PM-300x160.png 300w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.07-PM-768x410.png 768w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.07-PM-1272x678.png 1272w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.18.07-PM.png 1440w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>It seems to have ramped up today. Looking at the logs, we can see that they were trying different passwords for the user `root`. Lemme just disable password authentication for SSH. Before doing this, make sure key-based login already works and keep the current session open until the new config is confirmed to work, otherwise you lock yourself out of the server.<\/p>\n<blockquote><p>$ vim \/etc\/ssh\/sshd_config<\/p><\/blockquote>\n<p>Change the line<\/p>\n<blockquote><p><span class=\"s1\">#PasswordAuthentication yes<\/span><\/p><\/blockquote>\n<p>to<\/p>\n<blockquote>\n<p class=\"p1\"><span class=\"s1\">PasswordAuthentication no<\/span><\/p>\n<\/blockquote>\n<p>If UsePAM is on, also make sure ChallengeResponseAuthentication is set to no, otherwise keyboard-interactive authentication still prompts for a password and the guessing continues through that path. Check the file with `sshd -t` before restarting, then:<\/p>\n<blockquote><p class=\"p1\">$ service ssh restart<\/p><\/blockquote>\n<p class=\"p1\">And we can see that the failed-password logs are no longer appearing \ud83d\ude09<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-3496\" src=\"https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.19.53-PM-1024x259.png\" alt=\"\" width=\"640\" height=\"162\" srcset=\"https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.19.53-PM-1024x259.png 1024w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.19.53-PM-300x76.png 300w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.19.53-PM-768x194.png 768w, https:\/\/nayarweb.com\/blog\/wp-content\/uploads\/2017\/02\/Screen-Shot-2017-02-18-at-9.19.53-PM.png 1076w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<h2>Do you wish to analyse your server logs too? Feel free to message me on Facebook, Twitter or LinkedIn<\/h2>\n","protected":false},"excerpt":{"rendered":"<p>I noticed that one of my servers was sending far more logs than the others. `sshd` was the application sending the most logs in the last 24 hours. 
The logs look like these: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.52 user=root Failed password for root from 116.31.116.52 port 14281 ssh2 message repeated 2 &hellip; <a href=\"https:\/\/nayarweb.com\/blog\/2017\/detecting-brute-force-attacks-on-linux-using-graylogelasticsearch\/\" class=\"continue-reading\">Continue reading <span class=\"screen-reader-text\">Detecting Brute Force Attacks on Linux using Graylog\/Elasticsearch<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[210],"tags":[224,225,226,61,223],"class_list":["post-3494","post","type-post","status-publish","format-standard","hentry","category-technology","tag-big-data","tag-elasticsearch","tag-graylog","tag-linux","tag-system-administration"],"_links":{"self":[{"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/posts\/3494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/comments?post=3494"}],"version-history":[{"count":4,"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/posts\/3494\/revisions"}],"predecessor-version":[{"id":3506,"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/posts\/3494\/revisions\/3506"}],"wp:attachment":[{"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/media?parent=3494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/categories?post=3494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nayarweb.com\/blog\/wp-json\/wp\/v2\/tags?post=3494"}],"curies":[{"name":"wp"
,"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
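As an added example (not code from the post or from Graylog), here is the same detection the post does by eye, run over a few constructed sshd log lines in the format quoted above, together with the sshd_config change from the end of the post applied programmatically. The log lines, the sample config and the alert threshold are assumptions; the only real identifiers are the log message formats.

```python
"""Added example, not code from the post: count sshd password failures per
source IP in syslog lines like the ones quoted above, flag brute-force sources,
and make the sshd_config change the post makes.  The log lines and the config
are constructed samples; the alert threshold is an assumption."""
import re
from collections import Counter, defaultdict

# sshd's own failure line, with or without the "invalid user" prefix:
#   Failed password for root from 116.31.116.52 port 14281 ssh2
#   Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)
# syslog collapses repeats, so the count has to be added back:
#   message repeated 2 times: [ Failed password for root from ... ssh2]
REPEATED_RE = re.compile(r"message repeated (?P<n>\d+) times: \[ (?P<inner>.*?)\]")


def parse_failures(lines):
    """Yield (ip, user, count) for every line that records password failures.

    The pam_unix "authentication failure" and "PAM N more authentication failures"
    lines describe the same attempts as sshd's "Failed password" lines, so they
    are ignored on purpose to avoid double counting."""
    for line in lines:
        rep = REPEATED_RE.search(line)
        if rep:
            inner = FAILED_RE.search(rep.group("inner"))
            if inner:
                yield inner.group("ip"), inner.group("user"), int(rep.group("n"))
            continue
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), 1


def brute_force_sources(lines, threshold=5):
    """Return {ip: {"failures": n, "users": [...]}} for IPs at or above threshold."""
    failures, users = Counter(), defaultdict(set)
    for ip, user, n in parse_failures(lines):
        failures[ip] += n
        users[ip].add(user)
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in failures.items() if n >= threshold}


def set_global_directive(config_text, name, value):
    """Return sshd_config text with "name value" set in the global section.

    sshd keeps the first value it reads for a directive and everything after a
    Match line is conditional, so: a commented default such as
    "#PasswordAuthentication yes" is replaced in place, later global duplicates
    are dropped, a missing directive is inserted before the first Match block,
    and directives inside Match blocks are left alone."""
    directive_re = re.compile(r"(?i)^#?\s*" + re.escape(name) + r"\s+\S+$")
    out, done, in_match = [], False, False
    for line in config_text.splitlines():
        stripped = line.strip()
        if re.match(r"(?i)^match\b", stripped):
            in_match = True
        if not in_match and directive_re.match(stripped):
            if not done:
                out.append(f"{name} {value}")
                done = True
            continue
        out.append(line)
    if not done:
        first_match = next((i for i, l in enumerate(out)
                            if re.match(r"(?i)^\s*match\b", l)), len(out))
        out.insert(first_match, f"{name} {value}")
    return "\n".join(out) + "\n"


def harden_sshd_config(config_text):
    """The post's change, plus ChallengeResponseAuthentication: with UsePAM yes,
    keyboard-interactive auth still prompts for a password unless it is off too."""
    text = set_global_directive(config_text, "PasswordAuthentication", "no")
    return set_global_directive(text, "ChallengeResponseAuthentication", "no")


# Constructed sample input: syslog prefix plus the message formats quoted in the post.
SAMPLE_LOGS = [
    "Feb 18 21:05:01 web1 sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.52 user=root",
    "Feb 18 21:05:03 web1 sshd[2201]: Failed password for root from 116.31.116.52 port 14281 ssh2",
    "Feb 18 21:05:07 web1 sshd[2201]: message repeated 2 times: [ Failed password for root from 116.31.116.52 port 14281 ssh2]",
    "Feb 18 21:05:08 web1 sshd[2201]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.52 user=root",
    "Feb 18 21:06:10 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "Feb 18 21:06:40 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 50131 ssh2",
    "Feb 18 21:07:00 web1 sshd[2220]: Accepted publickey for deploy from 198.51.100.9 port 40001 ssh2",
]
SAMPLE_SSHD_CONFIG = """# constructed sample with Debian-style defaults
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOGS, threshold=3).items():
        print(f"{ip}: {info['failures']} failed passwords for {', '.join(info['users'])}")
    print(harden_sshd_config(SAMPLE_SSHD_CONFIG), end="")
```

On the sample input only 116.31.116.52 crosses a threshold of 3 (one Failed password line plus the two collapsed repeats), while 203.0.113.7 stays below it; the PAM lines and the Accepted publickey line contribute nothing. The same per-source count is what the post's Graylog map and histogram show, and the threshold is the value you would alert on. The config function is idempotent and leaves the Match block's own PasswordAuthentication untouched, which is the one place a deliberate password exception would live.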