Possible Break In Attempt? Understanding the auth log better



foundrman
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 01, 2013 2:43 pm


Post by foundrman » Fri Nov 29, 2013 4:45 pm

Greetings All- I'm currently running OpenVPN on my Amazon EC2 server. This is mostly a learning experience for me more than anything else. While reviewing the (Ubuntu) server auth log this morning, I discovered the following:


Nov 25 01:32:00 XXXX-XX-XX-XX-XX-XX-XX sshd[12574]: Address 198.XX.XXX.XX164 maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:00 XXXX-XX-XX-XX-XX-XX-XX sshd[12574]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:00 XXXX-XX-XX-XX-XX-XX-XX sshd[12576]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:00 XXXX-XX-XX-XX-XX-XX-XX sshd[12576]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:01 XXXX-XX-XX-XX-XX-XX-XX sshd[12578]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:01 XXXX-XX-XX-XX-XX-XX-XX sshd[12578]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:01 XXXX-XX-XX-XX-XX-XX-XX sshd[12580]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:01 XXXX-XX-XX-XX-XX-XX-XX sshd[12580]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:01 XXXX-XX-XX-XX-XX-XX-XX sshd[12582]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:01 XXXX-XX-XX-XX-XX-XX-XX sshd[12582]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:02 XXXX-XX-XX-XX-XX-XX-XX sshd[12584]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:02 XXXX-XX-XX-XX-XX-XX-XX sshd[12584]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:02 XXXX-XX-XX-XX-XX-XX-XX sshd[12586]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:02 XXXX-XX-XX-XX-XX-XX-XX sshd[12586]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:02 XXXX-XX-XX-XX-XX-XX-XX sshd[12588]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:02 XXXX-XX-XX-XX-XX-XX-XX sshd[12588]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:03 XXXX-XX-XX-XX-XX-XX-XX sshd[12590]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:03 XXXX-XX-XX-XX-XX-XX-XX sshd[12590]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:03 XXXX-XX-XX-XX-XX-XX-XX sshd[12592]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:03 XXXX-XX-XX-XX-XX-XX-XX sshd[12592]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:03 XXXX-XX-XX-XX-XX-XX-XX sshd[12594]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:03 XXXX-XX-XX-XX-XX-XX-XX sshd[12594]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12596]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12596]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12598]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12598]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12600]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12600]: Invalid user oracle from 198.XX.XXX.
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12600]: input_userauth_request: invalid user oracle [preauth]
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12600]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12602]: Address 198.XX.XXX. maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12602]: Invalid user oracle from 198.XX.XXX.
Nov 25 01:32:04 XXXX-XX-XX-XX-XX-XX-XX sshd[12602]: input_userauth_request: invalid user oracle [preauth]
Nov 25 01:32:05 XXXX-XX-XX-XX-XX-XX-XX sshd[12602]: Received disconnect from 198.XX.XXX.: 11: Bye Bye [preauth]
My reading of this is that someone (automated) attempted logins against my particular server (whose IP is within the well-known range belonging to Amazon) using the user "oracle" (which of course didn't work). They tried a number of times before giving up.

I should also add that the IP maps back to two specific domains, one of which was registered the day of the "attacks" and the other three days prior.

Can anyone shed any additional light on this?

Thanks!
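The lines in the excerpt above carry three separate signals: the reverse-DNS warning, the "Invalid user" lines, and the pre-auth disconnects. As an added example that is not part of the thread, the script below parses lines of that shape, groups them by source address and flags a source when several pre-auth disconnects land inside a short window. The sample log is constructed to mirror the post, with RFC 5737 documentation addresses (198.51.100.23, 203.0.113.9) standing in for the redacted ones and "host" for the redacted EC2 hostname; the regular expressions and threshold are assumptions of this example, not anything from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the auth.log excerpt in the post above.
# 198.51.100.23 and 203.0.113.9 are RFC 5737 documentation addresses standing
# in for the redacted ones; "host" replaces the redacted EC2 hostname.
SAMPLE_LOG = """\
Nov 25 01:32:00 host sshd[12574]: Address 198.51.100.23 maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:00 host sshd[12574]: Received disconnect from 198.51.100.23: 11: Bye Bye [preauth]
Nov 25 01:32:04 host sshd[12600]: Address 198.51.100.23 maps to mav11.chev.4p.org, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 01:32:04 host sshd[12600]: Invalid user oracle from 198.51.100.23
Nov 25 01:32:04 host sshd[12600]: input_userauth_request: invalid user oracle [preauth]
Nov 25 01:32:04 host sshd[12600]: Received disconnect from 198.51.100.23: 11: Bye Bye [preauth]
Nov 25 01:32:05 host sshd[12602]: Invalid user oracle from 198.51.100.23
Nov 25 01:32:05 host sshd[12602]: Received disconnect from 198.51.100.23: 11: Bye Bye [preauth]
Nov 25 08:15:10 host sshd[13001]: Accepted publickey for ubuntu from 203.0.113.9 port 50211 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS hostname sshd[pid]: message" (no year in the timestamp)
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FCRDNS_RE = re.compile(r"^Address (?P<ip>\S+) maps to (?P<host>[^,]+), but this does not map back")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
# "[^:]+" is enough for IPv4 sources; an IPv6 source would need a different capture
PREAUTH_RE = re.compile(r"^Received disconnect from (?P<ip>[^:]+): \d+: .*\[preauth\]")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for \S+ from (?P<ip>\S+) port \d+")


def _burst(times, window_seconds):
    """Largest number of events falling inside any window_seconds-wide span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(log_text, window_seconds=60, threshold=3):
    """Summarise sshd activity per source IP and flag pre-auth bursts.

    A source is flagged when `threshold` or more connections were dropped
    before authentication within `window_seconds`; a log-based banning tool
    applies the same shape of rule before blocking an address.
    """
    per_ip = defaultdict(lambda: {"preauth": [], "invalid_users": set(),
                                  "fcrdns_hosts": set(), "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year; strptime fills in 1900, which is fine for relative timing
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        msg = m["msg"]
        hit = FCRDNS_RE.match(msg)
        if hit:
            per_ip[hit["ip"]]["fcrdns_hosts"].add(hit["host"])
            continue
        hit = INVALID_RE.match(msg)
        if hit:
            per_ip[hit["ip"]]["invalid_users"].add(hit["user"])
            continue
        hit = PREAUTH_RE.match(msg)
        if hit:
            per_ip[hit["ip"]]["preauth"].append(ts)
            continue
        hit = ACCEPTED_RE.match(msg)
        if hit:
            per_ip[hit["ip"]]["accepted"] += 1

    report = {}
    for ip, d in per_ip.items():
        burst = _burst(d["preauth"], window_seconds)
        report[ip] = {
            "preauth_disconnects": len(d["preauth"]),
            "burst": burst,
            "invalid_users": sorted(d["invalid_users"]),
            "fcrdns_hosts": sorted(d["fcrdns_hosts"]),
            "accepted": d["accepted"],
            "flagged": burst >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample, the scanning source shows three pre-auth disconnects inside five seconds, one invalid username and one reverse-DNS mismatch, and is flagged; the key-based login from the second address is counted but not flagged. The reverse-DNS host is recorded as context only, since the flagging rule keys on the connection burst.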

JoshC
OpenVPN User
Posts: 37
Joined: Sun Jun 23, 2013 3:42 pm

Re: Possible Break In Attempt? Understanding the auth log be

Post by JoshC » Tue Dec 10, 2013 3:19 pm

FYI, this is not at all OpenVPN related & the thread has been moved to the 'Off Topic' forum. This is about OpenSSH and not OpenVPN.

The log error is warning you that the IP fails a forward-confirmed reverse DNS lookup, a possible sign that something nefarious is going on (or simply a misconfiguration by the DNS/domain owner).

If you don't like such login attempts to your ssh server, I suggest you harden your ssh setup; consider using a non-standard port (besides 22) to reduce the scan attempts; consider rate-limiting connection attempts per IP or CIDR block (Netfilter's hashlimit can do this); consider disabling password auth and allowing only public-key authentication.
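To make the forward-confirmed reverse DNS check concrete, here is an added example (not code from the thread) that performs it: take the name from the address's PTR record, resolve that name forward, and require the original address to be among the results. The lookup functions are injectable so the failing case can be shown offline; the PTR and A data in the block are constructed (only the hostname mav11.chev.4p.org is taken from the post, the addresses are RFC 5737 documentation values), and the last function simply reproduces the wording sshd used in the excerpt.

```python
import socket

# Constructed reverse (PTR) and forward (A) data used for the offline demo.
# The name mav11.chev.4p.org is the one quoted in the thread; the addresses are
# RFC 5737 documentation addresses, not real resolution results.
FAKE_PTR = {"198.51.100.23": "mav11.chev.4p.org", "203.0.113.9": "mail.example.net"}
FAKE_A = {"mav11.chev.4p.org": ["192.0.2.77"], "mail.example.net": ["203.0.113.9"]}


def fake_reverse(ip):
    """Stand-in for a PTR lookup against the constructed data."""
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(host):
    """Stand-in for an A/AAAA lookup against the constructed data."""
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return list(FAKE_A[host])


def system_reverse(ip):
    """Real PTR lookup through the resolver library (raises socket.herror, an OSError)."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(host):
    """Real forward lookup; returns every address the name resolves to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def fcrdns_check(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: the name in the PTR record must resolve
    back to the address being checked. Returns (ok, hostname, reason)."""
    try:
        host = reverse(ip)
    except OSError:
        return (False, None, "no PTR record")
    try:
        addresses = set(forward(host))
    except OSError:
        return (False, host, "PTR name does not resolve")
    if ip in addresses:
        return (True, host, "forward-confirmed")
    return (False, host, "PTR name does not map back to the address")


def sshd_style_message(ip, reverse=system_reverse, forward=system_forward):
    """Reproduce the wording sshd used in the log excerpt for the mismatch case;
    None when the lookup is consistent or there is no PTR record at all."""
    ok, host, _ = fcrdns_check(ip, reverse, forward)
    if ok or host is None:
        return None
    return (f"Address {ip} maps to {host}, but this does not map back to the "
            f"address - POSSIBLE BREAK-IN ATTEMPT!")
```

Two things follow from the logic. The reverse zone for an address block is delegated to whoever holds that block, so a passing check says nothing about intent and a failing one is very often just an unmaintained PTR record; the warning is context for the "Invalid user" lines next to it, not a detection on its own. And sshd only performs the lookup when its UseDNS option is enabled, which is why the message appears on some hosts and not others.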
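The hardening advice above (non-default port, keys instead of passwords) maps onto a handful of sshd_config keywords. As an added example, not from the thread or the OpenSSH project, the block below holds a constructed weak configuration beside its hardened counterpart and a small auditor that applies sshd's own rules for reading the file (keywords are case-insensitive, the first occurrence wins, Match blocks are conditional) before reporting which settings fall short. The keywords are real sshd_config options; the two config fragments, the check list and the advice strings are this example's assumptions.

```python
# Two constructed sshd_config fragments (not from the thread): the settings the
# reply above argues against, and the hardened equivalent.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
"""

# (keyword, required value, why it matters) for the global section of sshd_config
CHECKS = [
    ("passwordauthentication", "no", "passwords can be guessed by automated clients; keys cannot"),
    ("challengeresponseauthentication", "no", "keyboard-interactive is another route to a password prompt"),
    ("pubkeyauthentication", "yes", "must stay enabled once passwords are off, or nobody can log in"),
    ("permitrootlogin", "no", "root is the first account every scanner tries"),
]


def parse_sshd_config(text):
    """Return the global keyword/value pairs of an sshd_config.

    Mirrors two sshd rules: keywords are case-insensitive and the first
    occurrence of a keyword wins. Parsing stops at the first Match block,
    whose settings are conditional and need separate treatment.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)      # first occurrence wins
    return settings


def audit_sshd_config(text):
    """List (keyword, current value, advice) for every setting that falls short."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted, why in CHECKS:
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "unset",
                             f"not set explicitly, so the sshd default applies; set it to '{wanted}' ({why})"))
        elif actual.lower() != wanted:
            findings.append((key, actual, f"should be '{wanted}': {why}"))
    port = settings.get("port", "22")
    if port == "22":
        findings.append(("port", port,
                         "the default port attracts the most scanning; moving it cuts log noise, not risk"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

Run against the weak fragment the auditor reports five findings (two explicit weak values, two keywords left at their defaults, and the default port); the hardened fragment produces none. Keep a second session open while applying PasswordAuthentication no on a live host, and confirm a key login works before closing it.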

foundrman
OpenVpn Newbie
Posts: 8
Joined: Tue Oct 01, 2013 2:43 pm

Re: Possible Break In Attempt? Understanding the auth log be

Post by foundrman » Tue Dec 10, 2013 6:03 pm

Thanks, I discovered the issue. I use fail2ban now and that seems to do a good job.
