A brute force attack consists of systematically trying possible passwords until the correct one is found. If a host is exposed directly to the Internet (WAN) and runs an SSH service, it becomes the target of constant brute force attacks performed by automated tools such as hydra.
To detect SSH brute force attempts on systems running the systemd service manager (CentOS7/Fedora21/RHEL7), you can use the journalctl command to read the sshd unit's log and filter for failed logins:
[root@router ~]# journalctl -u sshd | grep "Failed password"
May 09 17:37:08 router sshd[2303]: Failed password for root from 222.186.21.231 port 42258 ssh2
May 09 17:37:10 router sshd[2303]: Failed password for root from 222.186.21.231 port 42258 ssh2
May 09 17:37:14 router sshd[2303]: Failed password for root from 222.186.21.231 port 42258 ssh2
May 09 17:37:20 router sshd[2333]: Failed password for root from 222.186.21.231 port 38834 ssh2
May 09 17:37:22 router sshd[2333]: Failed password for root from 222.186.21.231 port 38834 ssh2
May 09 17:37:25 router sshd[2333]: Failed password for root from 222.186.21.231 port 38834 ssh2
May 09 17:37:31 router sshd[2344]: Failed password for root from 222.186.21.231 port 35444 ssh2
...
On older Red Hat based systems using upstart (CentOS6/RHEL6) you can simply search for intrusion attempts in the file /var/log/secure:
[root@router ~]# cat /var/log/secure | grep "Failed password"
May 09 17:37:08 router sshd[2303]: Failed password for root from 222.186.21.231 port 42258 ssh2
May 09 17:37:10 router sshd[2303]: Failed password for root from 222.186.21.231 port 42258 ssh2
...
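Grepping for "Failed password" shows the raw lines, but a brute force is really a pattern: many failures from one source in a short time. The following script is an added example, not part of the original post: it parses sshd "Failed password" lines in the format shown above (from journalctl or /var/log/secure), groups them by source IP, and flags any IP that produces at least a threshold number of failures inside a sliding time window, collecting the details (first/last seen, usernames tried, ports) that an abuse report needs. The log lines embedded in it are constructed sample data modelled on the output above; the year 2015 is an assumption, since syslog-style timestamps carry no year.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd writes to the journal and /var/log/secure.
# One host hammers root and an invalid user; a legitimate user mistypes once and then logs in.
SAMPLE_LOG = """\
May 09 17:37:08 router sshd[2303]: Failed password for root from 222.186.21.231 port 42258 ssh2
May 09 17:37:10 router sshd[2303]: Failed password for root from 222.186.21.231 port 42258 ssh2
May 09 17:37:14 router sshd[2303]: Failed password for root from 222.186.21.231 port 42258 ssh2
May 09 17:37:20 router sshd[2333]: Failed password for root from 222.186.21.231 port 38834 ssh2
May 09 17:37:22 router sshd[2333]: Failed password for invalid user admin from 222.186.21.231 port 38834 ssh2
May 09 17:37:25 router sshd[2333]: Failed password for root from 222.186.21.231 port 38834 ssh2
May 09 17:38:01 router sshd[2350]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
May 09 17:40:02 router sshd[2360]: Failed password for alice from 192.0.2.10 port 51002 ssh2
May 09 17:40:09 router sshd[2360]: Accepted password for alice from 192.0.2.10 port 51002 ssh2
"""

# sshd logs "Failed password for USER from IP port PORT" and, for unknown accounts,
# "Failed password for invalid user USER from IP port PORT".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failures(log_text, year=2015):
    """Return a list of (timestamp, user, ip, port) for every failed password line.

    Syslog timestamps have no year, so the caller supplies one (assumed 2015 here).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip"), int(m.group("port"))))
    return events


def find_brute_force(events, threshold=5, window_seconds=60):
    """Flag every source IP with >= threshold failures inside any window_seconds span.

    Returns {ip: summary} where summary holds the facts worth putting in an abuse report.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, port in events:
        by_ip[ip].append((ts, user, port))

    offenders = {}
    for ip, hits in by_ip.items():
        hits.sort()  # chronological order; tuples sort by timestamp first
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until [start, end] fits in window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = {
                    "attempts": len(hits),
                    "first_seen": hits[0][0],
                    "last_seen": hits[-1][0],
                    "users": sorted({u for _, u, _ in hits}),
                    "ports": sorted({p for _, _, p in hits}),
                }
                break  # one qualifying window is enough to flag this IP
    return offenders


def format_report(ip, summary):
    """Render one offender as the plain-text block you would paste into an abuse email."""
    return (
        f"Source IP: {ip}\n"
        f"Failed SSH logins: {summary['attempts']}\n"
        f"First seen: {summary['first_seen']:%Y-%m-%d %H:%M:%S} (server local time)\n"
        f"Last seen:  {summary['last_seen']:%Y-%m-%d %H:%M:%S} (server local time)\n"
        f"Usernames tried: {', '.join(summary['users'])}\n"
        f"Source ports: {', '.join(str(p) for p in summary['ports'])}\n"
    )


if __name__ == "__main__":
    # Pipe real logs in (journalctl -u sshd | python3 ssh_bruteforce.py); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, summary in find_brute_force(parse_failures(text)).items():
        print(format_report(ip, summary))
```

With the sample data the attacking host is flagged (six failures in seventeen seconds, two usernames), while the legitimate user's single typo stays below the threshold. Tune threshold and window_seconds to your environment; a low threshold with a long window catches slow "low and slow" guessing but will also catch users who genuinely forget their password.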
Now that we have the attacker's IP, let's check which network it belongs to using the whois command:
[root@router ~]# whois 222.186.21.231
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '222.184.0.0 - 222.191.255.255'
inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS
remarks: This object can only modify by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to hostmaster@apnic.net with your
remarks: organisation account name in the subject line.
changed: hm-changed@apnic.net 20040223
status: ALLOCATED PORTABLE
source: APNIC
role: CHINANET JIANGSU
address: 260 Zhongyang Road,Nanjing 210037
country: CN
phone: +86-25-86588231
phone: +86-25-86588745
fax-no: +86-25-86588104
e-mail: ip@jsinfo.net
remarks: send anti-spam reports to spam@jsinfo.net
remarks: send abuse reports to abuse@jsinfo.net
remarks: times in GMT+8
admin-c: CH360-AP
tech-c: CS306-AP
tech-c: CN142-AP
nic-hdl: CJ186-AP
remarks: www.jsinfo.net
notify: ip@jsinfo.net
mnt-by: MAINT-CHINANET-JS
changed: dns@jsinfo.net 20090831
changed: ip@jsinfo.net 20090831
changed: hm-changed@apnic.net 20090901
source: APNIC
changed: hm-changed@apnic.net 20111114
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
changed: zhengzm@gsta.com 20140227
mnt-by: MAINT-CHINANET
source: APNIC
% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
The whois command queries a WHOIS database (RFC 3912) for the object, here the ISP's network allocation, that contains the given IP.
Now let's look for abuse contact information for this ISP:
[root@router ~]# whois 222.186.21.231 | grep abuse
remarks: send abuse reports to abuse@jsinfo.net
Now we can send an email to abuse@jsinfo.net with the attacker's details so that the ISP can block the attempts.
Very nice doc. This doc made my work easy. Thank you so much… Appreciated
Thank you, well detailed info