
My server logs are being filled with Connection reset by xxx.xxx.xxx.xxx [preauth]:

$ cat /var/log/auth.log | grep 'Connection reset'
Mar 13 19:52:30 server sshd[29366]: Connection reset by xxx.xxx.xxx.xxx [preauth]
Mar 13 19:52:33 server sshd[29366]: Connection reset by xxx.xxx.xxx.xxx [preauth]
Mar 13 19:52:41 server sshd[29366]: Connection reset by xxx.xxx.xxx.xxx [preauth]
Mar 13 19:52:50 server sshd[29366]: Connection reset by xxx.xxx.xxx.xxx [preauth]
Mar 13 19:52:53 server sshd[29366]: Connection reset by xxx.xxx.xxx.xxx [preauth]
...

This goes on for hours and hours. The IP address in question has not attempted any legitimate login attempts.

As I understand it, a connection reset is roughly analogous to dialing someone's phone, and then immediately hanging up. So what goal is this person trying to achieve?

(As a secondary question, is there a fail2ban regex which will detect this behavior and stop it?)

user14717
    This is normal behavior. The bruteforce bots are connecting to your server expecting a password prompt, but quickly become disappointed as they realize your server only accepts keys (which are practically impossible to bruteforce), so they leave and reset the connection. – André Borie Mar 14 '16 at 09:30
  • Ok, but it's the same IP address trying to connect every ~7 seconds for hours and hours. If they were truly giving up, I'd expect that it would be different IP addresses, and that any given IP would only try once. – user14717 Mar 14 '16 at 14:13
  • maybe whoever did this brute force bot didn't account for the fact that some servers may not accept passwords at all, and as a result an exception is constantly triggered every time it connects and so it is stuck in an infinite loop. – André Borie Mar 14 '16 at 14:14
  • The loop is not infinite, after a couple of hours, the bot gives up. However, you could be right that it's a bug in the bot script; though it is one that wastes an enormous amount of attacker resources. – user14717 Mar 14 '16 at 14:17
  • most of these attackers are stupid and don't value their resources. A smart attacker wouldn't "burn" his compromised server by using it for SSH brute force as there is much more valuable info that could be stolen just by keeping low and silently exfiltrating the confidential data from the server. – André Borie Mar 14 '16 at 14:21
  • The attacker seems to own the entire 222.186.xxx.xxx subnet, and is launching attacks of exactly the same signature from many of these addresses. This behavior is inconsistent with attacks launched from a compromised server and more consistent with an organization-sponsored attack. Is this a reasonable suspicion? – user14717 Mar 14 '16 at 14:36
  • Well maybe the whole organisation is pwned and the attackers have access to all their servers. – André Borie Mar 14 '16 at 14:41

1 Answer


You should use grep 'Connection reset' /var/log/auth.log -A 2 (do not use cat since it's not useful, and use -A to get the context above the matched lines).

My guess is that your server is being bruteforced, you should be able to see the attempts with the above command. The attacker is closing the connections as soon as it knows it won't be successful, and retries again and again.

This is something very common, see this question to know how to block them.

Benoit Esnard
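The question asks for a fail2ban rule that catches these pre-auth resets, and the answer points at blocking them. The following is an added example, not code from the question, the answer or the fail2ban project: it re-implements fail2ban's maxretry/findtime sliding window in Python over a constructed auth.log sample (RFC 5737 documentation addresses, one of them repeating the five-resets-in-25-seconds pattern from the question), so you can see exactly which hosts a given threshold would ban before deploying it. The regex also accepts the "Connection closed by ... port N [preauth]" wording newer sshd versions use; that variant is an assumption here, not something the original log shows. The FAIL2BAN_FILTER and FAIL2BAN_JAIL strings hold the equivalent fail2ban configuration; the jail name sshd-preauth and the ban/find times are assumed values to adjust, not settings from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (RFC 5737 addresses, not real hosts).
# 192.0.2.10  : five pre-auth resets within ~25 s, the pattern in the question.
# 203.0.113.5 : five pre-auth resets, but spread over 20 minutes.
# 198.51.100.7: a legitimate key-based user who occasionally drops before auth.
SAMPLE_LOG = """\
Mar 13 19:00:00 server sshd[29101]: Connection reset by 203.0.113.5 [preauth]
Mar 13 19:05:00 server sshd[29120]: Connection reset by 203.0.113.5 [preauth]
Mar 13 19:10:00 server sshd[29142]: Connection reset by 203.0.113.5 [preauth]
Mar 13 19:15:00 server sshd[29170]: Connection reset by 203.0.113.5 [preauth]
Mar 13 19:20:00 server sshd[29199]: Connection reset by 203.0.113.5 [preauth]
Mar 13 19:52:30 server sshd[29366]: Connection reset by 192.0.2.10 [preauth]
Mar 13 19:52:33 server sshd[29370]: Connection reset by 192.0.2.10 [preauth]
Mar 13 19:52:41 server sshd[29374]: Connection reset by 192.0.2.10 [preauth]
Mar 13 19:52:50 server sshd[29378]: Connection reset by 192.0.2.10 [preauth]
Mar 13 19:52:53 server sshd[29381]: Connection reset by 192.0.2.10 [preauth]
Mar 13 19:53:01 server sshd[29385]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2: RSA SHA256:...
Mar 13 19:53:10 server sshd[29390]: Connection closed by 198.51.100.7 [preauth]
Mar 13 20:10:00 server sshd[29400]: Connection closed by 198.51.100.7 [preauth]
"""

# One line that a pre-auth-drop rule should count. "Connection closed by ... port N"
# is the wording of newer sshd releases (assumed here; the question only shows "reset").
PREAUTH_DROP = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'Connection (?:reset|closed) by (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)? \[preauth\]$'
)

# Equivalent fail2ban filter and jail (assumed configuration, not from the original post;
# the jail name "sshd-preauth" is hypothetical). common.conf provides %(__prefix_line)s,
# which matches the "Mar 13 19:52:30 server sshd[29366]: " prefix.
FAIL2BAN_FILTER = r"""
[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)sConnection (?:reset|closed) by <HOST>(?: port \d+)? \[preauth\]$
ignoreregex =
"""

FAIL2BAN_JAIL = r"""
[sshd-preauth]
enabled  = true
port     = ssh
logpath  = /var/log/auth.log
filter   = sshd-preauth
maxretry = 5
findtime = 600
bantime  = 3600
"""


def match_line(line):
    """Return (timestamp text, ip) for a pre-auth reset/close line, else None."""
    m = PREAUTH_DROP.match(line)
    return (m.group('ts'), m.group('ip')) if m else None


def parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies it, as fail2ban assumes the current one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, maxretry=5, findtime=600, year=2016):
    """fail2ban-style sliding window: ban an IP once it produces >= maxretry matching lines
    inside any findtime-second span. Returns {ip: ISO time at which the threshold was hit}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        hit = match_line(line)
        if hit is None or hit[1] in banned:
            continue
        ts, ip = hit
        now = parse_ts(ts, year)
        window = recent[ip]
        window.append(now)
        # Drop entries older than findtime; the entry just appended keeps the deque non-empty.
        while now - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = now.isoformat()
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when})")
```

With the defaults only 192.0.2.10 is banned; 203.0.113.5 never has more than three resets inside any 600-second span, and the legitimate user never reaches the threshold at all. Widening findtime to 1800 seconds also catches the slow host, which is the trade-off to check against your own traffic before copying the jail values: a client behind a flaky link can also trigger a few [preauth] disconnects, so keep maxretry high enough that an occasional drop is harmless.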