Last night I started a t1.micro Ubuntu server instance on Amazon Web Services. The only open port is 22/tcp for ssh.
This evening I connected to the instance to do a bit of experimentation. But ssh to the DNS name mapped to an Elastic IP was failing silently -- why? I could ssh using the actual IP address, so why not a DNS name?
First thing to check is /var/log/auth.log. While that didn't reveal any clues about my particular problem, it looks like my lonely instance attracted some attention earlier in the morning:
Apr 21 16:52:08 ip-10-248-12-144 sshd[1561]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:08 ip-10-248-12-144 sshd[1561]: Invalid user postgres from 69.175.14.226
{above 2 repeated 6 times}
Apr 21 16:52:13 ip-10-248-12-144 sshd[1575]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:13 ip-10-248-12-144 sshd[1575]: Invalid user nagios from 69.175.14.226
{above 2 repeated 7 times}
Apr 21 16:52:19 ip-10-248-12-144 sshd[1592]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:19 ip-10-248-12-144 sshd[1592]: Invalid user prueba from 69.175.14.226
{above 2 repeated 3 times}
Apr 21 16:52:22 ip-10-248-12-144 sshd[1600]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:22 ip-10-248-12-144 sshd[1600]: Invalid user git from 69.175.14.226
{above 2 repeated 17 times}
Apr 21 16:52:34 ip-10-248-12-144 sshd[1636]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:34 ip-10-248-12-144 sshd[1636]: Invalid user tomcat from 69.175.14.226
{above 2 repeated 1 time}
Apr 21 16:52:36 ip-10-248-12-144 sshd[1640]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
{above 1 repeated 3 times}
Apr 21 16:52:38 ip-10-248-12-144 sshd[1648]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:38 ip-10-248-12-144 sshd[1648]: Invalid user oracle from 69.175.14.226
{above 2 repeated 1 time}
Apr 21 16:52:40 ip-10-248-12-144 sshd[1652]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:40 ip-10-248-12-144 sshd[1652]: Invalid user ivan from 69.175.14.226
{above 2 repeated 1 time}
Apr 21 16:52:41 ip-10-248-12-144 sshd[1656]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:41 ip-10-248-12-144 sshd[1656]: Invalid user office from 69.175.14.226
{above 2 repeated 1 time}
Apr 21 16:52:43 ip-10-248-12-144 sshd[1660]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:43 ip-10-248-12-144 sshd[1660]: Invalid user test from 69.175.14.226
{above 2 repeated 1 time}
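As an added example (not part of the original post), here is a small Python script that aggregates the sshd "Invalid user" and reverse-mapping lines above per source address, so a username sweep like the one logged here stands out from a single mistyped login. The log lines are constructed in the same format as the excerpt; the 198.51.100.7 and 203.0.113.10 entries are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the auth.log excerpt above;
# the last two lines are invented to show a successful key login and a lone miss.
SAMPLE_LOG = """\
Apr 21 16:52:08 ip-10-248-12-144 sshd[1561]: reverse mapping checking getaddrinfo for svfinapp.svfin.org [69.175.14.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 21 16:52:08 ip-10-248-12-144 sshd[1561]: Invalid user postgres from 69.175.14.226
Apr 21 16:52:13 ip-10-248-12-144 sshd[1575]: Invalid user nagios from 69.175.14.226
Apr 21 16:52:22 ip-10-248-12-144 sshd[1600]: Invalid user git from 69.175.14.226
Apr 21 16:52:22 ip-10-248-12-144 sshd[1601]: Invalid user git from 69.175.14.226
Apr 21 16:55:00 ip-10-248-12-144 sshd[1700]: Accepted publickey for ubuntu from 203.0.113.10 port 51234 ssh2
Apr 21 16:55:10 ip-10-248-12-144 sshd[1710]: Invalid user admin from 198.51.100.7
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
RDNS_FAIL = re.compile(r"reverse mapping checking getaddrinfo for (\S+) \[(\d+\.\d+\.\d+\.\d+)\] failed")

def summarize(log_text):
    """Per source IP: number of invalid-user attempts, distinct usernames tried,
    and whether sshd logged a reverse-DNS mismatch for that address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "rdns_fail": False})
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["attempts"] += 1
            stats[ip]["users"].add(user)
            continue
        m = RDNS_FAIL.search(line)
        if m:
            stats[m.group(2)]["rdns_fail"] = True
    # Freeze the username sets into sorted lists so results are deterministic.
    return {ip: {"attempts": s["attempts"], "users": sorted(s["users"]),
                 "rdns_fail": s["rdns_fail"]} for ip, s in stats.items()}

def flag_scanners(summary, threshold=3):
    """Addresses with at least `threshold` attempts spread over two or more
    usernames: a username sweep, not one person fat-fingering a login."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= threshold and len(s["users"]) >= 2)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in flag_scanners(summary):
        s = summary[ip]
        print(f"{ip}: {s['attempts']} attempts, users={s['users']}, rdns_fail={s['rdns_fail']}")
```

Point it at the real file with `summarize(open("/var/log/auth.log").read())`; the "Accepted publickey" line is deliberately ignored, since only failed guesses are of interest here.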
Turns out I was trapped in some kind of weird Yakuake limbo; after typing "exit" a number of times in my window, ssh started working. (I don't understand that, but oh well.)
Here's some info on the source:
ubuntu@ip-10-248-12-144:~$ whois 69.175.14.226
NetRange: 69.175.0.0 - 69.175.127.255
CIDR: 69.175.0.0/17
OriginAS: AS32475
NetName: SINGLEHOP
NetHandle: NET-69-175-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
RegDate: 2009-05-04
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-69-175-0-0-1
OrgName: SingleHop, Inc.
OrgId: SINGL-8
Address: 621 W. Randolph St.
Address: 3rd Floor
City: Chicago
StateProv: IL
PostalCode: 60661
Country: US
RegDate: 2007-03-07
Updated: 2010-03-23
Comment: http://www.singlehop.com/
Ref: http://whois.arin.net/rest/org/SINGL-8
ReferralServer: rwhois://rwhois.singlehop.net:4321
OrgAbuseHandle: ABUSE2492-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-866-817-2811
OrgAbuseEmail: abuse@singlehop.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE2492-ARIN
OrgTechHandle: NETWO1546-ARIN
OrgTechName: Network Operations
OrgTechPhone: +1-866-817-2811
OrgTechEmail: netops@singlehop.com
OrgTechRef: http://whois.arin.net/rest/poc/NETWO1546-ARIN
OrgNOCHandle: NETWO1546-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-866-817-2811
OrgNOCEmail: netops@singlehop.com
OrgNOCRef: http://whois.arin.net/rest/poc/NETWO1546-ARIN
RTechHandle: NETWO1546-ARIN
RTechName: Network Operations
RTechPhone: +1-866-817-2811
RTechEmail: netops@singlehop.com
RTechRef: http://whois.arin.net/rest/poc/NETWO1546-ARIN
RNOCHandle: NETWO1546-ARIN
RNOCName: Network Operations
RNOCPhone: +1-866-817-2811
RNOCEmail: netops@singlehop.com
RNOCRef: http://whois.arin.net/rest/poc/NETWO1546-ARIN
RAbuseHandle: NETWO1546-ARIN
RAbuseName: Network Operations
RAbusePhone: +1-866-817-2811
RAbuseEmail: netops@singlehop.com
RAbuseRef: http://whois.arin.net/rest/poc/NETWO1546-ARIN
Found a referral to rwhois.singlehop.net:4321.
%rwhois V-1.5:003eff:00 rwhois.singlehop.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:ORG-SINGL-8.69-175-14-224/29
network:Auth-Area:69.175.0.0/17
network:IP-Network:69.175.14.224/29
network:Organization:Sovereign Financial
network:Street-Address:1538 S. El Camino Real #309
network:City:San Mateo
network:State:Ca
network:Postal-Code:94402
network:Country-Code:US
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20100810
network:Updated:20100810
%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok
ubuntu@ip-10-248-12-144:~$ whois svfin.org
Domain ID:D158880942-LROR
Domain Name:SVFIN.ORG
Created On:15-Apr-2010 03:10:01 UTC
Last Updated On:09-Apr-2012 17:13:15 UTC
Expiration Date:15-Apr-2013 03:10:01 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR45828776
Registrant Name:Registration Private
Registrant Organization:Domains By Proxy, LLC
Registrant Street1:DomainsByProxy.com
Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Registrant Street3:
Registrant City:Scottsdale
Registrant State/Province:Arizona
Registrant Postal Code:85260
Registrant Country:US
Registrant Phone:+1.4806242599
Registrant Phone Ext.:
Registrant FAX:+1.4806242598
Registrant FAX Ext.:
Registrant Email:SVFIN.ORG@domainsbyproxy.com
Admin ID:CR45828778
Admin Name:Registration Private
Admin Organization:Domains By Proxy, LLC
Admin Street1:DomainsByProxy.com
Admin Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Admin Street3:
Admin City:Scottsdale
Admin State/Province:Arizona
Admin Postal Code:85260
Admin Country:US
Admin Phone:+1.4806242599
Admin Phone Ext.:
Admin FAX:+1.4806242598
Admin FAX Ext.:
Admin Email:SVFIN.ORG@domainsbyproxy.com
Tech ID:CR45828777
Tech Name:Registration Private
Tech Organization:Domains By Proxy, LLC
Tech Street1:DomainsByProxy.com
Tech Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Tech Street3:
Tech City:Scottsdale
Tech State/Province:Arizona
Tech Postal Code:85260
Tech Country:US
Tech Phone:+1.4806242599
Tech Phone Ext.:
Tech FAX:+1.4806242598
Tech FAX Ext.:
Tech Email:SVFIN.ORG@domainsbyproxy.com
Name Server:NS66.DOMAINCONTROL.COM
Name Server:NS65.DOMAINCONTROL.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
Someone hiding behind GoDaddy -- can't say I'm surprised. What a shady outfit.
I entered a search string containing all those user IDs, and the cause appears to be an automated source: there are lots of similar reports, including one person who publishes an auto-log of failed authentication attempts.
It's common knowledge -- or should be, anyway -- that AWS requires the use of public/private key pairs for ssh-ing into instances, so these "attackers" targeting AWS must really be morons.