authentication error for root

My Console log is reporting


Aug 26 09:51:51 dusty.soc.surrey.ac.uk sshd[55759]: error: PAM: authentication error for root from 43.229.53.61 via xxx.xxx.xxx.xxx

Aug 26 09:51:52 --- last message repeated 2 times ---

Aug 26 09:51:52 dusty.soc.surrey.ac.uk sshd[55759]: Received disconnect from 43.229.53.61: 11: [preauth]

Aug 26 09:51:52 dusty com.apple.xpc.launchd[1] (com.openssh.sshd.A47023ED-BE65-4C76-9B00-29758E252D09[55759]): Service exited with abnormal code: 255

Aug 26 09:51:52 dusty com.apple.xpc.launchd[1] (com.openssh.sshd.20454266-7548-4986-9D89-85429AA7E981): Service instances do not support events yet.


every few seconds (I have replaced my IP address with xxx.xxx.xxx.xxx in the above). I assume that this indicates that someone is trying to crack the root password (but failing so far).


It is a nuisance to have the log filled up with such messages. Is there a way of stopping access before the remote host gets to try ssh passwords? Note that my Mac mini is acting as a web server, and I need to have ssh access to it to maintain it (so I can't just disable sshd).

Mac mini, OS X Yosemite (10.10.5)

Posted on Aug 26, 2015 1:59 AM

Question marked as Best reply

Posted on Aug 26, 2015 2:30 AM

If the attacking IP address - as shown in your log this is 43.229.53.61 - is the same every single time, then you could set your firewall to block that IP address completely. You could also look up the ISP for that address and report the attack to them and they may disconnect that customer.


Indeed a quick Google search seems to show that 43.229.53.61 is a notorious address and is located in Hong Kong and that the ISP is Hot Net Limited.


See http://www.abuseipdb.com/report-history/43.229.53.61


You might want to think about setting up a VPN server. Then you can still allow HTTP access for everyone, but limit SSH access to only you and only via the VPN connection. This is not a complete cure as the scum out there will of course try to hack your VPN but it will help.


Aug 26, 2015 6:08 AM in response to Nigel Gilbert

Whenever an anonymous stranger asks you to download software from an Internet site, be very wary. This can be an effective attack vector; if chosen with malicious intent or insufficient knowledge, it can be used to cripple your Mac. Ensure that the person who posts it leaves a method of contact for you to use in the event that something goes wrong, and always back up your Mac before running any downloaded software that claims to 'protect' your Mac.

Aug 26, 2015 6:22 AM in response to Linc Davis

Linc Davis wrote:


There is no point in manually blocking crackers, because the attempts could come from any of millions of addresses all over the world. You can use something like this:


http://www.sshguard.net/


Normally you would be absolutely right; however, in this case there does appear to have been a prolonged period of attacks from the same single IP address as per http://www.abuseipdb.com/report-history/43.229.53.61 so in this case it might be worth trying.


I would also still recommend the use of a VPN server and not allowing SSH directly via the Internet. As a general principle one should only enable Internet access to the bare minimum needed of network ports and use a VPN for everything else. In this case I don't believe Internet access for SSH is needed and can be done instead via a VPN connection.
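
Added example, not part of any poster's reply and not sshguard's own code: a per-source tally of the failed-login lines quoted in the question, which shows whether the attempts come from one address or many before deciding what to block. The first three sample lines are from the thread; the remaining lines, the address 203.0.113.7 and the threshold of 5 are constructed assumptions.

```python
import re
from collections import Counter

# sshd PAM failure line, in the format quoted in the question.
FAIL = re.compile(
    r"sshd\[\d+\]: error: PAM: authentication error for "
    r"(?P<user>\S+) from (?P<src>\S+)")
# syslog collapses identical consecutive lines into this marker.
REPEAT = re.compile(r"--- last message repeated (\d+) times? ---")

# First three lines come from the question; the rest are constructed.
SAMPLE_LOG = """\
Aug 26 09:51:51 dusty.soc.surrey.ac.uk sshd[55759]: error: PAM: authentication error for root from 43.229.53.61 via xxx.xxx.xxx.xxx
Aug 26 09:51:52 --- last message repeated 2 times ---
Aug 26 09:51:52 dusty.soc.surrey.ac.uk sshd[55759]: Received disconnect from 43.229.53.61: 11: [preauth]
Aug 26 09:51:53 --- last message repeated 1 time ---
Aug 26 09:51:58 dusty.soc.surrey.ac.uk sshd[55770]: error: PAM: authentication error for root from 43.229.53.61 via xxx.xxx.xxx.xxx
Aug 26 09:51:59 --- last message repeated 2 times ---
Aug 26 09:52:03 dusty.soc.surrey.ac.uk sshd[55781]: error: PAM: authentication error for admin from 203.0.113.7 via xxx.xxx.xxx.xxx
"""


def failed_logins(log_text):
    """Count failed sshd logins per (source, user), honouring repeat markers."""
    counts = Counter()
    last_key = None  # key of the previous message if it was a failure
    for line in log_text.splitlines():
        repeat = REPEAT.search(line)
        if repeat:
            # Only a repeated *failure* adds attempts; a repeated
            # "Received disconnect" line must not inflate the tally.
            if last_key is not None:
                counts[last_key] += int(repeat.group(1))
            continue
        match = FAIL.search(line)
        last_key = (match.group("src"), match.group("user")) if match else None
        if last_key:
            counts[last_key] += 1
    return counts


def sources_over(counts, threshold):
    """Source addresses whose total failures reach the threshold, sorted."""
    per_source = Counter()
    for (src, _user), n in counts.items():
        per_source[src] += n
    return sorted(src for src, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    print(sources_over(failed_logins(SAMPLE_LOG), threshold=5))
```
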

Aug 27, 2015 7:57 AM in response to Nigel Gilbert

Nigel Gilbert wrote:


While in general I'm sure you are right to be cautious about accepting recommendations, in this case I haven't found any reason to be suspicious of sshguard, and note that it is available not only from its own web site, but also through Mac Ports and Homebrew. I have installed the Mac Ports version and will monitor it to see how it does.

It is not sshguard that you should be cautious of.
