Decoding “POSSIBLE BREAK-IN ATTEMPT” in /var/log/secure: SSH Security Analysis & Mitigation Strategies


The log message "POSSIBLE BREAK-IN ATTEMPT" appears when your SSH server (sshd) detects suspicious activity during the reverse DNS lookup process. This specific warning triggers when:

  • The client IP fails reverse DNS resolution (PTR record lookup)
  • The forward DNS confirmation (A/AAAA record) doesn't match the original IP
  • Common brute-force patterns are detected

Your logs show a classic brute-force pattern from IP 222.237.78.139:

Invalid user edu1
Invalid user test1 
Invalid user test

Each attempt triggers the warning because:

  1. The PTR record (222-237-78-139.tongkni.co.kr) exists but fails getaddrinfo() verification
  2. The attacker cycles through common username guesses
  3. All attempts disconnect immediately after failure (Bye Bye)

While your key-based auth prevented access, the exposure still creates risks:

Risk                     Severity
SSH service discovery    Medium
Brute-force attempts     High
Log spam filling disks   Low

1. Restore iptables rules:

# Sample rules to restrict SSH access
iptables -A INPUT -p tcp --dport 22 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

2. Enhance sshd_config:

# /etc/ssh/sshd_config additions
MaxAuthTries 3
LoginGraceTime 1m
PermitRootLogin no
# Disables the reverse DNS check (comments must sit on their own line in sshd_config)
UseDNS no

For CentOS 5.x systems, consider these additional measures:

Fail2Ban implementation:

# fail2ban jail.local snippet
[sshd]
enabled = true
maxretry = 3
findtime = 3600
bantime = 86400

Port knocking setup:

# Example knockd configuration
[options]
    UseSyslog

[openSSH]
    sequence = 7000,8000,9000
    seq_timeout = 5
    command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Create a monitoring script for /var/log/secure:

#!/bin/bash
# monitor_ssh_attempts.sh
LOG_FILE="/var/log/secure"
ALERT_THRESHOLD=5
count=0   # must be initialised, otherwise the first [ -gt ] test errors out

tail -Fn0 "$LOG_FILE" | while read -r line ; do
  # -q counts the match instead of echoing the matching line
  if echo "$line" | grep -q "POSSIBLE BREAK-IN ATTEMPT"; then
    count=$((count + 1))
  fi
  if [ "$count" -gt "$ALERT_THRESHOLD" ]; then
    echo "SSH brute force detected: $count attempts" | mail -s "SSH Alert" admin@example.com
    count=0
  fi
done

  • Migrate from CentOS 5.x (EOL since 2017)
  • Implement SSH certificate-based authentication
  • Consider moving SSH to non-standard port (weigh pros/cons)
  • Set up centralized logging for multiple servers
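The check behind the warning, as an added stand-alone model written for this page after the logic of OpenSSH's get_remote_hostname() in canohost.c (it is not OpenSSH code): the two resolver tables are constructed stand-ins for real PTR and A lookups, and only 222.237.78.139 and its PTR name come from the log above.

```python
# Model of the reverse-mapping check sshd runs on every connection when UseDNS is on.
# Constructed lookup tables; a real sshd calls getnameinfo()/getaddrinfo() instead.
PTR_RECORDS = {
    "222.237.78.139": "222-237-78-139.tongkni.co.kr",  # PTR name from the log above
    "198.51.100.7": "host7.example.net",                # constructed
    "192.0.2.10": "bastion.example.net",                # constructed
    # 203.0.113.9 deliberately has no PTR record
}
A_RECORDS = {
    "host7.example.net": ["198.51.100.8"],   # forward answer does not contain the client IP
    "bastion.example.net": ["192.0.2.10"],   # consistent forward/reverse pair
    # 222-237-78-139.tongkni.co.kr deliberately resolves to nothing
}

def reverse_lookup(ip):
    return PTR_RECORDS.get(ip)

def forward_lookup(name):
    if name not in A_RECORDS:
        raise LookupError(name)  # stands in for getaddrinfo() returning an error
    return A_RECORDS[name]

def check_reverse_mapping(ip):
    """Return (name sshd will use for the client, warning logged or None).

    sshd trusts the PTR name only if a forward lookup of that name yields the
    original address; on any failure it falls back to the bare IP address."""
    name = reverse_lookup(ip)
    if name is None:
        return ip, None  # no PTR at all: the IP is used and nothing is logged
    try:
        addresses = forward_lookup(name)
    except LookupError:
        # This is the message in the log above: the PTR name has no forward record.
        return ip, (f"reverse mapping checking getaddrinfo for {name} failed"
                    " - POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addresses:
        # Forward record exists but points elsewhere: the other variant of the warning.
        return ip, (f"Address {ip} maps to {name}, but this does not map back"
                    " to the address - POSSIBLE BREAK-IN ATTEMPT!")
    return name, None

if __name__ == "__main__":
    for client in ("222.237.78.139", "198.51.100.7", "203.0.113.9", "192.0.2.10"):
        print(client, "->", check_reverse_mapping(client))
```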

The "POSSIBLE BREAK-IN ATTEMPT!" message in your /var/log/secure indicates that your SSH server detected suspicious activity during a connection attempt. Specifically, this warning appears when:

  1. A client connects to your SSH service
  2. The server attempts reverse DNS lookup (PTR record) for the client's IP
  3. The lookup fails or returns inconsistent results

From your logs, we can see a pattern of failed brute-force attempts:

Apr 10 06:39:27 echo sshd[22297]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 06:39:31 echo sshd[22324]: Invalid user edu1 from 222.237.78.139
Apr 10 06:39:35 echo sshd[22336]: Invalid user test1 from 222.237.78.139

The attacker is trying common usernames (edu1, test1, etc.) from IP 222.237.78.139. The break-in attempt warning appears because the reverse DNS lookup for this IP failed.

While concerning, this doesn't necessarily mean a successful breach:

  • Failed Authentication: All attempts show "Invalid user"
  • Key-based Protection: Your SSH authorized_keys requirement prevented access
  • Common Attack Pattern: This is typical bot behavior scanning for weak credentials

Here are concrete steps to improve your SSH security:

1. Implement Fail2Ban

Automatically block repeated failed attempts:

# Install fail2ban
yum install fail2ban

# Configure SSH protection
cat > /etc/fail2ban/jail.local << EOF
[sshd]
enabled = true
maxretry = 3
bantime = 86400
EOF

service fail2ban start
chkconfig fail2ban on

2. Change SSH Port and Use Firewall Rules

# Edit SSH config
sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config

# Update iptables
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
service iptables save
service sshd restart

3. Enable Two-Factor Authentication

Add Google Authenticator for additional security:

# Install required packages
yum install google-authenticator

# Configure for SSH
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
service sshd restart

Create a monitoring script to track SSH attempts:

#!/bin/bash
# Monitor SSH break-in attempts
LOGFILE="/var/log/secure"
PATTERN="POSSIBLE BREAK-IN ATTEMPT"

tail -fn0 "$LOGFILE" | \
while read -r line ; do
    if echo "$line" | grep -q "$PATTERN"; then
        SRC=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}')
        # Older sshd versions (as in the log above) print only the PTR name, not the IP
        [ -z "$SRC" ] && SRC=$(echo "$line" | sed -n 's/.*getaddrinfo for \([^ ]*\) failed.*/\1/p')
        echo "[$(date)] Possible intrusion from ${SRC:-unknown} - $line"
        # Optional: Add auto-blocking here
    fi
done

  • Regularly update SSH and system packages
  • Disable password authentication completely (PasswordAuthentication no in sshd_config)
  • Implement port knocking for additional obscurity
  • Consider setting up VPN access instead of exposed SSH
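Both monitoring scripts above react to single lines; the added example below (not from either answer) applies the fail2ban rule they are paired with (maxretry = 3 failures inside findtime = 3600 seconds) to constructed sample lines in the same /var/log/secure format, so the threshold logic can be checked offline. The year passed to parse_ts is an assumption, since syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the /var/log/secure format quoted above: the 06:39
# lines mirror the log in the answers, the rest are made up for this example.
SAMPLE_LOG = """\
Apr 10 06:39:27 echo sshd[22297]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 06:39:31 echo sshd[22324]: Invalid user edu1 from 222.237.78.139
Apr 10 06:39:35 echo sshd[22336]: Invalid user test1 from 222.237.78.139
Apr 10 06:39:39 echo sshd[22340]: Invalid user test from 222.237.78.139
Apr 10 06:39:43 echo sshd[22348]: Failed password for invalid user test from 222.237.78.139 port 40112 ssh2
Apr 10 08:02:10 echo sshd[23001]: Invalid user oracle from 198.51.100.7
Apr 10 09:15:02 echo sshd[23117]: Invalid user oracle from 198.51.100.7
Apr 10 10:30:44 echo sshd[23260]: Invalid user oracle from 198.51.100.7
Apr 10 11:00:00 echo sshd[23300]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Every line that records one failed attempt; "Invalid user" and "Failed password" both count.
FAIL_RE = re.compile(r"^(?:Invalid user \S+|Failed password for .+?) from (?P<ip>\d+(?:\.\d+){3})")

def parse_ts(stamp, year=2024):
    """Syslog stamps carry no year, so the caller supplies one (2024 assumed here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def failed_logins(log_text):
    """Yield (timestamp, ip) for each failed-login line, skipping everything else."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        f = FAIL_RE.match(m.group("msg")) if m else None
        if f:
            yield parse_ts(m.group("ts")), f.group("ip")

def offending_ips(log_text, maxretry=3, findtime=3600):
    """fail2ban-style rule: flag an IP once it reaches `maxretry` failures inside a
    sliding window of `findtime` seconds. Returns {ip: time the rule first fired}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # ip -> failure times still inside the window
    flagged = {}
    for ts, ip in failed_logins(log_text):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry and ip not in flagged:
            flagged[ip] = ts.strftime("%b %d %H:%M:%S")
    return flagged

if __name__ == "__main__":
    for ip, when in offending_ips(SAMPLE_LOG).items():
        print(f"{ip}: reached maxretry at {when}, fail2ban would ban it for bantime seconds")
```

The slow 198.51.100.7 guesses (one per hour or more apart) never reach three failures inside one findtime window, which is exactly the gap a findtime that is too short leaves open.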