Chinese University hacking attempt via SSH

Asked by Visitek

It seems the SSH logs are reporting a hacking attempt from Xiamen University Zhangzhou Campus.

What can I do about this?

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Adam Cajander
#1 Adam Cajander (cajander1111) said:

What kind of attack are they using?

#2 Visitek (ianh-visitek) said:

Brute force by the looks .. trying different user names .. going through the alphabet.

e.g.
Failed password for invalid user subscribe from 59.xx.xx.xx port 39053 ssh2
every 5 seconds.

#3 Visitek (ianh-visitek) said:

In the last 24 hours I have had the following hack attempts from:

CHINANET Sichuan province network
Beijing

and currently this one:
Xiamen University Zhangzhou Campus

The same type of attack each time.

How can I block China from all SSH logins?

#4 (Best answer) Adam Cajander (cajander1111) said:

Do you have DenyHosts installed?

sudo apt-get install denyhosts

Then configure the /etc/denyhosts.conf file to suit your needs.

#5 Adam Cajander (cajander1111) said:

Some more info for you from http://denyhosts.sourceforge.net

How does DenyHosts work?

When run for the first time, DenyHosts will create a work directory. The work directory will ultimately store the data collected and the files are in a human readable format, for easy editing, if necessary.

DenyHosts then processes the sshd server log (typically, this is /var/log/secure, /var/log/auth.log, etc.) and determines which hosts have unsuccessfully attempted to gain access to the ssh server. Additionally, it notes the user and whether or not that user is root, otherwise valid (e.g. has a system account) or invalid (e.g. does not have a system account).

When DenyHosts determines that a given host has attempted to login using a non-existent user account a configurable number of attempts (this is known as the DENY_THRESHOLD_INVALID), DenyHosts will add that host to the /etc/hosts.deny file. This will prevent that host from contacting your sshd server again.

The DENY_THRESHOLD_ROOT configuration value specifies the maximum acceptable times that the root user account can fail to login before being blocked. Typically this value is set lower than DENY_THRESHOLD_INVALID such that root level attackers are blocked earlier than other accounts. It is also a good practice to disable root logins within the sshd.conf file in conjunction with this setting. By doing so, no user can login to root@your-server and their host will be blocked from attacking other user accounts when the DENY_THRESHOLD_ROOT is reached.

The DENY_THRESHOLD_VALID configuration value specifies the maximum acceptable times a valid user (i.e. a user that exists in /etc/passwd) can fail to login before being blocked. This parameter can be helpful for those with "fat fingers". Typically this value is set higher than DENY_THRESHOLD_INVALID.

Also, DenyHosts will note any successful logins that occurred by a host that has exceeded the deny_threshold. These are known as suspicious logins and should be investigated further by the system admin.
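To make the threshold logic from posts #4 and #5 concrete, here is an added example (not DenyHosts' own code, and not from anyone in this thread) that walks a handful of constructed sshd log lines in the format quoted in post #2, classifies each failed attempt as root, valid or invalid exactly as the text above describes, blocks a host once it crosses the matching DENY_THRESHOLD_* value, and flags a later successful login from an already-blocked host as "suspicious". The threshold numbers, the VALID_USERS set standing in for /etc/passwd, and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Thresholds named after the DenyHosts parameters described above. The numbers
# are values chosen for this demonstration, not read from any real denyhosts.conf.
DENY_THRESHOLD_INVALID = 5   # attempts against accounts that do not exist
DENY_THRESHOLD_ROOT = 1      # attempts against root
DENY_THRESHOLD_VALID = 10    # attempts against real accounts ("fat fingers")

# Constructed stand-in for /etc/passwd: the accounts that exist on the box.
VALID_USERS = {"root", "ian", "backup"}

# sshd message formats as they appear in /var/log/auth.log; the syslog prefix
# (timestamp, host, "sshd[pid]:") is allowed because we use re.search().
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<host>\S+) port \d+ ssh2"
)

THRESHOLDS = {
    "root": DENY_THRESHOLD_ROOT,
    "valid": DENY_THRESHOLD_VALID,
    "invalid": DENY_THRESHOLD_INVALID,
}


def classify(user, flagged_invalid):
    """Return 'root', 'valid' or 'invalid' for the user name of one attempt."""
    if user == "root":
        return "root"
    # sshd already says "invalid user" for unknown names; the passwd check
    # catches names sshd accepted as syntactically valid but that are not local.
    if flagged_invalid or user not in VALID_USERS:
        return "invalid"
    return "valid"


def analyse(log_lines):
    """Walk the log in order.

    Returns (denied, suspicious, failures):
      denied     - hosts in the order they crossed a threshold
      suspicious - (host, user) for successful logins from an already-denied host
      failures   - host -> category -> failed-attempt count
    """
    failures = defaultdict(lambda: defaultdict(int))
    denied = []
    suspicious = []
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            host = m.group("host")
            cat = classify(m.group("user"), m.group("invalid") is not None)
            failures[host][cat] += 1
            if failures[host][cat] >= THRESHOLDS[cat] and host not in denied:
                denied.append(host)
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group("host") in denied:
            suspicious.append((m.group("host"), m.group("user")))
    return denied, suspicious, failures


def hosts_deny_lines(denied):
    """Render the /etc/hosts.deny entries that would block sshd for each host."""
    return ["sshd: %s" % host for host in denied]


# Constructed sample log: an alphabetical user-name sweep from one host, a
# legitimate user mistyping a password twice, one root attempt, and a later
# successful login from the host that made the root attempt.
SAMPLE_LOG = [
    "Jan 14 03:12:01 web1 sshd[2211]: Failed password for invalid user aaron from 203.0.113.7 port 39053 ssh2",
    "Jan 14 03:12:06 web1 sshd[2212]: Failed password for invalid user abe from 203.0.113.7 port 39054 ssh2",
    "Jan 14 03:12:11 web1 sshd[2213]: Failed password for invalid user abigail from 203.0.113.7 port 39055 ssh2",
    "Jan 14 03:12:16 web1 sshd[2214]: Failed password for invalid user adam from 203.0.113.7 port 39056 ssh2",
    "Jan 14 03:12:21 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 39057 ssh2",
    "Jan 14 03:12:30 web1 sshd[2220]: Failed password for ian from 192.0.2.5 port 50122 ssh2",
    "Jan 14 03:12:35 web1 sshd[2221]: Failed password for ian from 192.0.2.5 port 50123 ssh2",
    "Jan 14 03:12:40 web1 sshd[2222]: Accepted password for ian from 192.0.2.5 port 50124 ssh2",
    "Jan 14 03:13:00 web1 sshd[2230]: Failed password for root from 198.51.100.9 port 41000 ssh2",
    "Jan 14 03:13:20 web1 sshd[2231]: Accepted password for backup from 198.51.100.9 port 41001 ssh2",
]

if __name__ == "__main__":
    denied, suspicious, failures = analyse(SAMPLE_LOG)
    print("would append to /etc/hosts.deny:")
    for entry in hosts_deny_lines(denied):
        print("  " + entry)
    print("suspicious logins to investigate:", suspicious)
    print("fat-finger failures from 192.0.2.5:", dict(failures["192.0.2.5"]))
```

Running it shows the sweeping host blocked after its fifth invalid-user failure, the root prober blocked after a single attempt, the real user left alone at two failures (well under DENY_THRESHOLD_VALID), and the later "Accepted password for backup" from the blocked host reported as a suspicious login worth a closer look.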

#6 Visitek (ianh-visitek) said:

I'm getting "Segmentation faulty tree... 50%" whenever I try to use apt-get at the moment.

I'm running Ubuntu 10.10 .. when I try to do "do-release-upgrade" it says "No new release found".

Any suggestions?

#7 Warren Hill (warren-hill) said:

Maverick Meerkat is not supported any more, not since April last year. This is probably why you can't update.

I suggest you back up, then do a clean install of 12.04; the download is available here:

http://releases.ubuntu.com/precise/

Alternatively go for 12.10, but you will need to upgrade sooner.

#8 Visitek (ianh-visitek) said:

I'm running 12.04 on the other server and get the following:

Err http://au.archive.ubuntu.com/ubuntu/ precise/universe denyhosts all 2.6-10
  Temporary failure resolving 'au.archive.ubuntu.com'
Failed to fetch http://au.archive.ubuntu.com/ubuntu/pool/universe/d/denyhosts/denyhosts_2.6-10_all.deb Temporary failure resolving 'au.archive.ubuntu.com'

I've had this type of error for days now .. should I change where apt-get updates from?

To what?

#9 Adam Cajander (cajander1111) said:

Here is a link to the .deb package for 12.04:

http://archive.ubuntu.com/ubuntu/pool/universe/d/denyhosts/denyhosts_2.6-10_all.deb

Download and save it to your "Downloads" folder (or another folder of your choice),

then in terminal type:

sudo dpkg -i ~/Downloads/denyhosts_2.6-10_all.deb

I used Downloads as an example; if you did save it there, copy and paste; if you saved it to another folder, just substitute it for "Downloads".

We will work on the apt-get errors after you get this out of the way.

Thanks

#10 Adam Cajander (cajander1111) said:

Just thinking... did you set up a firewall to try to combat the hackers? If you did, it may be the reason for your "Temporary failure resolving 'au.archive.ubuntu.com'" problem. Try disabling your firewall if you have one.

#11 Visitek (ianh-visitek) said:

I have 3 Ubuntu servers in different locations .. none of them can use apt-get successfully [Ubuntu 10.10, 12.04 and 12.04].
I'm getting "Temporary failure resolving 'au.archive.ubuntu.com'" on all of them.
I notice that all of them in recent history have had SSH hacking attempts .. mostly from China as far as I can tell .. they never seem to give up trying to brute force hack.

I've tried to look online to find a solution to the apt-get issue but to no avail. I have to load onto a USB drive and copy on-site to get the denyhosts package installed .. I suppose.

BTW .. thanks for the help, much appreciated ..

#12 Visitek (ianh-visitek) said:

Curiously I wrote the name servers into /etc/resolv.conf .. and now apt-get works ... that is the file that says "DO NOT WRITE ... IT WILL BE OVERWRITTEN".

And now apt-get is working ... not sure what is going on there.

Can anyone tell me why we should not write to that file .. why it's overwritten ...

Presumably this file is set from somewhere else .. for some good reason .. can anyone tell me from where .. so I can set settings properly?

Thanks

#13 Visitek (ianh-visitek) said:

Thanks again, I managed to install .. and will see what happens.

All current issues solved .. I think I owe all the contributors.

#14 Visitek (ianh-visitek) said:

Thanks Adam Cajander, that solved my question.