Security Basics mailing list archives
RE: what to do?
From: Eduardo Suzuki <eduardo.ac.suzuki () gmail com>
Date: Tue, 30 Aug 2005 07:15:44 -0300
In this case make sure SSH is configured to use TCP Wrappers. If it's not, it'll bypass hosts.allow and hosts.deny. Another possibility is to block the suspicious IP addresses on your border firewall. If it's not under your responsibility, install some filtering mechanism (e.g. iptables) on the SSH machine and filter out the suspicious IP addresses.

Regards,
Eduardo Suzuki
esuzuki_br () pop com br
Eduardo.AC.Suzuki () gmail com

-----Original Message-----
From: Jonathan Loh [mailto:kj6loh () yahoo com]
Sent: Saturday, August 27, 2005 1:05 AM
To: Bill Smith; security-basics () securityfocus com
Subject: Re: what to do?

You could deny the host by entering ALL:80.68.204.50 in /etc/hosts.deny, or, if this is your private machine, do what I do: in /etc/hosts.allow enter all the IPs (ranges, hosts), and in /etc/hosts.deny deny everybody. I.e.

/etc/hosts.allow
sshd:a.b.c.d e.f.g.h/snm [EXCEPT i.j.k.l[/snm]]

and in /etc/hosts.deny
ALL:ALL

This way you are only allowing various hosts access to your machine. This of course will not block IP spoofing, but it will stop a lot of the attacks. If this is a corporate machine, I would do it the first way.

--- Bill Smith <vinet138 () yahoo com> wrote:

> Hi Guys,
>
> I noticed that someone is trying to hack into my machine. Please see below the content of /var/log/security. What I would like some advice from you guys on is: what will I do with these people?
>
> btw, I do have FW
>
> Cheers,
> Bill
>
> Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50
> Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50
> Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50
> Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50
> Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf from 80.68.204.50
> Aug 24 17:56:32 tiger sshd[8239]: Invalid user goose from 80.68.204.50
> Aug 24 17:56:32 tiger sshd[8241]: Invalid user goose from 80.68.204.50
> Aug 24 17:56:33 tiger sshd[8243]: Invalid user goose from 80.68.204.50
> Aug 24 17:56:34 tiger sshd[8245]: Invalid user gorges from 80.68.204.50
> Aug 24 17:56:35 tiger sshd[8247]: Invalid user gorges from 80.68.204.50
> Aug 24 17:56:35 tiger sshd[8249]: Invalid user gorges from 80.68.204.50
> Aug 24 17:56:36 tiger sshd[8251]: Invalid user gosling from 80.68.204.50
> Aug 24 17:56:37 tiger sshd[8253]: Invalid user gosling from 80.68.204.50
> Aug 24 17:56:38 tiger sshd[8255]: Invalid user gosling from 80.68.204.50
> Aug 24 17:56:38 tiger sshd[8257]: Invalid user gouge from 80.68.204.50
> Aug 24 17:56:39 tiger sshd[8259]: Invalid user gouge from 80.68.204.50
> Aug 24 17:56:40 tiger sshd[8261]: Invalid user gouge from 80.68.204.50
> Aug 24 17:56:40 tiger sshd[8263]: Invalid user graham from 80.68.204.50
> Aug 24 17:56:41 tiger sshd[8265]: Invalid user graham from 80.68.204.50
> Aug 24 17:56:42 tiger sshd[8267]: Invalid user graham from 80.68.204.50
> Aug 24 17:56:42 tiger sshd[8269]: Invalid user grahm from 80.68.204.50
> Aug 24 17:56:43 tiger sshd[8271]: Invalid user grahm from 80.68.204.50
> Aug 24 17:56:44 tiger sshd[8273]: Invalid user grahm from 80.68.204.50
> Aug 24 17:56:44 tiger sshd[8275]: Invalid user grandpa from 80.68.204.50
> Aug 24 17:56:45 tiger sshd[8277]: Invalid user grandpa from 80.68.204.50
> Aug 24 17:56:46 tiger sshd[8279]: Invalid user grandpa from 80.68.204.50
> Aug 24 17:56:47 tiger sshd[8281]: Invalid user green from 80.68.204.50
> Aug 24 17:56:48 tiger sshd[8283]: Invalid user green from 80.68.204.50
> Aug 24 17:56:48 tiger sshd[8285]: Invalid user green from 80.68.204.50
> Aug 24 17:56:49 tiger sshd[8287]: Invalid user grey from 80.68.204.50
> Aug 24 17:56:50 tiger sshd[8289]: Invalid user grey from 80.68.204.50
> Aug 24 17:56:50 tiger sshd[8291]: Invalid user grey from 80.68.204.50
> Aug 24 17:56:51 tiger sshd[8293]: Invalid user group from 80.68.204.50
> Aug 24 17:56:52 tiger sshd[8295]: Invalid user group from 80.68.204.50
> Aug 24 17:56:52 tiger sshd[8297]: Invalid user group from 80.68.204.50
> Aug 24 17:56:53 tiger sshd[8299]: Invalid user gryphon from 80.68.204.50
> Aug 24 17:56:54 tiger sshd[8301]: Invalid user gryphon from 80.68.204.50
> Aug 24 17:56:54 tiger sshd[8303]: Invalid user gryphon from 80.68.204.50
> Aug 24 17:56:55 tiger sshd[8305]: Invalid user gucci from 80.68.204.50
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
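The thread's advice comes down to three steps: read the sshd log for the brute-force pattern Bill posted, decide which sources have crossed a threshold, and express the block as a hosts.deny entry (TCP Wrappers) or as an iptables rule on the SSH host. The script below is an added example written for this archive page; it is not code from any poster in the thread. The sample log is constructed from the format of Bill's /var/log/security excerpt (same hostname, PIDs and source IP), with two extra constructed lines (an accepted login from 192.0.2.10 and a single failure from 192.0.2.77) so that the threshold logic has something to distinguish. The threshold value of 3 and the daemon name "sshd" are assumptions, chosen to match the hosts.allow syntax Jonathan shows.

```python
import re
from collections import Counter

# Constructed sample: lines in the same format as the /var/log/security excerpt
# quoted in the thread, plus two constructed lines from other sources.
SAMPLE_LOG = """\
Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50
Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf from 80.68.204.50
Aug 24 17:57:10 tiger sshd[8400]: Accepted publickey for bill from 192.0.2.10 port 51234 ssh2
Aug 24 17:58:02 tiger sshd[8402]: Invalid user test from 192.0.2.77
"""

# Matches the syslog-style "Invalid user <name> from <ip>" line sshd writes
# when a login is attempted for an account that does not exist.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def count_invalid_users(log_text):
    """Return {source_ip: Counter(username -> attempts)} over all 'Invalid user' lines."""
    per_ip = {}
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are ignored
        per_ip.setdefault(m["ip"], Counter())[m["user"]] += 1
    return per_ip


def offending_ips(per_ip, threshold=3):
    """Source IPs whose total invalid-user attempts reach the (assumed) threshold, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= threshold]


def hosts_deny_lines(ips, daemon="sshd"):
    """Render /etc/hosts.deny entries in the daemon_list : client_list form used in the thread."""
    return [f"{daemon}: {ip}" for ip in ips]


def iptables_drop_rules(ips, port=22):
    """Render equivalent host-level filter rules for the case where TCP Wrappers is not in play."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    per_ip = count_invalid_users(SAMPLE_LOG)
    for ip, users in per_ip.items():
        print(f"{ip}: {sum(users.values())} attempts, {len(users)} distinct usernames")
    bad = offending_ips(per_ip)
    print("\n".join(hosts_deny_lines(bad)))
    print("\n".join(iptables_drop_rules(bad)))
```

Two caveats belong with Eduardo's first sentence. hosts.allow and hosts.deny only take effect if sshd was built against libwrap, which `ldd "$(command -v sshd)" | grep libwrap` will show; OpenSSH dropped TCP Wrappers support in 6.7, so on a current system the iptables (or border firewall) route is the one that actually applies. Second, blocking by source address rewards IP spoofing only for TCP if the attacker can complete the handshake, so, as Jonathan notes, a default-deny allow-list stops most of this noise without being a substitute for key-based authentication.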
Current thread:
- what to do? Bill Smith (Aug 26)
- Re: what to do? Jayson Anderson (Aug 29)
- Re: what to do? AragonX (Aug 30)
- Re: what to do? Ansgar -59cobalt- Wiechers (Aug 29)
- Re: what to do? Alexander Bolante (Aug 29)
- Re: what to do? Robert Escue (Aug 29)
- Re: what to do? Bow Sineath (Aug 29)
- Re: what to do? Leif Ericksen (Aug 31)
- Re: what to do? Duncan (Aug 29)
- Re: what to do? Jonathan Loh (Aug 29)
- RE: what to do? Eduardo Suzuki (Aug 30)
- Re: what to do? morph84 (Aug 29)
- Re: what to do? cam (Aug 30)
- Re: what to do? zp (Aug 30)
- Re: what to do? cam (Aug 30)
- Re: what to do? Barrie Dempster (Aug 29)
- Re: what to do? paavan shah (Aug 29)
- Re: what to do? Alexander Klimov (Aug 30)
- Re: what to do? Anthony J Placilla (Aug 30)
- RE: what to do? Mehmet Buyukozer (Aug 31)
- <Possible follow-ups>
- RE: what to do? Rochford, Paul (BOI Compliance) (Aug 30)
- RE: what to do? Shane Singh (Aug 30)
(Thread continues...)