Security Basics mailing list archives
Re: what to do?
From: <Steve.Cummings () barclayscapital com>
Date: Tue, 30 Aug 2005 19:04:33 +0100
Looks to me some sort of automated script have seen this before Could you tie down ssh access on perimeter via router to this box firewall ip you have one Ips/ids would also be able to stop this assuming u wrote a signature to stop this that way if hacker changes ip will still stop it assuming none of these users are legit -----Original Message----- From: Anthony J Placilla <anthony_placilla () suth com> To: Bill Smith <vinet138 () yahoo com> CC: security-basics () securityfocus com <security-basics () securityfocus com> Sent: Tue Aug 30 14:33:30 2005 Subject: Re: what to do? On Thu, 2005-08-25 at 00:30 -0700, Bill Smith wrote:
Hi Guys, I noticed that someone is trying to hacker into my machine. Please see below is the content of /var/log/security. what I would like some advice of you guys is, what will I do with these people? btw, I do have FW Cheers, Bill Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50 Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50 Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50 Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50 Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf from 80.68.204.50 Aug 24 17:56:32 tiger sshd[8239]: Invalid user goose from 80.68.204.50 Aug 24 17:56:32 tiger sshd[8241]: Invalid user goose from 80.68.204.50 Aug 24 17:56:33 tiger sshd[8243]: Invalid user goose from 80.68.204.50 Aug 24 17:56:34 tiger sshd[8245]: Invalid user gorges from 80.68.204.50 Aug 24 17:56:35 tiger sshd[8247]: Invalid user gorges from 80.68.204.50 Aug 24 17:56:35 tiger sshd[8249]: Invalid user gorges from 80.68.204.50 Aug 24 17:56:36 tiger sshd[8251]: Invalid user gosling from 80.68.204.50 Aug 24 17:56:37 tiger sshd[8253]: Invalid user gosling from 80.68.204.50 Aug 24 17:56:38 tiger sshd[8255]: Invalid user gosling from 80.68.204.50 Aug 24 17:56:38 tiger sshd[8257]: Invalid user gouge from 80.68.204.50 Aug 24 17:56:39 tiger sshd[8259]: Invalid user gouge from 80.68.204.50 Aug 24 17:56:40 tiger sshd[8261]: Invalid user gouge from 80.68.204.50 Aug 24 17:56:40 tiger sshd[8263]: Invalid user graham from 80.68.204.50 Aug 24 17:56:41 tiger sshd[8265]: Invalid user graham from 80.68.204.50 Aug 24 17:56:42 tiger sshd[8267]: Invalid user graham from 80.68.204.50 Aug 24 17:56:42 tiger sshd[8269]: Invalid user grahm from 80.68.204.50 Aug 24 17:56:43 tiger sshd[8271]: Invalid user grahm from 80.68.204.50 Aug 24 17:56:44 tiger sshd[8273]: Invalid user grahm from 80.68.204.50 Aug 24 17:56:44 tiger sshd[8275]: Invalid user grandpa from 80.68.204.50 Aug 24 17:56:45 tiger sshd[8277]: Invalid user grandpa from 80.68.204.50 Aug 24 17:56:46 tiger sshd[8279]: Invalid user grandpa from 80.68.204.50 Aug 24 17:56:47 tiger sshd[8281]: Invalid user green from 80.68.204.50 Aug 24 17:56:48 tiger sshd[8283]: Invalid user green from 80.68.204.50 Aug 24 17:56:48 tiger sshd[8285]: Invalid user green from 80.68.204.50 Aug 24 17:56:49 tiger sshd[8287]: Invalid user grey from 80.68.204.50 Aug 24 17:56:50 tiger sshd[8289]: Invalid user grey from 80.68.204.50 Aug 24 17:56:50 tiger sshd[8291]: Invalid user grey from 80.68.204.50 Aug 24 17:56:51 tiger sshd[8293]: Invalid user group from 80.68.204.50 Aug 24 17:56:52 tiger sshd[8295]: Invalid user group from 80.68.204.50 Aug 24 17:56:52 tiger sshd[8297]: Invalid user group from 80.68.204.50 Aug 24 17:56:53 tiger sshd[8299]: Invalid user gryphon from 80.68.204.50 Aug 24 17:56:54 tiger sshd[8301]: Invalid user gryphon from 80.68.204.50 Aug 24 17:56:54 tiger sshd[8303]: Invalid user gryphon from 80.68.204.50 Aug 24 17:56:55 tiger sshd[8305]: Invalid user gucci from 80.68.204.50
Take a look at DenyHosts http://denyhosts.sourceforge.net/index.html very flexible & configurable. Run out of cron at a schedule of your choosing it will black hole the offending IPs via hosts.deny or sshd_sentry http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry never tried it. IPtables can also be used. Netfilter has a "recent" module that can be implemented something like this: (watch out for the line wraps) -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: " -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j DROP -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT --to-destination $INTERNAL:22 -A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination $INTERNAL:22 This blocks attempts for 1 minute after 3 attempts (successful or failed, so if someone forgets their password, they may trip it as well). -- Tony Placilla, RHCT anthony_placilla () suth com ------------------------------------------------------------------------ For more information about Barclays Capital, please visit our web site at http://www.barcap.com. Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons. ------------------------------------------------------------------------
Current thread:
- Re: what to do?, (continued)
- Re: what to do? morph84 (Aug 29)
- Re: what to do? cam (Aug 30)
- Re: what to do? zp (Aug 30)
- Re: what to do? cam (Aug 30)
- Re: what to do? Barrie Dempster (Aug 29)
- Re: what to do? paavan shah (Aug 29)
- Re: what to do? Alexander Klimov (Aug 30)
- Re: what to do? Anthony J Placilla (Aug 30)
- RE: what to do? Mehmet Buyukozer (Aug 31)
- RE: what to do? Rochford, Paul (BOI Compliance) (Aug 30)
- RE: what to do? Shane Singh (Aug 30)
- Re: what to do? Steve.Cummings (Aug 30)
- RE: what to do? Shane Singh (Aug 31)
- Re: what to do? zp (Aug 31)
- Re: what to do? morph84 (Aug 29)