Security Basics mailing list archives
Re: what to do?
From: "Bow Sineath" <bow.sineath () gmail com>
Date: Fri, 26 Aug 2005 20:57:31 -0400
Unfortunately these types of attacks are fairly common. I see them on a regular basis and they have yet to cause me any problems. That doesn't mean that they aren't a security risk, however.
I typically watch for the attacks and use ipfw or tcp wrappers to deny connections from IP blocks that show up in my logs. In your case I would deny connections from 80.68.0.0/16; however, that will deny anyone from the 80.68.0.0 subnet. If you feel that these attacks are a serious threat then I would recommend doing the reverse and only allowing certain IP addresses through your firewall to sshd.
Also, make sure that all of the accounts on your machine have secure passwords. I would also recommend editing your sshd_config file and editing the AllowUsers line (also set PermitRootLogin to no). There are also some active intrusion detection systems that will detect failed connection attempts and automatically block IP addresses that have too many failed connections (I believe portsentry does this). There are a lot of ways you can deal with these attacks but to be honest, the best way is to just make sure all the accounts on your system have secure passwords and properly configure sshd. I block the IPs just to keep my logs clean and prevent any future, more advanced attacks.
Bow Sineath
Class of 2006, the Citadel
sineathj1 () citadel edu - bow.sineath () gmail com

----- Original Message -----
From: "Bill Smith" <vinet138 () yahoo com>
To: <security-basics () securityfocus com>
Sent: Thursday, August 25, 2005 3:30 AM
Subject: what to do?
Hi Guys,

I noticed that someone is trying to hack into my machine. Please see below the content of /var/log/security. What I would like some advice from you guys on is, what will I do with these people? btw, I do have FW.

Cheers,
Bill

Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50
Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf from 80.68.204.50
Aug 24 17:56:32 tiger sshd[8239]: Invalid user goose from 80.68.204.50
Aug 24 17:56:32 tiger sshd[8241]: Invalid user goose from 80.68.204.50
Aug 24 17:56:33 tiger sshd[8243]: Invalid user goose from 80.68.204.50
Aug 24 17:56:34 tiger sshd[8245]: Invalid user gorges from 80.68.204.50
Aug 24 17:56:35 tiger sshd[8247]: Invalid user gorges from 80.68.204.50
Aug 24 17:56:35 tiger sshd[8249]: Invalid user gorges from 80.68.204.50
Aug 24 17:56:36 tiger sshd[8251]: Invalid user gosling from 80.68.204.50
Aug 24 17:56:37 tiger sshd[8253]: Invalid user gosling from 80.68.204.50
Aug 24 17:56:38 tiger sshd[8255]: Invalid user gosling from 80.68.204.50
Aug 24 17:56:38 tiger sshd[8257]: Invalid user gouge from 80.68.204.50
Aug 24 17:56:39 tiger sshd[8259]: Invalid user gouge from 80.68.204.50
Aug 24 17:56:40 tiger sshd[8261]: Invalid user gouge from 80.68.204.50
Aug 24 17:56:40 tiger sshd[8263]: Invalid user graham from 80.68.204.50
Aug 24 17:56:41 tiger sshd[8265]: Invalid user graham from 80.68.204.50
Aug 24 17:56:42 tiger sshd[8267]: Invalid user graham from 80.68.204.50
Aug 24 17:56:42 tiger sshd[8269]: Invalid user grahm from 80.68.204.50
Aug 24 17:56:43 tiger sshd[8271]: Invalid user grahm from 80.68.204.50
Aug 24 17:56:44 tiger sshd[8273]: Invalid user grahm from 80.68.204.50
Aug 24 17:56:44 tiger sshd[8275]: Invalid user grandpa from 80.68.204.50
Aug 24 17:56:45 tiger sshd[8277]: Invalid user grandpa from 80.68.204.50
Aug 24 17:56:46 tiger sshd[8279]: Invalid user grandpa from 80.68.204.50
Aug 24 17:56:47 tiger sshd[8281]: Invalid user green from 80.68.204.50
Aug 24 17:56:48 tiger sshd[8283]: Invalid user green from 80.68.204.50
Aug 24 17:56:48 tiger sshd[8285]: Invalid user green from 80.68.204.50
Aug 24 17:56:49 tiger sshd[8287]: Invalid user grey from 80.68.204.50
Aug 24 17:56:50 tiger sshd[8289]: Invalid user grey from 80.68.204.50
Aug 24 17:56:50 tiger sshd[8291]: Invalid user grey from 80.68.204.50
Aug 24 17:56:51 tiger sshd[8293]: Invalid user group from 80.68.204.50
Aug 24 17:56:52 tiger sshd[8295]: Invalid user group from 80.68.204.50
Aug 24 17:56:52 tiger sshd[8297]: Invalid user group from 80.68.204.50
Aug 24 17:56:53 tiger sshd[8299]: Invalid user gryphon from 80.68.204.50
Aug 24 17:56:54 tiger sshd[8301]: Invalid user gryphon from 80.68.204.50
Aug 24 17:56:54 tiger sshd[8303]: Invalid user gryphon from 80.68.204.50
Aug 24 17:56:55 tiger sshd[8305]: Invalid user gucci from 80.68.204.50
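The reply above suggests two things: watch the log for the source addresses behind the "Invalid user" lines and deny them (via ipfw or tcp wrappers), and harden sshd_config (AllowUsers, PermitRootLogin no). The following shell script is an added example, not code from either poster or from any of the tools named in the thread. It counts "Invalid user" attempts per source address in sshd log lines of the format Bill quoted, prints the addresses at or above a threshold as tcp wrappers hosts.deny entries, and checks an sshd_config for the two settings Bow recommends. The log lines, the threshold of 3, and the assumption that sshd is linked against libwrap (so a `sshd:` entry in hosts.deny applies) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): per-source counting of sshd
# "Invalid user" attempts, candidate hosts.deny entries, and an sshd_config check.

# Constructed sample log in the same format as the quoted /var/log/security
# excerpt, plus one unrelated source and one successful login that must not count.
SAMPLE_LOG='Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50
Aug 24 17:57:10 tiger sshd[8300]: Invalid user test from 192.0.2.7 port 40122
Aug 24 17:58:00 tiger sshd[8310]: Accepted publickey for bill from 198.51.100.9 port 50022 ssh2'

# Reads sshd log lines on stdin and prints "<count> <source-ip>" per source,
# highest count first. The address is taken as the word after "from" so both the
# older format in the thread and the newer "... from IP port N" format are handled.
count_invalid_users() {
    awk '/sshd\[[0-9]+\]: Invalid user .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Reads sshd log lines on stdin; prints a tcp wrappers hosts.deny line
# ("sshd: <ip>") for every source at or above the threshold given as $1 (default 3).
# Assumes sshd is built with libwrap, which is what makes hosts.deny apply to it.
offenders() {
    threshold="${1:-3}"
    count_invalid_users | awk -v t="$threshold" '$1 >= t { print "sshd: " $2 }'
}

# Returns 0 only if the sshd_config at $1 sets PermitRootLogin to no and has a
# non-empty AllowUsers line, the two settings recommended in the reply.
# sshd_config keywords and the yes/no values are case-insensitive, hence -i.
check_sshd_config() {
    f="$1"
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$f" || return 1
    grep -Eiq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' "$f" || return 1
    return 0
}

# Stand-alone run: show per-source counts and the candidate deny entries.
printf '%s\n' "$SAMPLE_LOG" | count_invalid_users
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

Run it against a real log with `offenders 5 < /var/log/security` (or whatever path your system uses) and review the output before appending anything to hosts.deny; the threshold is the knob that separates a mistyped login from a dictionary run, and a lockout against your own address is the failure mode to guard against, which is also why the reply pairs blocking with an AllowUsers whitelist rather than relying on blocking alone.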
Current thread:
- what to do? Bill Smith (Aug 26)
- Re: what to do? Jayson Anderson (Aug 29)
- Re: what to do? AragonX (Aug 30)
- Re: what to do? Ansgar -59cobalt- Wiechers (Aug 29)
- Re: what to do? Alexander Bolante (Aug 29)
- Re: what to do? Robert Escue (Aug 29)
- Re: what to do? Bow Sineath (Aug 29)
- Re: what to do? Leif Ericksen (Aug 31)
- Re: what to do? Duncan (Aug 29)
- Re: what to do? Jonathan Loh (Aug 29)
- RE: what to do? Eduardo Suzuki (Aug 30)
- Re: what to do? morph84 (Aug 29)
- Re: what to do? cam (Aug 30)
- Re: what to do? zp (Aug 30)
- Re: what to do? cam (Aug 30)
- Re: what to do? Barrie Dempster (Aug 29)
- Re: what to do? paavan shah (Aug 29)
- Re: what to do? Alexander Klimov (Aug 30)