Security Basics mailing list archives

Re: what to do?


From: <Steve.Cummings () barclayscapital com>
Date: Tue, 30 Aug 2005 19:04:33 +0100

Looks to me like some sort of automated script; I have seen this before.

Could you tie down SSH access on the perimeter, via the router, to this box's firewall IP, if you have one?

IPS/IDS would also be able to stop this, assuming you wrote a signature to stop it; that way, if the hacker changes IP, it will still stop it, assuming none of these users are legit.
 

-----Original Message-----
From: Anthony J Placilla <anthony_placilla () suth com>
To: Bill Smith <vinet138 () yahoo com>
CC: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Tue Aug 30 14:33:30 2005
Subject: Re: what to do?

On Thu, 2005-08-25 at 00:30 -0700, Bill Smith wrote:
Hi Guys,

I noticed that someone is trying to hack into my
machine. Please see below the content of
/var/log/security.
What I would like some advice from you guys on is: what
should I do with these people?
BTW, I do have a FW.

Cheers,

Bill

Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50
Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf from 80.68.204.50
Aug 24 17:56:32 tiger sshd[8239]: Invalid user goose from 80.68.204.50
Aug 24 17:56:32 tiger sshd[8241]: Invalid user goose from 80.68.204.50
Aug 24 17:56:33 tiger sshd[8243]: Invalid user goose from 80.68.204.50
Aug 24 17:56:34 tiger sshd[8245]: Invalid user gorges from 80.68.204.50
Aug 24 17:56:35 tiger sshd[8247]: Invalid user gorges from 80.68.204.50
Aug 24 17:56:35 tiger sshd[8249]: Invalid user gorges from 80.68.204.50
Aug 24 17:56:36 tiger sshd[8251]: Invalid user gosling from 80.68.204.50
Aug 24 17:56:37 tiger sshd[8253]: Invalid user gosling from 80.68.204.50
Aug 24 17:56:38 tiger sshd[8255]: Invalid user gosling from 80.68.204.50
Aug 24 17:56:38 tiger sshd[8257]: Invalid user gouge from 80.68.204.50
Aug 24 17:56:39 tiger sshd[8259]: Invalid user gouge from 80.68.204.50
Aug 24 17:56:40 tiger sshd[8261]: Invalid user gouge from 80.68.204.50
Aug 24 17:56:40 tiger sshd[8263]: Invalid user graham from 80.68.204.50
Aug 24 17:56:41 tiger sshd[8265]: Invalid user graham from 80.68.204.50
Aug 24 17:56:42 tiger sshd[8267]: Invalid user graham from 80.68.204.50
Aug 24 17:56:42 tiger sshd[8269]: Invalid user grahm from 80.68.204.50
Aug 24 17:56:43 tiger sshd[8271]: Invalid user grahm from 80.68.204.50
Aug 24 17:56:44 tiger sshd[8273]: Invalid user grahm from 80.68.204.50
Aug 24 17:56:44 tiger sshd[8275]: Invalid user grandpa from 80.68.204.50
Aug 24 17:56:45 tiger sshd[8277]: Invalid user grandpa from 80.68.204.50
Aug 24 17:56:46 tiger sshd[8279]: Invalid user grandpa from 80.68.204.50
Aug 24 17:56:47 tiger sshd[8281]: Invalid user green from 80.68.204.50
Aug 24 17:56:48 tiger sshd[8283]: Invalid user green from 80.68.204.50
Aug 24 17:56:48 tiger sshd[8285]: Invalid user green from 80.68.204.50
Aug 24 17:56:49 tiger sshd[8287]: Invalid user grey from 80.68.204.50
Aug 24 17:56:50 tiger sshd[8289]: Invalid user grey from 80.68.204.50
Aug 24 17:56:50 tiger sshd[8291]: Invalid user grey from 80.68.204.50
Aug 24 17:56:51 tiger sshd[8293]: Invalid user group from 80.68.204.50
Aug 24 17:56:52 tiger sshd[8295]: Invalid user group from 80.68.204.50
Aug 24 17:56:52 tiger sshd[8297]: Invalid user group from 80.68.204.50
Aug 24 17:56:53 tiger sshd[8299]: Invalid user gryphon from 80.68.204.50
Aug 24 17:56:54 tiger sshd[8301]: Invalid user gryphon from 80.68.204.50
Aug 24 17:56:54 tiger sshd[8303]: Invalid user gryphon from 80.68.204.50
Aug 24 17:56:55 tiger sshd[8305]: Invalid user gucci from 80.68.204.50


Take a look at DenyHosts:
http://denyhosts.sourceforge.net/index.html

Very flexible and configurable. Run out of cron at a schedule of your
choosing, it will black-hole the offending IPs via hosts.deny.

Or sshd_sentry:
http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry

Never tried it.

iptables can also be used. Netfilter has a "recent" module that can be
implemented something like this (watch out for the line wraps):

# nat table rules (DNAT is only valid in the nat table); --seconds 600 is a 10-minute window
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j DROP
# every new connection that gets this far is recorded, then forwarded to the internal host
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT --to-destination $INTERNAL:22
-A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination $INTERNAL:22

This blocks attempts for 1 minute after 3 attempts (successful or
failed, so if someone forgets their password, they may trip it as well).

-- 
Tony Placilla, RHCT
anthony_placilla () suth com
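Added example, not code from the thread, DenyHosts or sshd_sentry: a small Python script doing what Tony describes DenyHosts doing. It parses sshd failure lines of the format shown in Bill's log, counts attempts per source address inside a sliding window, and emits hosts.deny and iptables entries for sources that cross the threshold. The sample log lines, the year 2005, the threshold and window values, the allowlist and the two documentation addresses are constructed for the example.

```python
"""Added example: DenyHosts-style blocking driven by sshd log lines.
Failures per source address are counted inside a sliding window; a source
that reaches the threshold gets a hosts.deny line and an iptables command.
Only failures count, so a legitimate user who eventually logs in does not
trip it (the iptables 'recent' rules in the thread count every connection)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the format of the /var/log/security excerpt in
# the thread.  192.0.2.7 and 198.51.100.9 are documentation addresses used as
# made-up sources: one fails twice and then logs in, the other fails three
# times spread over half an hour.
SAMPLE_LOG = """\
Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50
Aug 24 17:57:01 tiger sshd[8300]: Failed password for bill from 192.0.2.7 port 51022 ssh2
Aug 24 17:57:05 tiger sshd[8300]: Failed password for bill from 192.0.2.7 port 51022 ssh2
Aug 24 17:57:09 tiger sshd[8300]: Accepted password for bill from 192.0.2.7 port 51022 ssh2
Aug 24 18:30:00 tiger sshd[8400]: Failed password for invalid user admin from 198.51.100.9 port 4022 ssh2
Aug 24 18:45:00 tiger sshd[8401]: Failed password for invalid user admin from 198.51.100.9 port 4023 ssh2
Aug 24 19:00:00 tiger sshd[8402]: Failed password for invalid user admin from 198.51.100.9 port 4024 ssh2
"""

# Only failure lines match.  The user name is matched greedily and the address
# is anchored to the end of the line, so the address sshd appended wins over
# anything an attacker embeds in the user name (e.g. "x from 9.9.9.9").
FAIL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: (?:Invalid user|Failed password for) .* from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$"
)


def parse_failure(line, year=2005):
    """Return (timestamp, source_ip) for an sshd failure line, else None.
    Syslog lines carry no year, so the caller supplies it."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    try:
        ip = str(ip_address(m["ip"]))       # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, ip


def find_offenders(lines, threshold=3, window_s=600, allow=(), year=2005):
    """Map source ip -> time it reached `threshold` failures within any
    `window_s`-second window.  Lines are assumed to be in log order.
    Networks in `allow` (e.g. your own management range) are never blocked,
    which is the guard against locking yourself out."""
    allow_nets = [ip_network(net) for net in allow]
    recent = defaultdict(deque)     # ip -> timestamps of failures in window
    blocked = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in blocked or any(ip_address(ip) in net for net in allow_nets):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop aged-out hits
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def hosts_deny_entries(blocked):
    """Lines for /etc/hosts.deny (sshd must be linked against tcp_wrappers)."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]


def iptables_commands(blocked, port=22):
    """Equivalent packet-filter blocks, inserted at the top of INPUT."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), allow=["192.0.2.0/24"])
    for ip, when in hits.items():
        print(f"{ip} reached the threshold at {when:%b %d %H:%M:%S}")
    print("\n".join(hosts_deny_entries(hits) + iptables_commands(hits)))
```

With the defaults (3 failures within 600 seconds, the same ten-minute window the recent-module rules above use) 80.68.204.50 is caught on its third line, the made-up user who mistypes a password twice and then logs in is never counted, and the source that fails three times across half an hour is only caught if the window is widened to an hour. Two practical points: hosts.deny entries only bite if sshd is built with tcp_wrappers support, which is why the script also prints the iptables form; and the first entry in the allowlist should be the address you administer the box from.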




------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.


Internet communications are not secure and therefore the Barclays 
Group does not accept legal responsibility for the contents of this 
message.  Although the Barclays Group operates anti-virus programmes, 
it does not accept responsibility for any damage whatsoever that is 
caused by viruses being passed.  Any views or opinions presented are 
solely those of the author and do not necessarily represent those of the 
Barclays Group.  Replies to this email may be monitored by the Barclays 
Group for operational or business reasons.

------------------------------------------------------------------------
