Vulpes Velox wrote:

On Thu, 28 Oct 2004 10:39:32 -0600
Steve Suhre <[EMAIL PROTECTED]> wrote:



I'm not sure if this is the correct group...but I'm getting some
weird activity on the network. The security reports will show 50-100
attempts to login to a server, most as root but some are attempts to
login to other seemingly random account names. The login attempts
are through ssh or telnet, all come from the same remote server, and
all fail. I'm also getting some odd cgi calls to a script on a
secure ssl server. There's nothing that this particular script could
do for a hacker, but the script is sent a random string, sometimes
many times a minute, other times it's every 2 -3 minutes. I grabbed
the ip address and blocked it, and about 10 minutes later it had
moved to another ip. I'm now blocking a range of ip's. These don't
seem like enough iterations to be very successful, the odds are
overwhelmingly in favor of the server at this rate... Does anyone
have a clue what might be happening or where I should go to find
out?



If it is all from a common subnet, I would block it. I would then whois to see who it is, and if there is an abuse addy I could complain to or the like.

Also man login.conf.

Sounds like some jerk singled you out or is possibly trying it all
on a subnet. Back before moving stuff off common ports, I would get
massive amounts of that crap. It was basically people trying anything in
the college's address space.



Since you didn't show a log, Steve, I'm wondering if it looks something like this:

auth.log:Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2
auth.log:Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2
auth.log:Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2
auth.log:Oct 11 00:23:36 foobox sshd[44548]: Failed password for root from 61.100.12.92 port 35270 ssh2
auth.log:Oct 11 00:23:39 foobox sshd[44550]: Failed password for root from 61.100.12.92 port 35309 ssh2
auth.log:Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173
auth.log:Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173
auth.log:Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 203.212.4.173
auth.log:Oct 12 01:50:19 foobox sshd[46237]: Illegal user admin from 203.212.4.173
auth.log:Oct 12 01:50:22 foobox sshd[46239]: Illegal user user from 203.212.4.173
auth.log:Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2
auth.log:Oct 12 01:50:27 foobox sshd[46243]: Failed password for root from 203.212.4.173 port 55696 ssh2
auth.log:Oct 12 01:50:29 foobox sshd[46245]: Failed password for root from 203.212.4.173 port 55734 ssh2
auth.log:Oct 12 01:50:32 foobox sshd[46247]: Illegal user test from 203.212.4.173


I think this has been discussed at some length on [EMAIL PROTECTED]. Automated scripts
from compromised machines are banging away at whatever addresses they can find
a telnet or ssh port open on, looking for people who use "foo" or "candy" as their
passwords ....


For starters, use good passwords if you use passwords at all. Probably you
should be using key-based authentication, or something beefy like that (I
know nothing of Kerberos, for example, but it might be a possibility ... <?>)


You can certainly set some things in your sshd_config (AllowUsers and
AllowGroups have been discussed) and there is that note in /etc/hosts.allow:
"wrapping sshd isn't a good idea ...", but I do it on all my boxes except one.
I'm usually on a known subnet, there are no other administrators or remote
users, and in the rare instance when I'm on a box with a "not allowed" address,
I connect to my other boxes through the one ...


I guess the next step, then, would be scripting something to parse and delete
this crap from the logs ...


Kevin Kinsey
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
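A detector for the pattern in Kevin's log, added here as an example and not code from the thread: it parses the two sshd line shapes shown above, counts failures per source IP inside a sliding time window, and lists the account names each source tried. The year 2004, the threshold/window defaults and the single 10.0.0.5 line are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two sshd message shapes in the auth.log above; "auth.log:" is grep output.
LINE_RE = re.compile(
    r"^(?:auth\.log:)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<fp_user>\S+)"
    r"|Illegal user (?P<il_user>\S+)) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_line(line, year=2004):
    """Return (timestamp, username, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["fp_user"] or m["il_user"], m["ip"]

def find_bruteforce(lines, threshold=4, window_s=60):
    """Return {ip: {"attempts": n, "users": [...]}} for IPs with >= threshold failures in window_s seconds."""
    stamps, users = defaultdict(list), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            stamps[ip].append(ts)
            users[ip].add(user)
    hits = {}
    for ip, times in stamps.items():
        times.sort()
        # sliding window: flag if any run of `threshold` failures fits inside window_s
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits[ip] = {"attempts": len(times), "users": sorted(users[ip])}
                break
    return hits
# Sample input: lines from the auth.log above, plus one constructed single
# failure from 10.0.0.5 that must not be flagged.
SAMPLE_LOG = """\
auth.log:Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2
auth.log:Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2
auth.log:Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2
auth.log:Oct 11 00:23:36 foobox sshd[44548]: Failed password for root from 61.100.12.92 port 35270 ssh2
auth.log:Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173
auth.log:Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173
auth.log:Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 203.212.4.173
auth.log:Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2
Oct 12 09:00:00 foobox sshd[47000]: Failed password for kevin from 10.0.0.5 port 40000 ssh2
""".splitlines()
```

Run `find_bruteforce(SAMPLE_LOG)` to get the two noisy sources with their attempt counts and the usernames they tried; the lone 10.0.0.5 failure is left alone.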