Deal with it.  Make sure the passwords are secure.  These happen all
day long to everyone on the Internet.

Likely the machines themselves are someone else's hacked machines so
any 'punishment' will be directed at the wrong people.

Things to try:
Move SSH to a different port, use PF to block the IPs or rate limit,
use something like portsentry to watch for these kinds of attacks and
block them automatically (being careful not to lock yourself out :-).

--Bryan
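As an added illustration of the "watch the logs and block automatically" advice above (this is editor-added example code, not something posted in the thread or shipped with OpenBSD or portsentry), the script below counts "Failed password for root" events per source address in sshd log lines, lists the sources that cross a threshold, and shows the pfctl commands and pf.conf fragment that would put them into a PF table. The log lines are constructed from the ones quoted in the original mail (with the hostname placeholder replaced), the table name `bruteforce`, the `$ext_if` macro and the `trusted` table are assumptions, and the pfctl commands are only printed, never run.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Constructed sample sshd log lines, adapted from those quoted in the mail.
SAMPLE_LOG='Nov 10 16:55:19 myserver sshd[29183]: Did not receive identification string from 82.207.116.209
Nov 10 16:58:58 myserver sshd[21261]: Failed password for root from 82.207.116.209 port 35194 ssh2
Nov 17 07:41:15 myserver sshd[3254]: Failed password for root from 219.145.142.30 port 55232 ssh2
Nov 21 07:53:38 myserver sshd[18020]: Failed password for root from 201.244.17.162 port 56137 ssh2
Nov 21 16:00:46 myserver sshd[23577]: Failed password for root from 82.207.116.209 port 55925 ssh2
Nov 22 08:42:25 myserver sshd[9687]: Failed password for root from 71.159.221.78 port 63731 ssh2
Nov 23 23:14:08 myserver sshd[26235]: Failed password for root from 211.20.79.85 port 54407 ssh2
Nov 23 23:15:01 myserver sshd[26240]: Failed password for root from 82.207.116.209 port 54410 ssh2'

# ssh_offenders THRESHOLD  (reads sshd log lines on stdin)
# Prints "count address" for every source with at least THRESHOLD failed
# root logins, most active source first.
ssh_offenders() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for root from / {
            # the field after "from" is the source address
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (a in n) if (n[a] >= t) print n[a], a }
    ' | sort -rn
}

# block_commands THRESHOLD  (reads sshd log lines on stdin)
# Prints (does not execute) the pfctl commands that would add each offender
# to a PF table named <bruteforce>, the assumed table used in pf_rules below.
block_commands() {
    ssh_offenders "$1" | while read -r count addr; do
        printf 'pfctl -t bruteforce -T add %s\n' "$addr"
    done
}

# Hypothetical pf.conf fragment. $ext_if and the <trusted> table are assumed
# names; <trusted> is the "don't lock yourself out" safety valve: addresses in
# it are passed before the block rule is consulted. The pass rule also
# rate-limits new SSH connections per source (more than 5 in 30 seconds) and
# pushes the source into the same table, flushing its existing states.
pf_rules() {
cat <<'EOF'
table <trusted> persist
table <bruteforce> persist
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port 22
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
EOF
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 3
printf '%s\n' "$SAMPLE_LOG" | block_commands 3
pf_rules
```

On a real box the script would read /var/log/authlog instead of the embedded sample, and the printed pfctl commands would be run by a cron job or from a log watcher; whatever address the administrator connects from belongs in the `trusted` table first, which is the lock-out caveat from the reply expressed as a rule.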

On Nov 26, 2007 6:56 PM, badeguruji <[EMAIL PROTECTED]> wrote:
> I just discovered by chance that, someone is
> constantly trying to break into my openbsd box from:
>
> 201.244.17.162 [corporativos24417-162.etb.net.co]
> 203.113.85.26
> 211.20.79.85
> 71.159.221.78
> 82.207.116.209
>
> whois details on each IP go to South America, Bangkok,
> Taiwan... all over the world! Although I have sent
> email to the email address in whois output, the
> attacker may be spoofing the IP.
>
> By the pattern of attempt I can tell it is the same
> user. I am asking the community's help on how to
> block and, more properly, punish this unethical user.
> This user is running the attack constantly. I will
> have to shut down the box for now and come back at a
> later time when someone has posted some solution on
> the list.
>
> My box is behind router-NAT which is allowing ssh. I
> am not sure how this guy can get to my box which has a
> pvt IP address from the internet through the firewall.
>
> I looked for blocking access depending on source IP in
> my dsl-router, but it is not that versatile.
>
> I have now also set up hosts.allow and DenyUsers/Groups
> in ssh config. Is that enough?
>
> Here are some excerpts from my logs:
>
> Nov  9 03:24:51 <myserver> sshd[15822]: Did not
> receive identification string from 218.76.217.234
>
> Nov 10 16:55:19 <myserver> sshd[29183]: Did not
> receive identification string from 82.207.116.209
> Nov 10 16:58:58 <myserver> sshd[21261]: Failed
> password for root from 82.207.116.209 port 35194 ssh2
> Nov 10 16:58:59 <myserver> sshd[5372]: Received
> disconnect from 82.207.116.209: 11: Bye Bye
>
> Nov 17 07:41:15 <myserver> sshd[3254]: Failed password
> for root from 219.145.142.30 port 55232 ssh2
> Nov 17 07:41:15 <myserver> sshd[27682]: Received
> disconnect from 219.145.142.30: 11: Bye Bye
>
> Nov 21 07:51:16 <myserver> sshd[12865]: Did not
> receive identification string from 201.244.17.162
> Nov 21 07:53:38 <myserver> sshd[18020]: reverse
> mapping checking getaddrinfo for corporativos24417-162
> .etb.net.co [201.244.17.162] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Nov 21 07:53:38 <myserver> sshd[18020]: Failed
> password for root from 201.244.17.162 port 56137 ssh2
> Nov 21 07:53:38 <myserver> sshd[19158]: Received
> disconnect from 201.244.17.162: 11: Bye Bye
>
> and,
>
> Nov 21 08:20:56 <myserver> sshd[13104]: Did not
> receive identification string from 222.231.60.88
> Nov 21 15:58:25 <myserver> sshd[16851]: Did not
> receive identification string from 82.207.116.209
> Nov 21 16:00:46 <myserver> sshd[23577]: Failed
> password for root from 82.207.116.209 port 55925 ssh2
> Nov 21 16:00:46 <myserver> sshd[6084]: Received
> disconnect from 82.207.116.209: 11: Bye Bye
>
> and,
> Nov 22 00:46:33 <myserver> sshd[18504]: Did not
> receive identification string from 61.159.228.193
> Nov 22 08:41:41 <myserver> sshd[2410]: Did not receive
> identification string from 71.159.221.78
> Nov 22 08:42:25 <myserver> sshd[9687]: Failed password
> for root from 71.159.221.78 port 63731 ssh2
> Nov 22 08:42:25 <myserver> sshd[8814]: Received
> disconnect from 71.159.221.78: 11: Bye Bye
>
> and,
> Nov 23 23:14:08 <myserver> sshd[26235]: Failed
> password for root from 211.20.79.85 port 54407 ssh2
> Nov 23 23:14:08 <myserver> sshd[16180]: Received
> disconnect from 211.20.79.85: 11: Bye Bye
>
>
>
> this is interesting...
> $ whois 71.159.221.78
> AT&T Internet Services SBCIS-SIS80 (NET-71-128-0-0-1)
>                                   71.128.0.0 -
> 71.159.255.255
> ECLIPSE MARKETING-060311011540
> SBC07115922107229060311011557 (NET-71-159-221-72-1)
>                                   71.159.221.72 -
> 71.159.221.79
>
> # ARIN WHOIS database, last updated 2007-11-24 19:10
> # Enter ? for additional hints on searching ARIN's
> WHOIS database.
> $
>
>
>
> $ whois 201.244.17.162
>
> OrgName:    Latin American and Caribbean IP address
> Regional Registry
> OrgID:      LACNIC
> Address:    Rambla Republica de Mexico 6125
> City:       Montevideo
> StateProv:
> PostalCode: 11400
> Country:    UY
>
> ReferralServer: whois://whois.lacnic.net
>
> NetRange:   201.0.0.0 - 201.255.255.255
> CIDR:       201.0.0.0/8
> NetName:    LACNIC-201
> NetHandle:  NET-201-0-0-0-1
> Parent:
> NetType:    Allocated to LACNIC
> NameServer: NS.LACNIC.NET
> NameServer: NS2.DNS.BR
> NameServer: TINNIE.ARIN.NET
> NameServer: NS-SEC.RIPE.NET
> NameServer: SEC3.APNIC.NET
> NameServer: NS3.AFRINIC.NET
> Comment:    This IP address range is under LACNIC
> responsibility
> Comment:    for further allocations to users in LACNIC
> region.
> Comment:    Please see http://www.lacnic.net/ for
> further details,
> Comment:    or check the WHOIS server located at
> whois.lacnic.net
> RegDate:    2003-04-03
> Updated:    2006-10-23
>
> OrgTechHandle: LACNIC-ARIN
> OrgTechName:   LACNIC Whois Info
> OrgTechPhone:
> OrgTechEmail:  [EMAIL PROTECTED]
>
> # ARIN WHOIS database, last updated 2007-11-24 19:10
> # Enter ? for additional hints on searching ARIN's
> WHOIS database.
>
> % Joint Whois - whois.lacnic.net
> %  This server accepts single ASN, IPv4 or IPv6
> queries
>
>
> % Copyright LACNIC lacnic.net
> %  The data below is provided for information purposes
> %  and to assist persons in obtaining information
> about or
> %  related to AS and IP numbers registrations
> %  By submitting a whois query, you agree to use this
> data
> %  only for lawful purposes.
> %  2007-11-25 03:07:31 (BRST -02:00)
>
> inetnum:     201.244.17.160/29
> status:      reallocated
> owner:       UNIVERSIDAD ANTONIO NARIQO MEDELLIN
> ownerid:     CO-UANM-LACNIC
> responsible: CARLOS ALBERTO LOPEZ VERA
> address:     Avda. La Playa Calle 52 No, 40, 88
> address:     9999 - Medellin - An
> country:     CO
> phone:       +57 4 2161003 []
> owner-c:     CAV11
> tech-c:      CAV11
> created:     20070212
> changed:     20070212
> inetnum-up:  201.244/16
>
> nic-hdl:     CAV11
> person:      CARLOS ALBERTO LOPEZ VERA
> e-mail:      [EMAIL PROTECTED]
> address:     Avda. La Playa Calle 52 No, 40, 88
> address:     9999 - Medellin - An
> country:     CO
> phone:       +57 4 2161003 []
> created:     20070212
> changed:     20070212
>
> % whois.lacnic.net accepts only direct match queries.
> % Types of queries are: POCs, ownerid, CIDR blocks, IP
> % and AS numbers.
>
>
>
> Sorry for the discomfort.
>
> -BG
>
>
>
> ________________________________
> ~~Kalyan-mastu~~