Re: what to do?
From: Bow Sineath (bow.sineath_at_gmail.com)
Date: 08/27/05
- Previous message: Ansgar -59cobalt- Wiechers: "Re: Windows Server 2000 port lock down"
- In reply to: Bill Smith: "what to do?"
- Next in thread: Duncan: "Re: what to do?"
To: "Bill Smith" <vinet138@yahoo.com>, <security-basics@securityfocus.com>
Date: Fri, 26 Aug 2005 20:57:31 -0400
Unfortunately these types of attacks are fairly common. I see them on a
regular basis and they have yet to cause me any problems. That doesn't mean
that they aren't a security risk, however.
I typically watch for the attacks and use ipfw or tcp wrappers to deny
connections from IP blocks that show up in my logs. In your case I would
deny connections from 80.68.0.0/16, however that will deny anyone from the
80.68.0.0 subnet. If you feel that these attacks are a serious threat then I
would recommend doing the reverse and only allowing certain IP addresses
through your firewall to sshd.
Also, make sure that all of the accounts on your machine have secure
passwords. I would also recommend editing your sshd_config file and editing
the AllowUsers line (also set PermitRootLogin to no). There are also some
active intrusion detection systems that will detect failed connection
attempts and automatically block IP addresses that have too many failed
connections (I believe portsentry does this). There are a lot of ways you
can deal with these attacks but to be honest, the best way is to just make
sure all the accounts on your system have secure passwords and properly
configure sshd. I block the IPs just to keep my logs clean and prevent any
future, more advanced attacks.
Bow Sineath
Class of 2006, the Citadel
sineathj1@citadel.edu - bow.sineath@gmail.com
----- Original Message -----
From: "Bill Smith" <vinet138@yahoo.com>
To: <security-basics@securityfocus.com>
Sent: Thursday, August 25, 2005 3:30 AM
Subject: what to do?
> Hi Guys,
>
> I noticed that someone is trying to hack into my
> machine. Please see below the content of
> /var/log/security.
> What I would like some advice from you guys on is: what
> will I do with these people?
> btw, I do have a FW.
>
> Cheers,
>
> Bill
>
> Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50
> Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50
> Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50
> Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50
> Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf from 80.68.204.50
> Aug 24 17:56:32 tiger sshd[8239]: Invalid user goose from 80.68.204.50
> Aug 24 17:56:32 tiger sshd[8241]: Invalid user goose from 80.68.204.50
> Aug 24 17:56:33 tiger sshd[8243]: Invalid user goose from 80.68.204.50
> Aug 24 17:56:34 tiger sshd[8245]: Invalid user gorges from 80.68.204.50
> Aug 24 17:56:35 tiger sshd[8247]: Invalid user gorges from 80.68.204.50
> Aug 24 17:56:35 tiger sshd[8249]: Invalid user gorges from 80.68.204.50
> Aug 24 17:56:36 tiger sshd[8251]: Invalid user gosling from 80.68.204.50
> Aug 24 17:56:37 tiger sshd[8253]: Invalid user gosling from 80.68.204.50
> Aug 24 17:56:38 tiger sshd[8255]: Invalid user gosling from 80.68.204.50
> Aug 24 17:56:38 tiger sshd[8257]: Invalid user gouge from 80.68.204.50
> Aug 24 17:56:39 tiger sshd[8259]: Invalid user gouge from 80.68.204.50
> Aug 24 17:56:40 tiger sshd[8261]: Invalid user gouge from 80.68.204.50
> Aug 24 17:56:40 tiger sshd[8263]: Invalid user graham from 80.68.204.50
> Aug 24 17:56:41 tiger sshd[8265]: Invalid user graham from 80.68.204.50
> Aug 24 17:56:42 tiger sshd[8267]: Invalid user graham from 80.68.204.50
> Aug 24 17:56:42 tiger sshd[8269]: Invalid user grahm from 80.68.204.50
> Aug 24 17:56:43 tiger sshd[8271]: Invalid user grahm from 80.68.204.50
> Aug 24 17:56:44 tiger sshd[8273]: Invalid user grahm from 80.68.204.50
> Aug 24 17:56:44 tiger sshd[8275]: Invalid user grandpa from 80.68.204.50
> Aug 24 17:56:45 tiger sshd[8277]: Invalid user grandpa from 80.68.204.50
> Aug 24 17:56:46 tiger sshd[8279]: Invalid user grandpa from 80.68.204.50
> Aug 24 17:56:47 tiger sshd[8281]: Invalid user green from 80.68.204.50
> Aug 24 17:56:48 tiger sshd[8283]: Invalid user green from 80.68.204.50
> Aug 24 17:56:48 tiger sshd[8285]: Invalid user green from 80.68.204.50
> Aug 24 17:56:49 tiger sshd[8287]: Invalid user grey from 80.68.204.50
> Aug 24 17:56:50 tiger sshd[8289]: Invalid user grey from 80.68.204.50
> Aug 24 17:56:50 tiger sshd[8291]: Invalid user grey from 80.68.204.50
> Aug 24 17:56:51 tiger sshd[8293]: Invalid user group from 80.68.204.50
> Aug 24 17:56:52 tiger sshd[8295]: Invalid user group from 80.68.204.50
> Aug 24 17:56:52 tiger sshd[8297]: Invalid user group from 80.68.204.50
> Aug 24 17:56:53 tiger sshd[8299]: Invalid user gryphon from 80.68.204.50
> Aug 24 17:56:54 tiger sshd[8301]: Invalid user gryphon from 80.68.204.50
> Aug 24 17:56:54 tiger sshd[8303]: Invalid user gryphon from 80.68.204.50
> Aug 24 17:56:55 tiger sshd[8305]: Invalid user gucci from 80.68.204.50
>
>
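An added example, written for this thread and not taken from Bow's message or from portsentry, of the auto-blocking logic Bow describes: it parses sshd "Invalid user" lines of the kind in Bill's log, counts failures per source address inside a sliding time window, and emits tcp_wrappers hosts.deny entries for any source that crosses the threshold. The threshold (5 failures in 60 s), the second address 192.0.2.10 and the "Accepted password" line are constructed assumptions; the first six log lines are copied from Bill's log.

```python
"""Flag SSH brute-force sources from sshd log lines and emit hosts.deny entries."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: six lines from Bill's log plus two made-up lines from a
# second, well-behaved source (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer from 80.68.204.50
Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf from 80.68.204.50
Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf from 80.68.204.50
Aug 24 17:56:32 tiger sshd[8239]: Invalid user goose from 80.68.204.50
Aug 24 17:58:05 tiger sshd[8310]: Invalid user bill from 192.0.2.10
Aug 24 17:58:07 tiger sshd[8312]: Accepted password for bill from 192.0.2.10 port 4123 ssh2
""".splitlines()

# syslog timestamp, host, sshd[pid], then the "Invalid user NAME from IP" message
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")

def parse(line, year=2005):
    """Return (timestamp, username, source_ip) for an 'Invalid user' line, else None.
    Syslog omits the year, so it is supplied by the caller (assumed 2005 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def offenders(lines, threshold=5, window_secs=60):
    """Map each source IP that reached `threshold` failures within `window_secs`
    to (time the threshold was first crossed, sorted list of usernames tried)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}                  # ip -> datetime the threshold was crossed
    for line in lines:
        rec = parse(line)
        if rec is None:           # successful logins and other noise are ignored
            continue
        ts, user, ip = rec
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_secs:   # drop expired failures
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return {ip: (flagged[ip], sorted(users[ip])) for ip in flagged}

def hosts_deny_entries(flagged):
    """tcp_wrappers lines (/etc/hosts.deny) refusing sshd to each flagged source."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]

if __name__ == "__main__":
    for ip, (when, names) in offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed threshold at {when:%H:%M:%S}, tried {', '.join(names)}")
    print("\n".join(hosts_deny_entries(offenders(SAMPLE_LOG))))
```

Running the block as written flags only 80.68.204.50; raise `threshold` or shrink `window_secs` to see how the single failure from 192.0.2.10 never qualifies.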