Re: what to do?
From: Anthony J Placilla (anthony_placilla_at_suth.com)
Date: 08/30/05
- Previous message: Joe George: "RE: FW: Your opinion on Skype"
- In reply to: Bill Smith: "what to do?"
- Next in thread: Steve.Cummings_at_barclayscapital.com: "Re: what to do?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Bill Smith <vinet138@yahoo.com> Date: Tue, 30 Aug 2005 09:33:30 -0400
On Thu, 2005-08-25 at 00:30 -0700, Bill Smith wrote:
> Hi Guys,
>
> I noticed that someone is trying to hacker into my
> machine. Please see below is the content of
> /var/log/security.
> what I would like some advice of you guys is, what
> will I do with these people?
> btw, I do have FW
>
> Cheers,
>
> Bill
>
> Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer
> from 80.68.204.50
> Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer
> from 80.68.204.50
> Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer
> from 80.68.204.50
> Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf
> from 80.68.204.50
> Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf
> from 80.68.204.50
> Aug 24 17:56:32 tiger sshd[8239]: Invalid user goose
> from 80.68.204.50
> Aug 24 17:56:32 tiger sshd[8241]: Invalid user goose
> from 80.68.204.50
> Aug 24 17:56:33 tiger sshd[8243]: Invalid user goose
> from 80.68.204.50
> Aug 24 17:56:34 tiger sshd[8245]: Invalid user gorges
> from 80.68.204.50
> Aug 24 17:56:35 tiger sshd[8247]: Invalid user gorges
> from 80.68.204.50
> Aug 24 17:56:35 tiger sshd[8249]: Invalid user gorges
> from 80.68.204.50
> Aug 24 17:56:36 tiger sshd[8251]: Invalid user gosling
> from 80.68.204.50
> Aug 24 17:56:37 tiger sshd[8253]: Invalid user gosling
> from 80.68.204.50
> Aug 24 17:56:38 tiger sshd[8255]: Invalid user gosling
> from 80.68.204.50
> Aug 24 17:56:38 tiger sshd[8257]: Invalid user gouge
> from 80.68.204.50
> Aug 24 17:56:39 tiger sshd[8259]: Invalid user gouge
> from 80.68.204.50
> Aug 24 17:56:40 tiger sshd[8261]: Invalid user gouge
> from 80.68.204.50
> Aug 24 17:56:40 tiger sshd[8263]: Invalid user graham
> from 80.68.204.50
> Aug 24 17:56:41 tiger sshd[8265]: Invalid user graham
> from 80.68.204.50
> Aug 24 17:56:42 tiger sshd[8267]: Invalid user graham
> from 80.68.204.50
> Aug 24 17:56:42 tiger sshd[8269]: Invalid user grahm
> from 80.68.204.50
> Aug 24 17:56:43 tiger sshd[8271]: Invalid user grahm
> from 80.68.204.50
> Aug 24 17:56:44 tiger sshd[8273]: Invalid user grahm
> from 80.68.204.50
> Aug 24 17:56:44 tiger sshd[8275]: Invalid user grandpa
> from 80.68.204.50
> Aug 24 17:56:45 tiger sshd[8277]: Invalid user grandpa
> from 80.68.204.50
> Aug 24 17:56:46 tiger sshd[8279]: Invalid user grandpa
> from 80.68.204.50
> Aug 24 17:56:47 tiger sshd[8281]: Invalid user green
> from 80.68.204.50
> Aug 24 17:56:48 tiger sshd[8283]: Invalid user green
> from 80.68.204.50
> Aug 24 17:56:48 tiger sshd[8285]: Invalid user green
> from 80.68.204.50
> Aug 24 17:56:49 tiger sshd[8287]: Invalid user grey
> from 80.68.204.50
> Aug 24 17:56:50 tiger sshd[8289]: Invalid user grey
> from 80.68.204.50
> Aug 24 17:56:50 tiger sshd[8291]: Invalid user grey
> from 80.68.204.50
> Aug 24 17:56:51 tiger sshd[8293]: Invalid user group
> from 80.68.204.50
> Aug 24 17:56:52 tiger sshd[8295]: Invalid user group
> from 80.68.204.50
> Aug 24 17:56:52 tiger sshd[8297]: Invalid user group
> from 80.68.204.50
> Aug 24 17:56:53 tiger sshd[8299]: Invalid user gryphon
> from 80.68.204.50
> Aug 24 17:56:54 tiger sshd[8301]: Invalid user gryphon
> from 80.68.204.50
> Aug 24 17:56:54 tiger sshd[8303]: Invalid user gryphon
> from 80.68.204.50
> Aug 24 17:56:55 tiger sshd[8305]: Invalid user gucci
> from 80.68.204.50
Take a look at DenyHosts
http://denyhosts.sourceforge.net/index.html
very flexible & configurable. Run out of cron at a schedule of your
choosing it will black hole the offending IPs via hosts.deny
or sshd_sentry
http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry
never tried it.
IPtables can also be used. Netfilter has a "recent" module that can be
implemented something like this: (watch out for the line wraps)
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck
--hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck
--hitcount 3 --seconds 600 -j DROP
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j
DNAT --to-destination $INTERNAL:22
-A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination
$INTERNAL:22
This blocks attempts for 1 minute after 3 attempts (successful or
failed, so if someone forgets their password, they may trip it as well).
-- Tony Placilla, RHCT anthony_placilla@suth.com
- Previous message: Joe George: "RE: FW: Your opinion on Skype"
- In reply to: Bill Smith: "what to do?"
- Next in thread: Steve.Cummings_at_barclayscapital.com: "Re: what to do?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
