
BLU Discuss list archive



How are people handling network attacks?



 Steve,

 The simplest thing is to disallow root logins and move your ssh listening port
from 22 to some other port. I get these script kiddies both on my work network
and my home firewall every day and I just got tired of looking at the log
messages, so I moved my home ports to 3000 + the normal port number - (sshd
for my main workstation is on 3022) - IPCop blocks 22 and maps the various
ports to 22 on each of my internal systems. My work servers are in the process
of also being moved to different ports where possible using the sshd_config -
they won't let me move 80 and a few others, but sshd is moving.

 Dave Gavin

 On Sat, 26 Feb 2005 13:29:53 -0500
steve at horne.homelinux.net wrote:

> 
> Hello blu --
> 
> I have a cable modem connected to a "firewall"  -- slackware based,
> 2.4.22, iptables.  Recently I've seen an increase in the number of
> dictionary-based attacks. Log fills up with stuff like this:
> Feb 25 20:01:56 horne sshd[2407]: Failed password for root from 61.177.137.170 port 58956 ssh2
> Feb 25 20:02:05 horne sshd[2409]: Failed password for root from 61.177.137.170 port 59007 ssh2
> Feb 25 20:02:11 horne sshd[2411]: Failed password for root from 61.177.137.170 port 59055 ssh2
> Feb 25 20:02:17 horne sshd[2413]: Failed password for root from 61.177.137.170 port 59083 ssh2
> Feb 25 20:02:27 horne sshd[2415]: Failed password for root from 61.177.137.170 port 59115 ssh2
> Feb 25 20:02:35 horne sshd[2417]: Failed password for root from 61.177.137.170 port 59173 ssh2
> Feb 25 20:02:41 horne sshd[2419]: Failed password for root from 61.177.137.170 port 59206 ssh2
> Feb 25 20:02:57 horne sshd[2421]: Failed password for root from 61.177.137.170 port 59246 ssh2
> 
> Looks like a systematic attack...  8 attempts, various ports...
> Several per night, from various places.
> 
> I've tried email  to their providers -- when I can figure out who they are...
> just get automated responses -- basically blown off.
> 
> I've taken to harvesting the log for the IP addresses and adding them to my
> firewall rules, just to annoy them, really -- (Hah)
> 
> For what it's worth, here's the last 20 or so miscreants that have shown up - 
> this is cut from iptables -L
> 
> Do I have any other options?  Can Comcast block them upstream?
> Do ISPs, in general, care about this sort of thing?
> 
>                     Thanks,
>                             Steve
> 
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://olduvai.blu.org/mailman/listinfo/discuss
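Steve's log-harvesting and Dave's advice, as an added example that is not part of the thread: a small POSIX shell script that counts sshd "Failed password" lines per source address and prints (never applies) iptables DROP rules for sources over a threshold, so the rules can be reviewed before they go into a chain like EXTERNAL_INPUT. It assumes the syslog line format shown in the post and a POSIX awk and sort; the sample log is constructed, with RFC 5737 test addresses in place of the real sources.

```shell
#!/bin/sh
# Added example, not from the thread: summarise sshd "Failed password" lines
# per source address and print iptables DROP rules for repeat offenders,
# which is the log-harvesting Steve describes, made repeatable and reviewable.
# Assumes the syslog line format shown in the post and a POSIX awk/sort.

# failed_sources LOG [MIN]: print "count address" for every source with at
# least MIN (default 5) failed attempts, highest count first.
failed_sources() {
    awk -v min="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field right after the word "from";
            # this also covers "Failed password for invalid user X from ..."
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# block_rules LOG [CHAIN] [MIN]: emit one DROP rule per offending source for
# the given chain. Rules are printed, not executed, so they can be reviewed
# (and checked against an allow-list) before being loaded into the firewall.
block_rules() {
    chain="${2:-EXTERNAL_INPUT}"
    failed_sources "$1" "${3:-5}" | while read -r count ip; do
        printf 'iptables -A %s -s %s -j DROP   # %s failed logins\n' \
            "$chain" "$ip" "$count"
    done
}

# Constructed sample log in the format from the post; the addresses are
# RFC 5737 test addresses, not the real sources, and the PIDs are made up.
SAMPLE_LOG="${TMPDIR:-/tmp}/sshd-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 25 20:01:56 horne sshd[2407]: Failed password for root from 192.0.2.10 port 58956 ssh2
Feb 25 20:02:05 horne sshd[2409]: Failed password for root from 192.0.2.10 port 59007 ssh2
Feb 25 20:02:11 horne sshd[2411]: Failed password for root from 192.0.2.10 port 59055 ssh2
Feb 25 20:02:17 horne sshd[2413]: Failed password for invalid user test from 192.0.2.10 port 59083 ssh2
Feb 25 20:03:01 horne sshd[2415]: Failed password for root from 198.51.100.7 port 40110 ssh2
Feb 25 20:03:09 horne sshd[2417]: Failed password for invalid user admin from 198.51.100.7 port 40121 ssh2
Feb 25 20:03:15 horne sshd[2419]: Failed password for root from 198.51.100.7 port 40133 ssh2
Feb 25 20:04:44 horne sshd[2421]: Failed password for steve from 203.0.113.5 port 51000 ssh2
Feb 25 20:04:50 horne sshd[2421]: Accepted password for steve from 203.0.113.5 port 51000 ssh2
EOF

# With a threshold of 3 the two brute-forcing sources are listed and the
# single mistyped password from 203.0.113.5 is left alone.
block_rules "$SAMPLE_LOG" EXTERNAL_INPUT 3
```

Lowering the threshold to 1 would also block the legitimate user who mistyped a password once, which is why the rules are printed for review rather than fed straight into iptables.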




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org