How are people handling network attacks?
Dave Gavin
dgavin at davegavin.com
Sat Feb 26 10:29:06 EST 2005
Steve,
The simplest thing is to disallow root logins and move your ssh listening port
from 22 to some other port. I get these script kiddies both on my work network
and my home firewall every day and I just got tired of looking at the log
messages, so I moved my home ports to 3000 + the normal port number - (sshd
for my main workstation is on 3022) - IPCop blocks 22 and maps the various
ports to 22 on each of my internal systems. My work servers are in the process
of also being moved to different ports where possible using the sshd_config -
they won't let me move 80 and a few others, but sshd is moving.
Dave Gavin
On Sat, 26 Feb 2005 13:29:53 -0500
steve at horne.homelinux.net wrote:
>
> Hello blu --
>
> I have a cable modem connected to a "firewall" -- slackware based,
> 2.4.22, iptables. Recently I've seen an increase in the number of
> dictionary-based attacks. Log fills up with stuff like this:
> Feb 25 20:01:56 horne sshd[2407]: Failed password for root from 61.177.137.170 port 58956 ssh2
> Feb 25 20:02:05 horne sshd[2409]: Failed password for root from 61.177.137.170 port 59007 ssh2
> Feb 25 20:02:11 horne sshd[2411]: Failed password for root from 61.177.137.170 port 59055 ssh2
> Feb 25 20:02:17 horne sshd[2413]: Failed password for root from 61.177.137.170 port 59083 ssh2
> Feb 25 20:02:27 horne sshd[2415]: Failed password for root from 61.177.137.170 port 59115 ssh2
> Feb 25 20:02:35 horne sshd[2417]: Failed password for root from 61.177.137.170 port 59173 ssh2
> Feb 25 20:02:41 horne sshd[2419]: Failed password for root from 61.177.137.170 port 59206 ssh2
> Feb 25 20:02:57 horne sshd[2421]: Failed password for root from 61.177.137.170 port 59246 ssh2
>
> Looks like a systematic attack... 8 attempts, various ports...
> Several per night, from various places.
>
> I've tried email to their providers -- when I can figure out who they are...
> just get automated responses -- basically blown off.
>
> I've taken to harvesting the log for the IP addresses and adding them to my
> firewall rules, just to annoy them, really -- (Hah)
>
> For what it's worth, here's the last 20 or so miscreants that have shown up -
> this is cut from iptables -L
>
> Do I have any other options? Can Comcast block them upstream?
> Do ISPs, in general, care about this sort of thing?
>
> Thanks,
> Steve
>
>
> =======
> Chain EXTERNAL_INPUT (2 references)
> target prot opt source destination
> CHECK_FLAGS tcp -- anywhere anywhere
> DENY_PORTS !icmp -- anywhere anywhere
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://olduvai.blu.org/mailman/listinfo/discuss
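Steve's "harvesting the log for the IP addresses" step, written out as an added example (editor's code, not from either poster): it parses the sshd "Failed password" lines quoted above, flags a source only when it produces a burst of failures inside a short window, and prints DROP rules for Steve's EXTERNAL_INPUT chain. The threshold, window and the 192.0.2.x lines in the sample are constructed assumptions; the first five log lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: five lines copied from Steve's post, then two constructed
# lines (192.0.2.x is a documentation range) to show a non-offender and a
# successful login that must be ignored.
SAMPLE_LOG = """\
Feb 25 20:01:56 horne sshd[2407]: Failed password for root from 61.177.137.170 port 58956 ssh2
Feb 25 20:02:05 horne sshd[2409]: Failed password for root from 61.177.137.170 port 59007 ssh2
Feb 25 20:02:11 horne sshd[2411]: Failed password for root from 61.177.137.170 port 59055 ssh2
Feb 25 20:02:17 horne sshd[2413]: Failed password for root from 61.177.137.170 port 59083 ssh2
Feb 25 20:02:27 horne sshd[2415]: Failed password for root from 61.177.137.170 port 59115 ssh2
Feb 25 20:05:00 horne sshd[2430]: Failed password for root from 192.0.2.10 port 40000 ssh2
Feb 25 20:06:00 horne sshd[2431]: Accepted password for steve from 192.0.2.50 port 40100 ssh2
"""

# Matches the syslog line shape in the post; "invalid user" is the other
# wording sshd uses for the same event when the account does not exist.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

def parse_failures(text, year=2005):
    """Yield (timestamp, user, source) for every failed-password line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def find_bursts(text, threshold=5, window_minutes=10, year=2005):
    """Return {source: total_failures} for sources with at least `threshold`
    failures inside any `window_minutes` span (sliding window per source)."""
    per_src = defaultdict(list)
    for ts, _user, src in parse_failures(text, year):
        per_src[src].append(ts)
    window = timedelta(minutes=window_minutes)
    offenders = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # drop timestamps that fell out of the window
            if end - start + 1 >= threshold:
                offenders[src] = len(times)
                break
    return offenders

def iptables_rules(offenders, chain="EXTERNAL_INPUT"):
    """Render one DROP rule per offending source, in the chain from the post."""
    return [f"iptables -A {chain} -s {src} -j DROP" for src in sorted(offenders)]

if __name__ == "__main__":
    for rule in iptables_rules(find_bursts(SAMPLE_LOG)):
        print(rule)
```

The window keeps a single mistyped password from earning a DROP rule, while the eight-attempts-in-a-minute pattern Steve shows is caught on its fifth line.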