From owner-freebsd-questions@FreeBSD.ORG Wed Aug 24 13:27:12 2005
From: nawcom <nawcom@nawcom.no-ip.com>
To: Pat Maddox, freebsd-questions@freebsd.org
Date: Wed, 24 Aug 2005 09:27:24 -0400
Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
Message-ID: <430C75BC.4030704@nawcom.no-ip.com>
In-Reply-To: <810a540e0508232127737d91fb@mail.gmail.com>
References: <20050824042234.12260.qmail@web34103.mail.mud.yahoo.com> <810a540e0508232127737d91fb@mail.gmail.com>
List-Id: User questions

I usually run a swatch script to monitor SSH login attempts and deny them via ipfw. Most of them are addresses from people running Linux trying to brute-force their way in; the list can get pretty long. Also, what's most funny is that a lot of those people try Windows server exploits on me.... damn script kiddies....

-Ben

Pat Maddox wrote:
> It's not that big of a deal... they didn't get in or anything. If
> you've got a server that's always connected to the internet, you'll
> see people trying to break in all the time. The more popular your
> server, the more frequent the attempts. This is just someone trying
> to log in via SSH, so as long as you have good passwords on all your
> accounts, and disable remote root login, you're fine.
>
> You may consider denying access after X failed login attempts.
>
>
> On 8/23/05, ro ro wrote:
>
>> Hi All,
>>
>> I was browsing through my log files and noticed that
>> someone (or many people) is trying to gain illegal
>> access to my server (see snippet from log files
>> below).
>>
>> The log file below clearly indicates someone trying to
>> hack away at my personal server.
>>
>> I performed the following steps:
>>
>> nmap -v 210.0.142.153
>>
>> and noticed that this person/institution had ports 80
>> and 21 open.
>>
>> I visited their website and it appears to be someone
>> from Hong Kong.
>> http://www.chkpcc.edu.hk/
>>
>> HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON
>> THEIR WEBSITE
>> -------------------------------------------------------------
>> Confucian Ho Kwok Pui Chun College
>> Address: Fu Shin Est., Taipo, N.T., HKSAR
>> Tel: 852-2666-5926
>> Fax: 852-2660-7988
>> E-mail: info@chkpcc.edu.hk
>> -------------------------------------------------------------
>>
>>
>> When I saw the logs for the first time, I took the
>> following steps:
>> 1) AllowUsers in sshd contained only the users that I
>> wanted to have access to my ssh
>> 2) Created a decent ruleset within ipfw that permitted
>> incoming access to only two ports, ssh and http
>>
>> I took the issue of creating a good firewall quite
>> lightly and now I regret that decision.. now I have
>> learnt... Can someone provide me with guidance on this
>> issue and advise me on next steps to take action
>> against such losers.
>>
>> Thanks
>> RV
>>
>> Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
>> Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
>> Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
>> Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
>> Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
>> Aug 23 08:19:15 free sshd[22529]: Illegal user admin from 210.0.142.153
>> Aug 23 08:19:17 free sshd[22531]: Illegal user admin from 210.0.142.153
>> Aug 23 08:19:19 free sshd[22533]: Illegal user admin from 210.0.142.153
>> Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
>> Aug 23 08:19:24 free sshd[22537]: User root not allowed because not listed in AllowUsers
>> Aug 23 08:19:27 free sshd[22539]: User root not allowed because not listed in AllowUsers
>> Aug 23 08:19:29 free sshd[22541]: User root not allowed because not listed in AllowUsers
>> Aug 23 08:19:33 free sshd[22543]: User root not allowed because not listed in AllowUsers
>> Aug 23 08:19:35 free sshd[22545]: User root not allowed because not listed in AllowUsers
>> Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
>> Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 210.0.142.153
>> Aug 23 08:19:42 free sshd[22551]: Illegal user electra from 210.0.142.153
>> Aug 23 08:19:44 free sshd[22553]: Illegal user student from 210.0.142.153
>> Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
>> Aug 23 08:19:49 free sshd[22557]: User mysql not allowed because not listed in AllowUsers
>>
>>
>> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
>> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
>> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
>> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
>> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
>> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
>>
>> Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
>> Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
>> Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
>> Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
>> Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
>> Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
>> Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
>> Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
>> Aug 14 10:47:58 free sshd[33631]: Illegal user andres from 64.222.146.197
>> Aug 14 10:47:59 free sshd[33633]: Illegal user barbara from 64.222.146.197
>> Aug 14 10:48:01 free sshd[33635]: Illegal user adine from 64.222.146.197
>> Aug 14 10:48:02 free sshd[33637]: Illegal user test from 64.222.146.197
>> Aug 14 10:48:04 free sshd[33639]: Illegal user guest from 64.222.146.197
>> Aug 14 10:48:07 free sshd[33641]: Illegal user db from 64.222.146.197
>>
>> Aug 23 08:18:40 free sshd[22499]: Illegal user demo from 210.0.142.153
>> Aug 23 08:18:43 free sshd[22501]: Illegal user postgres from 210.0.142.153
>> Aug 23 08:18:45 free sshd[22503]: Illegal user postmaster from 210.0.142.153
>> Aug 23 08:18:47 free sshd[22505]: Illegal user postgres from 210.0.142.153
>> Aug 23 08:18:49 free sshd[22507]: Illegal user postgres from 210.0.142.153
>> Aug 23 08:18:52 free sshd[22509]: Illegal user ftp from 210.0.142.153
>> Aug 23 08:18:54 free sshd[22511]: User news not allowed because not listed in AllowUsers
>> Aug 23 08:18:56 free sshd[22513]: Illegal user demo from 210.0.142.153
>> Aug 23 08:18:58 free sshd[22515]: Illegal user demouser from 210.0.142.153
>> Aug 23 08:19:01 free sshd[22517]: User sshd not allowed because not listed in AllowUsers
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
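The approach the thread converges on (Ben's swatch-plus-ipfw setup and Pat's "deny after X failed attempts") as a batch script over the sshd log, added here as an illustration; it is not code from the thread, from swatch, or from FreeBSD. It assumes the two sshd message shapes visible in the quoted log, a threshold of three failures per source address, and that the resulting `ipfw add N deny ip from ADDR to any` commands are printed for an administrator to review rather than executed. The sample log is constructed from lines quoted in the thread plus one invented successful-login line. One caveat the quoted log makes visible: in this sshd version the "not listed in AllowUsers" rejections carry no source address, so they cannot feed a per-address block and are counted separately.

```python
"""Count failed SSH logins per source address and render ipfw deny rules.

Added example, not from the thread.  Assumptions: OpenSSH/syslog message
shapes as in the quoted log, threshold of 3, commands printed for review.
"""
import re
from collections import Counter, defaultdict

# Two message shapes appear in the quoted log.  Only the first carries the
# source address, so only it can feed a per-address threshold.
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: Illegal user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
NOT_IN_ALLOWUSERS = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) not allowed because not listed in AllowUsers$"
)

# Constructed sample: lines copied from the thread's excerpt, plus one invented
# "Accepted publickey" line (192.0.2.10 is a documentation address) to show
# that successful logins are ignored by the counters.
SAMPLE_LOG = """\
Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
Aug 23 08:20:01 free sshd[22560]: Accepted publickey for rv from 192.0.2.10 port 40000 ssh2
"""


def parse_line(line):
    """Return ('illegal', user, ip), ('allowusers', user, None) or None."""
    m = ILLEGAL_USER.search(line)
    if m:
        return "illegal", m.group("user"), m.group("ip")
    m = NOT_IN_ALLOWUSERS.search(line)
    if m:
        return "allowusers", m.group("user"), None
    return None


def summarize(lines):
    """Count failed attempts per source address and collect usernames tried.

    Returns (per_ip_counts, per_ip_users, unattributed); `unattributed` is the
    number of AllowUsers rejections that carried no address in this sshd
    version and therefore cannot be blocked by source."""
    counts = Counter()
    users = defaultdict(set)
    unattributed = 0
    for line in lines:
        parsed = parse_line(line.rstrip("\n"))
        if parsed is None:
            continue
        kind, user, ip = parsed
        if kind == "illegal":
            counts[ip] += 1
            users[ip].add(user)
        else:
            unattributed += 1
    return counts, users, unattributed


def offenders(lines, threshold=3):
    """Addresses with at least `threshold` failures, most active first."""
    counts, _, _ = summarize(lines)
    hits = [ip for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda ip: (-counts[ip], ip))


def ipfw_deny_commands(ips, first_rule=100):
    """One ipfw deny rule per address.  Rule numbers ascend from first_rule;
    the assumption is that the ruleset's permit rules use higher numbers, so
    these are evaluated first (ipfw walks rules in ascending number order)."""
    return [
        "ipfw add %d deny ip from %s to any" % (first_rule + i, ip)
        for i, ip in enumerate(ips)
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts, users, unattributed = summarize(lines)
    for ip, n in counts.most_common():
        print("%-16s %2d attempts, users tried: %s"
              % (ip, n, ", ".join(sorted(users[ip]))))
    print("AllowUsers rejections without a source address:", unattributed)
    for cmd in ipfw_deny_commands(offenders(lines)):
        print(cmd)
```

`summarize` accepts any iterable of lines, so pointing it at an open `/var/log/auth.log` instead of `SAMPLE_LOG` works unchanged; swatch does the same matching continuously as lines arrive, which this batch version does not attempt. The per-address username sets are kept because a long run of distinct account names from one address is the signature of a wordlist attempt rather than a mistyped login.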