Date: Thu, 28 Oct 2004 15:38:23 -0500
From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To: Vulpes Velox <vvelox@vvelox.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Hacker activity?
Message-ID: <418158BF.2060202@daleco.biz>
In-Reply-To: <20041028133250.77c30503@vixen42.24-119-122-191.cpe.cableone.net>
References: <6.0.3.0.2.20041028102537.04be6ec0@nano.net> <20041028133250.77c30503@vixen42.24-119-122-191.cpe.cableone.net>
Vulpes Velox wrote:
> On Thu, 28 Oct 2004 10:39:32 -0600
> Steve Suhre <steve@Antero.com> wrote:
>
>> I'm not sure if this is the correct group... but I'm getting some weird activity on the network. The security reports will show 50-100 attempts to login to a server, most as root but some are attempts to login to other seemingly random account names. The login attempts are through ssh or telnet, all come from the same remote server, and all fail. I'm also getting some odd cgi calls to a script on a secure ssl server. There's nothing that this particular script could do for a hacker, but the script is sent a random string, sometimes many times a minute, other times it's every 2-3 minutes. I grabbed the ip address and blocked it, and about 10 minutes later it had moved to another ip. I'm now blocking a range of ip's. These don't seem like enough iterations to be very successful, the odds are overwhelmingly in favor of the server at this rate... Does anyone have a clue what might be happening or where I should go to find out?
>
> If it is all from a common subnet, I would block it. I would then whois to see whether there is an abuse addy I could complain to or the like.
>
> Also, man login.conf.
>
> Sounds like some jerk singled you out, or is possibly trying it all on a subnet. Back before moving stuff off common ports, I would get massive amounts of that crap. It was basically people trying anything in the college's address space.
Since you didn't show a log, Steve, I'm wondering if it looks something like this:

auth.log:Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2
auth.log:Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2
auth.log:Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2
auth.log:Oct 11 00:23:36 foobox sshd[44548]: Failed password for root from 61.100.12.92 port 35270 ssh2
auth.log:Oct 11 00:23:39 foobox sshd[44550]: Failed password for root from 61.100.12.92 port 35309 ssh2
auth.log:Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173
auth.log:Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173
auth.log:Oct 12 01:50:17 foobox sshd[46235]: Illegal user admin from 203.212.4.173
auth.log:Oct 12 01:50:19 foobox sshd[46237]: Illegal user admin from 203.212.4.173
auth.log:Oct 12 01:50:22 foobox sshd[46239]: Illegal user user from 203.212.4.173
auth.log:Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2
auth.log:Oct 12 01:50:27 foobox sshd[46243]: Failed password for root from 203.212.4.173 port 55696 ssh2
auth.log:Oct 12 01:50:29 foobox sshd[46245]: Failed password for root from 203.212.4.173 port 55734 ssh2
auth.log:Oct 12 01:50:32 foobox sshd[46247]: Illegal user test from 203.212.4.173

I think this has been discussed at some length on security@. Automated scripts from compromised machines are banging away at whatever addresses they can find a telnet or ssh port open on, looking for people who use "foo" or "candy" as their passwords....

For starters, use good passwords if you use passwords at all. Probably you should be using key-based authentication, or something beefy like that (I know nothing of Kerberos, for example, but it might be a possibility... <?>).

You can certainly set some things in your sshd_config (AllowUsers and AllowGroups have been discussed), and there is that note in /etc/hosts.allow: "wrapping sshd isn't a good idea...", but I do it on all my boxes except one. I'm usually on a known subnet, there are no other administrators or remote users, and in the rare instance when I'm on a box with a "not allowed" address, I connect to my other boxes through the one...

I guess the next step, then, would be scripting something to parse and delete this crap from the logs...

Kevin Kinsey
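Kevin's closing idea of scripting something to parse the failed-login noise, together with his advice to restrict sshd (AllowUsers, key-based auth), can be turned into a small sh/awk triage script of the kind a FreeBSD admin would drop in cron. What follows is an added example, not code from this thread or from FreeBSD. The log excerpt is constructed to match the sshd format shown above, the threshold of 3 hits and the pf table name sshbrute are assumptions, and the config audit treats a keyword missing from sshd_config as the permissive OpenSSH default of that era (PermitRootLogin and PasswordAuthentication defaulting to yes), which is also an assumption about the version in use.

```shell
#!/bin/sh
# Added example (not from the thread): count sshd brute-force hits per source
# address in auth.log and audit sshd_config for the hardening the thread
# recommends. Portable to BSD awk and /bin/sh.

# Constructed sample auth.log excerpt in the same format as the message above.
SAMPLE_LOG="$(cat <<'EOF'
Oct 11 00:23:29 foobox sshd[44542]: Failed password for root from 61.100.12.92 port 35161 ssh2
Oct 11 00:23:31 foobox sshd[44544]: Failed password for root from 61.100.12.92 port 35193 ssh2
Oct 11 00:23:34 foobox sshd[44546]: Failed password for root from 61.100.12.92 port 35228 ssh2
Oct 12 01:50:12 foobox sshd[46231]: Illegal user test from 203.212.4.173
Oct 12 01:50:15 foobox sshd[46233]: Illegal user guest from 203.212.4.173
Oct 12 01:50:24 foobox sshd[46241]: Failed password for root from 203.212.4.173 port 55657 ssh2
Oct 12 01:50:27 foobox sshd[46243]: Failed password for root from 203.212.4.173 port 55696 ssh2
Oct 12 02:10:01 foobox sshd[46300]: Failed password for kdk from 192.0.2.10 port 40000 ssh2
Oct 12 02:10:05 foobox sshd[46302]: Accepted publickey for kdk from 192.0.2.10 port 40001 ssh2
EOF
)"

# ssh_offenders THRESHOLD: read an auth.log on stdin and print "count ip",
# highest first, for every source whose "Failed password" plus "Illegal user"
# lines reach THRESHOLD. Accepted logins are deliberately not counted.
ssh_offenders() {
    awk -v th="$1" '
        /sshd\[[0-9]+\]: (Failed password for|Illegal user) .* from / {
            # the token after "from" is the peer address in both message forms
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= th) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# sshd_config_audit: read an sshd_config on stdin and print one "WEAK: ..."
# line per missing hardening, or "OK". A missing keyword is treated as the
# permissive default (assumption about the OpenSSH defaults of the time).
# ChallengeResponseAuthentication is checked too: with PAM on FreeBSD,
# keyboard-interactive will still take a password if it is left on.
sshd_config_audit() {
    awk '
        { sub(/#.*/, ""); if (NF < 2) next; seen[tolower($1)] = tolower($2) }
        END {
            bad = 0
            if (!("permitrootlogin" in seen) || seen["permitrootlogin"] != "no")
                { print "WEAK: PermitRootLogin should be no"; bad++ }
            if (!("passwordauthentication" in seen) || seen["passwordauthentication"] != "no")
                { print "WEAK: PasswordAuthentication should be no (use keys)"; bad++ }
            if (!("challengeresponseauthentication" in seen) || seen["challengeresponseauthentication"] != "no")
                { print "WEAK: ChallengeResponseAuthentication should be no"; bad++ }
            if (!("allowusers" in seen) && !("allowgroups" in seen))
                { print "WEAK: no AllowUsers/AllowGroups restriction"; bad++ }
            if (bad == 0) print "OK"
        }
    '
}

# Demo when run directly: offenders at the assumed threshold of 3, then an
# audit of a constructed weak config.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 3
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' | sshd_config_audit
```

On real data, run `ssh_offenders 3 < /var/log/auth.log`; the second column can be fed straight into a firewall table (for example `pfctl -t sshbrute -T add` with the assumed table name, or an equivalent ipfw deny rule). The count has no time window, so on a long-lived log it will also surface your own mistyped passwords; the 192.0.2.10 entry in the sample is there to show that a single failure followed by a key login stays below the threshold.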