I was just wanting to post this ip that's increasingly attempting to login to my system.


Failed logins from these:
adm/password from 68.251.82.222: 2 time(s)
apache/password from 68.251.82.222: 1 time(s)
mysql/password from 68.251.82.222: 1 time(s)
nobody/password from 68.251.82.222: 1 time(s)
operator/password from 68.251.82.222: 1 time(s)
root/password from 68.251.82.222: 59 time(s)

**Unmatched Entries**
Received disconnect from 68.251.82.222: 11: Bye Bye
input_userauth_request: illegal user patrick
Failed password for illegal user patrick from 68.251.82.222 port 47268 ssh2
Received disconnect from 68.251.82.222: 11: Bye Bye
input_userauth_request: illegal user patrick
Failed password for illegal user patrick from 68.251.82.222 port 47769 ssh2
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye
Received disconnect from 68.251.82.222: 11: Bye Bye



The complete list for today is a few feet long, but you get the idea.

Anyone else seeing this same IP in their logs?

david@zeus:~> whois 68.251.82.222
Ameritech Electronic Commerce SBCIS-AMER-100902 (NET-68-248-0-0-1)
68.248.0.0 - 68.255.255.255

If this is happening via your ssh server, you can do a few things:
1. Don't use ssh!
2. Block them with the /etc/hosts.allow and /etc/hosts.deny config files
3. Block EVERYONE and only specify certain IP address allowed to connect to which services.

Here are some examples: (hosts.deny)
I'm going to assume that the ranged I specified is for all computers for that one host, but you can just do this in hosts.deny:
Note: these files only affect those services invoked via inetd (and tcp_wrappers), or that have support for tcp_wrappers built-in. There are also other files, one being /etc/hosts_options.

Let me know if you have any luck!

I haven't seen that actual IP but I do see an increase in the number of ssh attempts even on my own servers.. lots ol fun!

Where is the log file that logs connections such as these? I would like to learn how to check such events.

Usually just in /var/log/messages

i think i noticed on another thread a couple of days ago that alot of us were getting the same type of blocked attempts on ssh. it would appear to be some sort of script-kiddie with a brute force dictionary attack on ssh. i have noticed many of the same messages (from a different ip) in my logs.

perhaps block all further attempts from an ip after X failed logins through ssh?

Since I know the IPs of the computers from which I want to use SSH, I just block all IPs for every service (by adding "all:all" in my hosts.deny file), and selectively allow the IPs that I needed for certain services. That's always seemed the safest thing to do. Before I did this, I got ssh attempts like that all the time. They were never successful, which, once I learned of them, I was surprised, because I stupidly used a proper noun for my root password. I was lucky. (I have, of course, since changed my root password to something obscure that only my family members would be able to guess, and it would be difficult for them)

I use dialup a lot when I'm on the road. I guess I could start blocking the ip's that are trying to get in but I really don't think they are going to get in this lifetime.

Unless maybe there is some new way to decipher a pattern or something.

The funny thing is they are trying to log in as root and some other invalid usernames but not any valid ssh usernames yet.

It is somewhat amusing to watch them try. I was thinking about sending them a message like this...


ssh StopTryingToGetIntoMySystemBoneHead@68.251.82.222

Today there is a different ip with the same thing so I guess they are on some dialup or dsl that they can change easily.


jdruln

I have a program called LogWatch that emails me daily with anything odd that it finds in my logs.

Haha that's an interesting way to send a message...

This LogWatch.. http://freshmeat.net/projects/logwatch/ is that what you're referring to?

If it's a word there's still the chance a simple dictionary search will find it so it's best to use random passwords.
Look into apg for example. It generates random passwords but also pronounceable random passwords you can easily memorize.

Arjan

Oh man that's awesome. I've been looking for one of those

i've gotten a bunch of these also. i have a cron job that sends them to me. i have sent out emails to the isp's of the addresses. from the ten-fifteen that i've sent i have received 4 replies, 3 of them static replies "thanks, we'll check into it." and one actually saying that they will take a look at the ip and narrow it down to whom is doing it.

something else, if you're going to send emails with part of your message, make sure that you put it in the body of the message and not as an attachment. just like most of us, we don't want to have to scan our emails before opening them up.

what i've done is to just put the addresses in my /etc/hosts.deny and then drop the whole block of addresses from access. yes i could just allow only the one's that i know, but i'm also hosting someone who comes from a dhcp enviroment, dial-up, so i would be blocking him also.

isn't it fun having your own servers to take care of

Scan? For what?

I believe most - if not all - of these attempts (yes, I've got them too) come from already compromised machines. It would have to be a real newbie script kiddie to try brute force entry on entire subnets from their own machines.

I've been tempted to set up a honey pot after weeks of logwatch mails choke full with warning messages from ssh.


Håkan

make sure that you have enough ram to run that vmware. a honeypot would be fun to play with.

one thing though. what it seems like is there using passwds that are the user name. so a basic script like that wouldn't be that hard to make. if they're trying a brute force attack you would see multiple root-denied in those logs. not just root, admin, user, .....

so if you have your machines set up with good passwds, and then make it so that you can't log into them without keys, then i wouldn't worry to much about it.

for me, you can't get into my machines unless you have a key. no plain test passwds are allowed. they're real easy to generate so i don't understand why more people don't use them. oh, and if you have a laptop, don't keep your key there. keep it on one of the keychain fobs that people have now. your less likely to loose that at the same time that you have your laptop stolen/compromised.

cheers.