LinuxQuestions.org > Linux - Security
Old 09-20-2004, 07:45 PM   #1
emetib
Member
 
abuse@email.com security warnings


Thanks for taking the time to read this.

I get an email sent to me each day from my server for a system check; the first part of it is the security violations.

This is my question. I notice that I get someone trying to crack into me each day, i.e.:
Sep 19 17:32:23 cerberus sshd[11293]: Failed password for illegal user test from 80.53.45.254 port 32778 ssh2
Sep 19 17:32:25 cerberus sshd[2939]: Illegal user guest from 80.53.45.254
Sep 19 17:32:25 cerberus sshd(pam_unix)[2939]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ft254.internetdsl.tpnet.pl
Sep 19 17:32:27 cerberus sshd[2939]: Failed password for illegal user guest from 80.53.45.254 port 32861 ssh2
Sep 19 17:32:30 cerberus sshd[24054]: Illegal user admin from 80.53.45.254
Sep 19 17:32:30 cerberus sshd(pam_unix)[24054]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ft254.internetdsl.tpnet.pl

Should I send the abuse line an email stating that someone on their network is trying to crack me? Should I put the IP into my hosts.deny? Should I do both, or just let it fly, knowing that my system is doing what it should be doing?

I've run the IP through whois and have the abuse address. When looking at the whois output, they are pretty particular about what they want to see sent to that address. I feel I would be complying with their ideals:
remarks: In case of abuse (intrusion attempts, hacking,
remarks: spamming or other unaccepted behavior) from
remarks: TP S.A. address space, please mail only to:


Any thoughts?

I would think that putting the IP into the hosts.deny would drop the whole class, since it's a broadcast address that I'm seeing.
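Added example, not from the original post or from LinuxQuestions: a script that does the triage the post is asking about on the lines quoted above. It parses the sshd failures, counts them per source address, and for any source over a threshold emits a hosts.deny entry scoped to the sshd daemon and an abuse-report body containing the unedited log lines. The sample log is constructed from the quoted lines (wrapped pam_unix lines re-joined) plus one ordinary mistyped password from the documentation address 192.0.2.7; the year and the server's UTC offset are assumptions passed as parameters, because syslog lines carry neither and an abuse desk cannot match the report against its own records without them.

```python
"""Triage sshd brute-force noise from a daily log digest (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the lines quoted in the post, with the wrapped
# pam_unix lines re-joined, plus one ordinary failed login from a
# documentation address (192.0.2.7) so the threshold has something to ignore.
SAMPLE_LOG = """\
Sep 19 17:32:23 cerberus sshd[11293]: Failed password for illegal user test from 80.53.45.254 port 32778 ssh2
Sep 19 17:32:25 cerberus sshd[2939]: Illegal user guest from 80.53.45.254
Sep 19 17:32:25 cerberus sshd(pam_unix)[2939]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ft254.internetdsl.tpnet.pl
Sep 19 17:32:27 cerberus sshd[2939]: Failed password for illegal user guest from 80.53.45.254 port 32861 ssh2
Sep 19 17:32:30 cerberus sshd[24054]: Illegal user admin from 80.53.45.254
Sep 19 17:32:30 cerberus sshd(pam_unix)[24054]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ft254.internetdsl.tpnet.pl
Sep 19 18:01:02 cerberus sshd[24100]: Failed password for emetib from 192.0.2.7 port 40001 ssh2
"""

# syslog prefix: "Mon dd hh:mm:ss host sshd[pid]: "
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
RE_FAILED = re.compile(_PREFIX + r"Failed password for (?P<illegal>illegal user )?"
                                 r"(?P<user>\S+) from " + _IP + r" port \d+")
RE_ILLEGAL = re.compile(_PREFIX + r"Illegal user (?P<user>\S+) from " + _IP + r"$")


def parse_events(log_text):
    """One event per sshd authentication failure. The sshd(pam_unix) lines
    describe the same attempts and carry only a hostname (rhost=...), so they
    are skipped rather than double-counted."""
    events = []
    for line in log_text.splitlines():
        m = RE_FAILED.match(line) or RE_ILLEGAL.match(line)
        if not m:
            continue
        # RE_ILLEGAL has no "illegal" group: an "Illegal user" line is always one.
        illegal = "illegal" not in m.groupdict() or bool(m["illegal"])
        events.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"],
                       "illegal": illegal, "raw": line})
    return events


def summarize(events):
    """Per source address: attempt count, attempts at non-existent accounts,
    the user names tried and the raw lines (kept for the abuse report)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "illegal": 0,
                                  "users": set(), "lines": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["illegal"] += int(e["illegal"])
        s["users"].add(e["user"])
        s["lines"].append(e["raw"])
    return dict(per_ip)


def offenders(summary, threshold=3):
    """Sources worth acting on: several failures, or repeated probing for
    accounts that do not exist (test/guest/admin), which no real user does."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= threshold or s["illegal"] >= 2)


def hosts_deny_line(ip, daemon="sshd"):
    """hosts.deny entry. Naming the daemon restricts the block to sshd;
    'ALL' would also cover every other libwrap-aware service."""
    return f"{daemon}: {ip}"


def abuse_report(ip, summary, year=2004, utc_offset="-0500"):
    """Body for the abuse mailbox: what, when and the exact lines. syslog
    omits the year and time zone, so both are supplied here; the values are
    assumptions for this example and must come from the logging host."""
    s = summary[ip]
    first, last = s["lines"][0][:15], s["lines"][-1][:15]
    users = ", ".join(sorted(s["users"]))
    head = (f"Subject: SSH brute-force attempts from {ip}\n\n"
            f"Between {first} and {last} {year} (server clock UTC{utc_offset}) "
            f"{ip} made {s['attempts']} failed SSH logins against our host, "
            f"trying the accounts: {users}. Unedited syslog lines follow.\n\n")
    return head + "\n".join(s["lines"]) + "\n"


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for bad_ip in offenders(summary):
        print(hosts_deny_line(bad_ip))
        print(abuse_report(bad_ip, summary))
```

The single mistyped password from 192.0.2.7 stays below the threshold and is neither blocked nor reported; the three non-existent accounts tried from 80.53.45.254 in seven seconds put that source over it on both tests.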
 
Old 09-20-2004, 07:51 PM   #2
micxz
Senior Member
 
http://www.linuxquestions.org/questi...hreadid=215431

Yep, most likely 80.53.45.254 is infected or some kiddie is using this box to scan/test your server.
 
Old 09-20-2004, 09:34 PM   #3
emetib
Member
 
Thanks for the link.

Cheers.
 
Old 09-21-2004, 12:30 PM   #4
XavierP
Moderator
 
Code:
$ host 80.53.45.254
254.45.53.80.in-addr.arpa domain name pointer ft254.internetdsl.tpnet.pl.
$ dig 80.53.45.254

; <<>> DiG 9.2.3 <<>> 80.53.45.254
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30612
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;80.53.45.254.                  IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2004092100 1800 900 604800 86400

;; Query time: 162 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Tue Sep 21 18:30:06 2004
;; MSG SIZE  rcvd: 105
Don't know if it helps, but the above is the result of host (ip address) and dig (ip address). Definitely report them to their and your ISP and try to block that particular ip address from your server.
 
Old 09-21-2004, 01:36 PM   #5
micxz
Senior Member
 
Or you could call, eh?:

Holder's Contact object:
company: TP S.A. - "POLPAK"
street: UL. NOWOGRODZKA 47a
city: 00-695 WARSZAWA
location: PL
handle: nsk80879
phone: +48.225850800
last modified: 2004.01.17
registrar: nask

just kidding
 
Old 09-24-2004, 06:39 PM   #6
emetib
Member
 
I sent the ISP an email, same with another IP that I noticed in my log. I've put them into my fw actions file to deny them from 22. I figure it's not really fair to block a whole broadcast range from using my http site.

Cheers.
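Added example, not part of the thread: a small Python model of hosts_access(5) matching, to show exactly which clients a hosts.deny entry covers. tcp_wrappers reads hosts.allow first, then hosts.deny, first match wins, and a client matching neither file is allowed. An exact address matches one host; a pattern ending in a dot (80.53.45.) is a plain string-prefix match on the address; net/mask covers a network; a pattern starting with a dot matches a hostname suffix. Only services that consult libwrap (sshd built with tcp_wrappers support, or anything started through tcpd) honour these files at all; Apache does not, so a hosts.deny entry can neither block nor break HTTP, while a firewall rule limited to port 22, as done above, applies to sshd however it was built. The rule texts below are constructed; the EXCEPT operator and the optional shell-command field are not modelled.

```python
"""Model of hosts.allow / hosts.deny evaluation as libwrap does it (added example)."""
import ipaddress


def _parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] for a hosts.allow/deny file.
    Format: 'daemon_list : client_list [: shell_command]'. Comments, blank
    lines and the shell-command field are dropped; EXCEPT is not handled."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon_field, _, rest = line.partition(":")
        client_field = rest.split(":", 1)[0]
        daemons = daemon_field.replace(",", " ").split()
        clients = client_field.replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip, hostname):
    """hosts_access(5) client patterns for an IPv4 client."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # name without a dot
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):                 # domain suffix, e.g. .tpnet.pl
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):                   # address prefix, e.g. 80.53.45.
        # libwrap compares strings, so '80.53.4.' would also match 80.53.45.x;
        # use net/mask when you mean a network.
        return ip.startswith(pattern)
    if "/" in pattern:                          # net/mask, e.g. 80.53.45.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or (hostname is not None and pattern.lower() == hostname.lower())


def _first_match(rules, daemon, ip, hostname):
    for daemons, clients in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(_client_matches(c, ip, hostname) for c in clients):
            return True
    return False


def access_allowed(allow_text, deny_text, daemon, ip, hostname=None):
    """hosts.allow first (a match grants), then hosts.deny (a match refuses),
    otherwise the connection is permitted. 'daemon' is the process name the
    service reports to libwrap, e.g. 'sshd'."""
    if _first_match(_parse_rules(allow_text), daemon, ip, hostname):
        return True
    if _first_match(_parse_rules(deny_text), daemon, ip, hostname):
        return False
    return True


# Constructed hosts.deny contents built around the address from the thread.
DENY_SINGLE = "sshd: 80.53.45.254\n"
DENY_PREFIX = "sshd: 80.53.45.\n"
DENY_NETMASK = "ALL: 80.53.45.0/255.255.255.0\n"
DENY_DOMAIN = "sshd: .tpnet.pl\n"

if __name__ == "__main__":
    cases = [
        ("single entry, offender",      DENY_SINGLE,  "sshd",    "80.53.45.254", None),
        ("single entry, neighbour",     DENY_SINGLE,  "sshd",    "80.53.45.1",   None),
        ("single entry, other daemon",  DENY_SINGLE,  "in.ftpd", "80.53.45.254", None),
        ("prefix entry, neighbour",     DENY_PREFIX,  "sshd",    "80.53.45.1",   None),
        ("net/mask entry, any daemon",  DENY_NETMASK, "in.ftpd", "80.53.45.77",  None),
        ("domain entry, resolved name", DENY_DOMAIN,  "sshd",    "80.53.45.254", "ft254.internetdsl.tpnet.pl"),
    ]
    for label, deny, daemon, ip, host in cases:
        verdict = "allow" if access_allowed("", deny, daemon, ip, host) else "deny"
        print(f"{label:32s} {daemon:8s} {ip:14s} -> {verdict}")
```

The exact-address entry refuses only 80.53.45.254 and only for sshd; the trailing-dot and net/mask forms are what actually cover the /24, and a hosts.allow line for the same client wins over any hosts.deny match.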
 
  

