Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Ok, so someone tried hacking my box... below is a small, and I mean VERY small, portion of his attempts... probably less than 1% of the total number of usernames the person used. The usernames went all the way up to 'zeus', but he/she never got in.
Well, is there anything that can be done? Whois the IP and send an email to the ISP???
thx!
Apr 17 18:38:23 localhost sshd[4323]: Invalid user anonymous from ::ffff:219.25.236.163
Apr 17 18:38:26 localhost sshd[4323]: Failed password for invalid user anonymous from ::ffff:219.25.236.163 port 47679 ssh2
Apr 17 18:38:27 localhost sshd[4326]: Invalid user passwd from ::ffff:219.25.236.163
Apr 17 18:38:30 localhost sshd[4326]: Failed password for invalid user passwd from ::ffff:219.25.236.163 port 47762 ssh2
Apr 17 18:38:32 localhost sshd[4329]: Invalid user chuck from ::ffff:219.25.236.163
Apr 17 18:38:34 localhost sshd[4329]: Failed password for invalid user chuck from ::ffff:219.25.236.163 port 47839 ssh2
Apr 17 18:38:36 localhost sshd[4332]: Invalid user darkman from ::ffff:219.25.236.163
Apr 17 18:38:38 localhost sshd[4332]: Failed password for invalid user darkman from ::ffff:219.25.236.163 port 48328 ssh2
Apr 17 18:38:40 localhost sshd[4335]: Invalid user hostmaster from ::ffff:219.25.236.163
Apr 17 18:38:42 localhost sshd[4335]: Failed password for invalid user hostmaster from ::ffff:219.25.236.163 port 48816 ssh2
Apr 17 18:38:44 localhost sshd[4338]: Invalid user jeffrey from ::ffff:219.25.236.163
Apr 17 18:38:46 localhost sshd[4338]: Failed password for invalid user jeffrey from ::ffff:219.25.236.163 port 49289 ssh2
Apr 17 18:38:48 localhost sshd[4341]: Invalid user loverd from ::ffff:219.25.236.163
Apr 17 18:38:50 localhost sshd[4341]: Failed password for invalid user loverd from ::ffff:219.25.236.163 port 49362 ssh2
There is a large thread at the top of this forum discussing this issue and measures you can take to prevent these attacks. In most cases they originate from machines that were cracked using the very same attack, so I usually recommend doing a whois and sending a polite email to the abuse@ISP address. Make sure to include any relevant log portions with the offending IP and timestamps.
That is exactly what I did, but I wasn't sure if there was anything else. They never actually got in, but just attempted. I think I might post a list of all the user names he used so people know what NOT to choose as user names for their accounts... one of them comes to mind that is probably common: webadmin. I imagine once the script locates a user name it runs a subroutine of multiple passwords, but dunno for sure, so choosing the username is equally as important as choosing a good password.
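The two things asked for above, an abuse report with the offending IP, timestamps and the relevant log portions, and a list of the usernames the script tried, can both be produced from the same pass over the sshd log. The following script is an added example written for this thread; it is not code from any poster. It parses `Failed password` lines (the `Invalid user` lines that precede them are redundant for counting), strips the `::ffff:` prefix sshd puts on IPv4 peers of an IPv6 socket, groups attempts per source address, and drops sources under a threshold so a single mistyped password does not become a report. The sample log is constructed from the lines quoted in the thread plus two made-up sources using documentation addresses; the threshold, the timezone label and the report layout are my own choices.

```python
import re

# Constructed sample input: the sshd lines quoted in the thread (a subset)
# plus two made-up sources (RFC 5737 documentation addresses) so that the
# threshold and grouping behaviour is visible. Not real attacker data.
SAMPLE_LOG = """\
Apr 17 18:38:23 localhost sshd[4323]: Invalid user anonymous from ::ffff:219.25.236.163
Apr 17 18:38:26 localhost sshd[4323]: Failed password for invalid user anonymous from ::ffff:219.25.236.163 port 47679 ssh2
Apr 17 18:38:27 localhost sshd[4326]: Invalid user passwd from ::ffff:219.25.236.163
Apr 17 18:38:30 localhost sshd[4326]: Failed password for invalid user passwd from ::ffff:219.25.236.163 port 47762 ssh2
Apr 17 18:38:32 localhost sshd[4329]: Invalid user chuck from ::ffff:219.25.236.163
Apr 17 18:38:34 localhost sshd[4329]: Failed password for invalid user chuck from ::ffff:219.25.236.163 port 47839 ssh2
Apr 17 18:38:40 localhost sshd[4335]: Invalid user hostmaster from ::ffff:219.25.236.163
Apr 17 18:38:42 localhost sshd[4335]: Failed password for invalid user hostmaster from ::ffff:219.25.236.163 port 48816 ssh2
Apr 17 19:02:11 localhost sshd[4410]: Failed password for root from 192.0.2.44 port 51022 ssh2
Apr 17 19:02:15 localhost sshd[4410]: Failed password for root from 192.0.2.44 port 51022 ssh2
Apr 17 19:05:00 localhost sshd[4420]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
"""

# Matches sshd's "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def normalize_ip(ip):
    """sshd bound to an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def summarize_failed_logins(log_text, min_attempts=3):
    """Group failed password attempts by source address.

    Returns {ip: {"attempts", "users", "first", "last", "lines"}} for every
    source with at least min_attempts failures. Timestamps are kept as the
    raw syslog strings because the log carries no year or timezone.
    """
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Invalid user", "Accepted ..." and unrelated lines
        ip = normalize_ip(m.group("ip"))
        rec = per_ip.setdefault(ip, {
            "attempts": 0, "users": [], "first": m.group("ts"),
            "last": m.group("ts"), "lines": [],
        })
        rec["attempts"] += 1
        if m.group("user") not in rec["users"]:
            rec["users"].append(m.group("user"))
        rec["last"] = m.group("ts")  # file order is chronological
        rec["lines"].append(line)
    return {ip: r for ip, r in per_ip.items() if r["attempts"] >= min_attempts}


def usernames_tried(summary):
    """Sorted, de-duplicated list of every account name the attackers tried."""
    return sorted({u for r in summary.values() for u in r["users"]})


def abuse_report(ip, rec, tz_label):
    """Plain-text excerpt for an abuse@ mail: address, time window, attempt
    count and the verbatim log lines. tz_label is stated explicitly because
    syslog timestamps carry no zone and the ISP cannot correlate without it."""
    header = (
        f"Source: {ip}\n"
        f"Window: {rec['first']} to {rec['last']} ({tz_label})\n"
        f"Failed SSH logins: {rec['attempts']} "
        f"({len(rec['users'])} distinct usernames)\n"
        "Log excerpt:\n"
    )
    return header + "\n".join("  " + l for l in rec["lines"]) + "\n"


if __name__ == "__main__":
    summary = summarize_failed_logins(SAMPLE_LOG)
    for ip, rec in summary.items():
        print(abuse_report(ip, rec, "server local time, assumed UTC"))
    print("usernames tried:", ", ".join(usernames_tried(summary)))
```

Run it against `/var/log/auth.log` (or `/var/log/secure`) by reading the file into `summarize_failed_logins` instead of `SAMPLE_LOG`. With the default threshold the two-attempt source is dropped and only the 219.25.236.163 run is reported; lower `min_attempts` to 1 to see everything. The `Accepted publickey` line is ignored by design, but if such a line ever appears with an address that is also in the failed list, that is the moment to stop writing reports and start treating the box as compromised.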
When I started to see a lot of these brute force attacks really pick up about 6 months ago, I started to politely email abuse@---, although to date I never got a response back from anyone, which sort of annoyed me. I mean, I would appreciate someone reporting weird behavior from my end. Anyway, once I tried to telnet to a box that had tried for about 20 minutes to ssh me, and lo and behold telnet was running (on what was reported as a Debian machine in France). Didn't know if the original user left telnet on and used it (which might have led to his compromise) or this was a backdoor for the cracker to get back in and do more exploits.
I saw some code a while back that supposedly was what some people were running to do these attacks. Some of the username/password combos in the code were ridiculous: username: james, password: test123
But then again, I am sure there are lazy admins/users out there...