LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-25-2004, 10:09 PM   #31
micxz
Distribution: openSuSE, Cent OS, Slackware
All my web servers, personal servers, and everyone I know at home are getting hit with these attempts. These scans have been happening for months now. I'm almost willing to bet that anyone who runs ssh and runs `cat /var/log/messages | grep test` will see many attempts from different IPs.

I suggest we all use key logins only and even run ssh on an alternate port if possible. Adding them to hosts.deny or blocking them via iptables in real time is even better.
 
Old 09-26-2004, 12:42 AM   #32
Capt_Caveman
Distribution: Fedora
Original Poster
Quote:
Originally posted by DrNeil
Lol, there you try to minimise thread numbers and it's wrong again.
I asked you once nicely not to spam the stickied threads. They are for informational purposes and filling them with random comments results in people not reading them and potentially missing important information, which I don't appreciate. If you feel the need to discuss this further, mail me off the list.
 
Old 09-27-2004, 11:33 AM   #33
TruckStuff
Geesh... I had one guy "scan" our servers over six THOUSAND times this weekend. What a PITA. I sent a complaint to his hosting company's abuse department... who knows if anything will come of it.
 
Old 09-27-2004, 03:11 PM   #34
micxz
Distribution: openSuSE, Cent OS, Slackware
I've had good responses from network abuse teams working for different ISPs. Some even write back and thank you.
 
Old 09-28-2004, 02:56 AM   #35
dannyk1
Distribution: Gentoo, Ubuntu, and sometimes something from billy gates (when I'm desperate)
I'm used to cleaning out spam from my email, but this shit is starting to get out of hand.

Looks like the code has been updated to throw more passwords at a server.

Look at how many hits I got from one idiot in one attack:

failed logins from these:
Administrator/password from 216.189.163.85: 1 Time(s)
accounting/password from 216.189.163.85: 1 Time(s)
adm/password from 216.189.163.85: 1 Time(s)
admin/password from 216.189.163.85: 4 Time(s)
administrator/password from 216.189.163.85: 1 Time(s)
anon/password from 216.189.163.85: 1 Time(s)
apache/password from 216.189.163.85: 1 Time(s)
boss/password from 216.189.163.85: 1 Time(s)
checkfs/password from 216.189.163.85: 1 Time(s)
cisco/password from 216.189.163.85: 6 Time(s)
client/password from 216.189.163.85: 1 Time(s)
cvs/password from 216.189.163.85: 1 Time(s)
debug/password from 216.189.163.85: 1 Time(s)
dni/password from 216.189.163.85: 1 Time(s)
echo/password from 216.189.163.85: 1 Time(s)
fal/password from 216.189.163.85: 1 Time(s)
fax/password from 216.189.163.85: 1 Time(s)
ftp/password from 216.189.163.85: 1 Time(s)
games/password from 216.189.163.85: 1 Time(s)
gnats/password from 216.189.163.85: 1 Time(s)
gopher/password from 216.189.163.85: 1 Time(s)
guest/password from 216.189.163.85: 1 Time(s)
intel/password from 216.189.163.85: 1 Time(s)
kermit/password from 216.189.163.85: 1 Time(s)
login/password from 216.189.163.85: 1 Time(s)
lp/password from 216.189.163.85: 1 Time(s)
lynx/password from 216.189.163.85: 1 Time(s)
mail/password from 216.189.163.85: 1 Time(s)
man/password from 216.189.163.85: 1 Time(s)
manager/password from 216.189.163.85: 1 Time(s)
master/password from 216.189.163.85: 1 Time(s)
monitor/password from 216.189.163.85: 1 Time(s)
mysql/password from 216.189.163.85: 1 Time(s)
netscreen/password from 216.189.163.85: 1 Time(s)
news/password from 216.189.163.85: 1 Time(s)
nobody/password from 216.189.163.85: 1 Time(s)
operator/password from 216.189.163.85: 2 Time(s)
oracle/password from 216.189.163.85: 1 Time(s)
postgres/password from 216.189.163.85: 1 Time(s)
postmaster/password from 216.189.163.85: 1 Time(s)
qsvr/password from 216.189.163.85: 1 Time(s)
root/password from 216.189.163.85: 8 Time(s)
security/password from 216.189.163.85: 1 Time(s)
sync/password from 216.189.163.85: 1 Time(s)
sys/password from 216.189.163.85: 1 Time(s)
sysadmin/password from 216.189.163.85: 2 Time(s)
sysop/password from 216.189.163.85: 1 Time(s)
tech/password from 216.189.163.85: 1 Time(s)
test/password from 216.189.163.85: 6 Time(s)
user/password from 216.189.163.85: 1 Time(s)
uucp/password from 216.189.163.85: 1 Time(s)
www/password from 216.189.163.85: 1 Time(s)
 
Old 09-28-2004, 07:19 AM   #36
craig34
Distribution: FreeBSD
Blocking these IPs

I've been using my hosts.allow file to prevent some of the IPs from which I notice many attempts. Today my security email has informed me that a range of IPs, all starting with 207.158.8, have made many attempts. I'd like to block the entire range, which seems to go from 207.158.8.236 to 207.158.8.245. How would I modify the following code to block that entire range?

Code:
ALL : 207.158.8.236 : deny
Also, I've done this for about 14 IPs so far. Are there any reasons that I should know about why not to approach the problem in this manner?
 
Old 09-29-2004, 09:01 PM   #37
TruckStuff
Re: Blocking these IPs

Quote:
Originally posted by craig34
I've been using my hosts.allow file to prevent some of the IPs from which I notice many attempts. Today my security email has informed me that a range of IPs, all starting with 207.158.8, have made many attempts. I'd like to block the entire range, which seems to go from 207.158.8.236 to 207.158.8.245. How would I modify the following code to block that entire range?

Code:
ALL : 207.158.8.236 : deny
Also, I've done this for about 14 IPs so far. Are there any reasons that I should know about why not to approach the problem in this manner?
whois 207.158.8.236 will give you the CIDR range. Then you can add
Code:
ALL:  207.158.0.0/18 : deny
to your hosts.allow file.

I've been blocking these at the firewall. Any thoughts on whether it's better to block at the firewall vs. using hosts.allow as mentioned here?

Also, does anyone have any tips for managing all of these IPs across multiple servers? It's getting to be a pain to add an IP to each of our servers every day.
 
Old 09-30-2004, 08:20 AM   #38
craig34
Distribution: FreeBSD
Re: Re: Blocking these IPs

Quote:
Originally posted by TruckStuff
whois 207.158.8.236 will give you the CIDR range. Then you can add
Code:
ALL:  207.158.0.0/18 : deny
to your hosts.allow file.
Now exactly what IPs will this block? I basically want to block IPs in the range of 207.159.8.236 through 207.159.8.245 and nothing else from that range. Not 207.159.8.145, not 207.159.7.65.
 
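The two questions above (how to cover only 207.158.8.236 through 207.158.8.245 in hosts.allow, and what the suggested 207.158.0.0/18 actually matches) can be answered by computing the minimal net/mask cover of the range. The script below is an added example, not code from this thread; it assumes the range from craig34's first post (207.158.8.x) is the one meant in the later post as well, and it writes the masks in the dotted `net/mask` form, which every hosts_access(5) implementation accepts, because the `/18` prefix-length form only works where the tcp_wrappers build has been patched to understand it.

```python
"""Cover an IP range with the fewest tcp_wrappers net/mask patterns.

Added example, not code from the thread. It takes the range craig34 gives in
his first post (207.158.8.236 to 207.158.8.245, assumed to be what the later
post means too) and contrasts an exact cover with the 207.158.0.0/18
allocation suggested in reply. Output uses the dotted 'net/mask' form that
every hosts_access(5) implementation accepts; the '/18' prefix-length form only
works where the tcp_wrappers build understands prefix lengths.
"""
import ipaddress

# The allocation-wide block proposed in the thread.
WHOLE_ALLOCATION = ipaddress.ip_network("207.158.0.0/18")


def range_to_networks(first, last):
    """Smallest list of CIDR blocks that covers exactly first..last inclusive."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(start, end))


def hosts_allow_lines(first, last, daemons="ALL"):
    """hosts.allow lines for the range, one 'daemon : net/mask : deny' per block.
    The mask is written dotted so that stock tcp_wrappers 7.6 matches it."""
    return [f"{daemons} : {net.network_address}/{net.netmask} : deny"
            for net in range_to_networks(first, last)]


def blocked_by(networks, ip):
    """What tcp_wrappers does for a net/mask entry: (addr & mask) == net."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def compare(first, last, probes):
    """For each probe IP: (blocked by the /18, blocked by the exact cover)."""
    exact = range_to_networks(first, last)
    return {ip: (blocked_by([WHOLE_ALLOCATION], ip), blocked_by(exact, ip))
            for ip in probes}


if __name__ == "__main__":
    FIRST, LAST = "207.158.8.236", "207.158.8.245"
    for line in hosts_allow_lines(FIRST, LAST, daemons="sshd"):
        print(line)
    # Addresses craig34 explicitly did not want blocked, plus the range edges.
    probes = ["207.158.8.145", "207.158.7.65", FIRST, LAST, "207.158.8.246"]
    for ip, (whole, exact) in compare(FIRST, LAST, probes).items():
        print(f"{ip:16} /18 blocks: {whole!s:5}  exact cover blocks: {exact}")
```

The ten-address range needs three entries (a /30, a /30 and a /31), and the probe table shows the difference in scope: the /18 matches roughly sixteen thousand addresses including 207.158.8.145 and 207.158.7.65, while the exact cover matches only the ten. Using `sshd` instead of `ALL` in the daemon field keeps web and mail reachable from those addresses if that matters to you.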
Old 09-30-2004, 10:33 AM   #39
TruckStuff
That CIDR would block their entire network. I'd rather not mess with them in the future, but I suppose that's personal opinion.
 
Old 09-30-2004, 10:47 AM   #40
craig34
Distribution: FreeBSD
Quote:
Originally posted by TruckStuff
That CIDR would block their entire network. I'd rather not mess with them in the future, but I suppose that's personal opinion.
Well, isn't it possible that there are lots of other people in that network that are not related to the offender in question?
 
Old 09-30-2004, 10:54 AM   #41
lappen
Distribution: Slackware 9.1 / Gentoo
I accidentally forgot to disable root login through SSH, so when I got back from my vacation one guy had been trying to log in to my server with the root account for about 2 weeks, with a delay of a couple of seconds between each attempt.. scary
 
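The settings recommended earlier in the thread (key-only logins, no root login, an alternate port) are only worth anything if sshd actually applies them, and sshd_config(5) states that for each keyword the first value obtained is used. The checker below is an added example, not code from this thread; it reads a config with that first-wins rule, reports which of the three recommendations are not in effect, and fixes them by rewriting the first occurrence rather than appending a line that sshd would ignore. The defaults it assumes for absent keywords (PermitRootLogin yes, which was the default until OpenSSH 7.0; PasswordAuthentication yes; Port 22) and the sample config are assumptions for the example.

```python
"""Check what sshd will actually enforce from an sshd_config.

Added example, not code from the thread. sshd_config(5) says that for each
keyword the FIRST value obtained is used, so a 'PermitRootLogin no' appended
below an existing 'PermitRootLogin yes' changes nothing; this checker applies
that rule. Defaults assumed for keywords that are absent match OpenSSH of the
era discussed: PermitRootLogin yes (the default until 7.0),
PasswordAuthentication yes, Port 22. Anything inside a Match block is
conditional and is deliberately left out. Port may legitimately appear more
than once (sshd listens on all of them); only the first is examined here.
"""
import re

DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes", "port": "22"}
# 'Keyword value' or 'Keyword=value'; comments and blank lines are skipped.
KEYVAL = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")


def _entries(config_text):
    """Yield (line_index, keyword_lowercased, value) for the global section."""
    for i, raw in enumerate(config_text.splitlines()):
        line = raw.split("#", 1)[0].strip()
        m = KEYVAL.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":          # everything after this is conditional
            return
        yield i, key, value


def effective_settings(config_text):
    """{keyword: value} as sshd will use it: first occurrence wins, else default."""
    eff = {}
    for _, key, value in _entries(config_text):
        eff.setdefault(key, value)
    return {k: eff.get(k, default) for k, default in DEFAULTS.items()}


def findings(config_text):
    """Deviations from the thread's advice (key-only logins, no root, odd port)."""
    eff = effective_settings(config_text)
    out = []
    if eff["permitrootlogin"].lower() == "yes":
        out.append("PermitRootLogin yes: root can be brute-forced directly")
    if eff["passwordauthentication"].lower() != "no":
        out.append("PasswordAuthentication not 'no': key-only login is not enforced")
    if eff["port"] == "22":
        out.append("Port 22: an alternate port cuts scanner noise (not a control)")
    return out


def set_option(config_text, keyword, value):
    """Set a global option the way sshd will honour it: rewrite the FIRST
    occurrence, or put the line at the top of the file if there is none."""
    lines = config_text.splitlines()
    for i, key, _ in _entries(config_text):
        if key == keyword.lower():
            lines[i] = f"{keyword} {value}"
            return "\n".join(lines) + "\n"
    return f"{keyword} {value}\n" + config_text


# Constructed sshd_config: the hardening lines at the bottom are dead.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server

# appended after a brute-force scare; sshd ignores both (first value wins)
PermitRootLogin no
PasswordAuthentication no
"""


def harden(config_text):
    """Return the config with the thread's three recommendations in effect."""
    for keyword, value in (("PermitRootLogin", "no"),
                           ("PasswordAuthentication", "no"), ("Port", "2222")):
        config_text = set_option(config_text, keyword, value)
    return config_text


if __name__ == "__main__":
    print("before:", findings(SAMPLE_CONFIG))
    print("after: ", findings(harden(SAMPLE_CONFIG)))
```

Run it against a real file with `findings(open("/etc/ssh/sshd_config").read())` after sending sshd a HUP, and confirm from a second session before closing the one you are in, since `PasswordAuthentication no` locks out every account that has no key installed.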
Old 09-30-2004, 01:42 PM   #42
TruckStuff
Quote:
Well, isn't it possible that there are lots of other people in that network that are not related to the offender in question?
Yes, but it's also possible there are more people on that network who will try the same thing. If my users start complaining, then I'll worry about it. You don't get much room for forgiveness with me when it comes to security.

Anywho, I think we're hijacking this thread.

Last edited by TruckStuff; 09-30-2004 at 01:47 PM.
 
Old 09-30-2004, 01:54 PM   #43
Capt_Caveman
Distribution: Fedora
Original Poster
Quote:
Originally posted by TruckStuff
Anywho, I think we're hijacking this thread.
If it has anything to do with dealing with these SSH attempts, additional observations or solutions, then feel free to post them here.
 
Old 09-30-2004, 01:57 PM   #44
craig34
Distribution: FreeBSD
Alright, well it doesn't look like a whole lot of people are seeing this but I will pose the question anyway.

Q: What is your decision making process in blocking IP addresses?

Personally, I will not block an IP for simply one set of (unsuccessful) attempts on my site. If there are more than 10 attempts in a row, or attempts over a few days, then I will block that IP. If the IP is located in Taiwan or China, I'll block it right then and there because we basically sell no product there.

I'm a bit paranoid about blocking IPs, because I don't want to lose potential sales.
 
Old 09-30-2004, 04:02 PM   #45
Capt_Caveman
Distribution: Fedora
Original Poster
You can always just restrict those IP ranges from ssh access and leave potentially legitimate services (web, mail, etc.) open. Obviously if you do some kind of outright blacklist you'll reduce these attempts overall, but consequently you're more likely to block legitimate traffic as well. If that's the route you take, it will really come down to a trade off of whether you can afford to block IP ranges in exchange for security (which is only something you can decide). Honestly, spending your effort hardening your system and maintaining security will be a better payoff than worrying about the best way to implement your blacklist. Then you can just ban the occasional determined repeat offender without much consideration.
 
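The decision rule from a few posts up (block after more than 10 failed attempts in a row, or attempts spread over more than one day) and the advice just above (restrict sshd only, leave web and mail open) fit together as a small log filter. The script below is an added example, not code from this thread: it parses `Failed password` and `Accepted` lines in the syslog format an OpenSSH of that era writes, applies those two thresholds, and emits hosts.allow entries of the `sshd : IP : deny` form used elsewhere in the thread. The log lines, the IPs other than the one dannyk1 posted, and the thresholds are constructed for the example.

```python
"""Turn sshd failures in a syslog-format log into sshd-only deny entries.

Added example, not code from the thread. The policy is the one craig34
describes (block after more than 10 failed attempts in a row, or attempts on
more than one day) and the output follows Capt_Caveman's suggestion of
restricting sshd only, so web and mail from the same address keep working.
Log lines are constructed in the OpenSSH 3.x wording ('illegal user'); the
later 'invalid user' form is accepted too. Thresholds are assumptions.
"""
import re
from collections import defaultdict

SYSLOG = r"^(\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: "
FAILED = re.compile(SYSLOG + r"Failed password for (?:(?:illegal|invalid) user )?(\S+) "
                    r"from (\S+) port \d+")
ACCEPTED = re.compile(SYSLOG + r"Accepted \S+ for (\S+) from (\S+) port \d+")

MAX_STREAK = 10   # 'more than 10 attempts in a row'
MAX_DAYS = 1      # 'or attempts over a few days'


class Source:
    """Per-IP counters: current/longest failure streak, days seen, users tried."""
    def __init__(self):
        self.streak = 0
        self.longest = 0
        self.days = set()
        self.users = defaultdict(int)


def analyse(log_text):
    sources = defaultdict(Source)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            day, user, ip = m.groups()
            s = sources[ip]
            s.streak += 1
            s.longest = max(s.longest, s.streak)
            s.days.add(day)
            s.users[user] += 1
            continue
        m = ACCEPTED.match(line)
        if m:                       # a real login ends the 'in a row' count
            sources[m.group(3)].streak = 0
    return sources


def offenders(log_text):
    return sorted(ip for ip, s in analyse(log_text).items()
                  if s.longest > MAX_STREAK or len(s.days) > MAX_DAYS)


def hosts_allow_deny_lines(log_text):
    """Entries for hosts.allow (hosts_options 'deny' form) limited to sshd."""
    return [f"sshd : {ip} : deny" for ip in offenders(log_text)]


# Constructed log. One scanner runs a user list like the one dannyk1 posted,
# one comes back on a second day, one is a real user who mistyped a password
# before logging in with a key, and one makes a handful of tries and leaves.
_SCAN_USERS = ["root", "admin", "test", "cisco", "guest", "oracle", "mysql",
               "apache", "ftp", "www", "sysadmin", "operator"]
SAMPLE_LOG = "\n".join(
    [f"Sep 28 02:56:{i:02d} gw sshd[41{i:02d}]: Failed password for "
     f"{'' if u == 'root' else 'illegal user '}{u} from 216.189.163.85 port {40000 + i} ssh2"
     for i, u in enumerate(_SCAN_USERS)] + [
    "Sep 27 11:02:14 gw sshd[3901]: Failed password for root from 10.9.8.7 port 2231 ssh2",
    "Sep 27 11:02:19 gw sshd[3901]: Failed password for root from 10.9.8.7 port 2231 ssh2",
    "Sep 29 09:41:03 gw sshd[5120]: Failed password for illegal user admin from 10.9.8.7 port 2410 ssh2",
    "Sep 28 14:10:01 gw sshd[4400]: Failed password for alice from 192.0.2.44 port 51010 ssh2",
    "Sep 28 14:10:05 gw sshd[4400]: Failed password for alice from 192.0.2.44 port 51010 ssh2",
    "Sep 28 14:10:09 gw sshd[4400]: Failed password for alice from 192.0.2.44 port 51010 ssh2",
    "Sep 28 14:10:20 gw sshd[4401]: Accepted publickey for alice from 192.0.2.44 port 51011 ssh2",
    "Sep 28 16:00:00 gw sshd[4500]: Failed password for illegal user test from 203.0.113.9 port 3333 ssh2",
    "Sep 28 16:00:04 gw sshd[4500]: Failed password for illegal user test from 203.0.113.9 port 3333 ssh2",
    "Sep 28 16:00:08 gw sshd[4501]: Failed password for illegal user guest from 203.0.113.9 port 3334 ssh2",
    "Sep 28 16:00:12 gw sshd[4501]: Failed password for illegal user guest from 203.0.113.9 port 3334 ssh2",
])


if __name__ == "__main__":
    for ip, s in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{ip:16} attempts={sum(s.users.values()):3} days={len(s.days)} "
              f"longest_run={s.longest:3} users={sorted(s.users)}")
    print("\n".join(hosts_allow_deny_lines(SAMPLE_LOG)))
```

Of the four sources in the sample, only the 12-username scan and the address that returns on a second day produce entries; the user who typed a wrong password three times and then logged in with a key, and the four-try visitor, are left alone. The `Accepted` line resetting the streak is what keeps your own users off the list, so if you move the per-IP deny into hosts.allow by hand or by cron, keep that line in the rule.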
Tags
hostsdeny, keys, ssh