LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-09-2009, 02:02 PM   #1
jlumpkins
LQ Newbie
 
Registered: Jun 2007
Posts: 2

Rep: Reputation: 0
Fedora 11; Missing a day in /var/log/secure Puzzled, and concerned...


Hi,

I have a Fedora 11 server exposed to the Internet through the DMZ in my Astaro security box. Every morning I get an email listing all of the bad attempts to gain ssh access. Most days I get one or two IP addresses that have tried hundreds of times to log in as root, unknown, and/or other well known users. To date, none have been successful. Every time I find an IP address that has tried this, I look up the network that the IP belongs to, and send them an email along with log entries showing when the foreign host tried to break in. I then add an extra line to iptables blocking the entire class C network around the IP in question. I've been doing this for a few months now, and hopefully, I've helped eliminate at least one or two hackers. (I would love to see footage of an F-16 rolling in on their home, and dropping napalm, but, I would settle for just knowing that they lost their ISP.)

My question is that last week when I was checking my logs (/var/log/secure), I noticed that I have an entire day missing. I don't know that this is indicative of a successful break-in because nothing appears to be wrong, but, I'm a little concerned. Has anybody else noticed Nov 6th missing from /var/log/secure*?

I know the server was up, and that iptables was active.

Also, after reading an article on security, I've added some additional lines to iptables that are supposed to disable a given host for 5 minutes after 5 bad attempts within 5 minutes, as a way to block attempts automatically without having to block the IP addresses by hand. This doesn't seem to be working:

Chain SSH (1 references)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 300 name: SSH_COUNTER side: source reject-with icmp-port-unreachable
SSH_BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 5 name: SSH side: source
LOG all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 2 name: SSH side: source LOG flags 0 level 4 prefix `Added: '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 2 name: SSH side: source reject-with icmp-port-unreachable
LOG all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: SSH_COUNTER side: source LOG flags 0 level 4 prefix `Removed: '
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: SSH side: source

Chain SSH_BLACKLIST (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: SSH_COUNTER side: source LOG flags 0 level 4 prefix `Blocked: '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable


If anybody has any idea why this is failing, I would appreciate your thoughts.

One other question... Is there any global authority that one should report attempted break-ins to? I would love to contribute in a meaningful way to putting some hackers away.


Regards,


Jerry Lumpkins
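Because the chain above is only visible as `iptables -L` output, the following is an added model (an editor's example, not code from this thread or from netfilter) of the `-m recent` match as described in the iptables(8) man page, with the posted SSH and SSH_BLACKLIST chains transcribed rule by rule. Feeding it a constructed stream of new connections from one source shows what the chain actually enforces: five new connections within 60 seconds (not 5 minutes) trigger SSH_BLACKLIST and a 300-second REJECT that is refreshed by every further attempt; one connection every 15 seconds never reaches the hit count; and a single TCP connection carrying many password guesses is counted once, because the counter sees connections, not sshd authentication failures. The address and timestamps are constructed, and the kernel's default ring buffer of 20 stamps per entry is not modelled.

```python
"""Trace of the posted SSH / SSH_BLACKLIST iptables chains against a model of
the `recent` match.  Added example with constructed input; it is not the
poster's ruleset file nor the netfilter implementation."""


class RecentList:
    """One `-m recent --name X` table: per-address list of packet timestamps."""

    def __init__(self):
        self.stamps = {}

    def set(self, addr, now):
        """--set: always matches; creates the entry or appends a packet stamp."""
        self.stamps.setdefault(addr, []).append(now)
        return True

    def check(self, addr, now, seconds=0, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True): match if addr is
        listed and has at least --hitcount (default 1) stamps no older than
        --seconds (0 means any age); --update also records this packet on a match."""
        st = self.stamps.get(addr)
        if st is None:
            return False
        window = [s for s in st if not seconds or s + seconds >= now]
        if len(window) < max(hitcount, 1):
            return False
        if update:
            st.append(now)
        return True

    def remove(self, addr):
        """--remove: matches only if addr is listed, and drops the entry."""
        return self.stamps.pop(addr, None) is not None


def ssh_chain(addr, now, ssh, counter, log):
    """Walk the posted chain for one new connection and return its verdict."""
    # REJECT  -m recent --update --seconds 300 --name SSH_COUNTER
    if counter.check(addr, now, seconds=300, update=True):
        return "REJECT"
    # SSH_BLACKLIST  -m recent --rcheck --seconds 60 --hitcount 5 --name SSH
    if ssh.check(addr, now, seconds=60, hitcount=5):
        counter.set(addr, now)               # LOG --set --name SSH_COUNTER, prefix "Blocked: "
        log.append(f"Blocked: {addr}")
        return "REJECT"                      # final REJECT of SSH_BLACKLIST
    # LOG  -m recent --rcheck --seconds 2 --name SSH, prefix "Added: "
    if ssh.check(addr, now, seconds=2):
        log.append(f"Added: {addr}")
    # REJECT  -m recent --update --seconds 2 --name SSH
    if ssh.check(addr, now, seconds=2, update=True):
        return "REJECT"
    # LOG  -m recent --remove --name SSH_COUNTER, prefix "Removed: "
    if counter.remove(addr):
        log.append(f"Removed: {addr}")
    # ACCEPT  -m recent --set --name SSH
    ssh.set(addr, now)
    return "ACCEPT"


def trace(times, addr="192.0.2.10"):
    """Run one source (constructed address) through the chain at the given
    connection times (seconds); returns (verdicts, log lines)."""
    ssh, counter, log = RecentList(), RecentList(), []
    verdicts = [ssh_chain(addr, t, ssh, counter, log) for t in times]
    return verdicts, log


if __name__ == "__main__":
    # Burst: one new connection every 10 s, then one more after the 300 s block.
    print(trace([0, 10, 20, 30, 40, 50, 60, 400]))
    # Slow: one new connection every 15 s for ten minutes never reaches 5 in 60 s.
    print(trace(list(range(0, 600, 15))))
```

The comment on each `if` is the `iptables` rule it stands for, which is the form the rules would take if re-entered by hand. Note that the blacklist timer counts from the last rejected packet, not the first, so a host that keeps knocking stays blocked.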
 
Old 11-09-2009, 05:45 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by jlumpkins View Post
Every time I find an IP address that has tried this, I look up the network that the IP belongs to, and send them an email along with log entries showing when the foreign host tried to break in. (..) they lost their ISP.
+1 for effort and not to temper your enthusiasm but unfortunately most SOHO ISPs don't have the manpower to deal with it adequately. Often these well-meaning reports will get filed in the bit bucket.


Quote:
Originally Posted by jlumpkins View Post
I've been doing this for a few months now, and hopefully, I've helped eliminate at least one or two hackers.
Also a cracker may use any set of intermediaries so this may be an already compromised server or home machine. A cracker may or may not be interested in recovering or compromising it again and just move on. Economics of cracking and such.


Quote:
Originally Posted by jlumpkins View Post
I noticed that I have an entire day missing. (..) Has anybody else noticed Nov 6th missing from /var/log/secure*?
Does this also apply to your other logs? Any other indication of system changes on or leading up to that day?


Quote:
Originally Posted by jlumpkins View Post
this doesn't seem to be working
I don't know about others but I don't read 'iptables -L' well: I'd rather see actual iptables rules instead.


Quote:
Originally Posted by jlumpkins View Post
Is there any global authority that one should report attempted break ins to?
With the number of machines getting scanned (all) versus the amount of damage done (none) the only parties I know would be interested in data for trending purposes would be Dshield (http://www.dshield.org) and Mywatchmen (http://www.mynetwatchman.com/).
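The two questions above about the missing day (whether the gap is confined to /var/log/secure or shows in the other logs too) can be answered mechanically. The following is an added example, not code from either poster: it reads syslog-format lines such as those in /var/log/secure and /var/log/messages, counts entries per calendar day, lists the days between the first and last entry that have none, and then compares several logs so that a day quiet in one file but busy in another stands out. Syslog lines carry no year, so the caller supplies it. The log lines, hostname and addresses are constructed for the example; in practice the rotated `secure*` files would be concatenated in order before the check.

```python
"""Find missing calendar days in syslog-format logs and compare logs with each
other.  Added example with constructed sample lines; not the poster's data."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt: Nov 5, 7 and 8 present, Nov 6 absent.
SAMPLE_SECURE = """\
Nov  5 03:11:42 fedora sshd[2911]: Failed password for root from 198.51.100.7 port 40022 ssh2
Nov  5 03:11:45 fedora sshd[2911]: Failed password for root from 198.51.100.7 port 40022 ssh2
Nov  5 22:40:01 fedora sshd[3050]: Accepted publickey for jerry from 192.0.2.20 port 51000 ssh2
Nov  7 00:00:09 fedora sshd[3301]: Invalid user oracle from 203.0.113.9
Nov  7 00:00:12 fedora sshd[3301]: Failed password for invalid user oracle from 203.0.113.9 port 33921 ssh2
Nov  8 04:02:17 fedora sshd[3544]: Failed password for unknown from 203.0.113.9 port 33955 ssh2
""".splitlines()

# Constructed /var/log/messages excerpt covering every day, including Nov 6.
SAMPLE_MESSAGES = """\
Nov  5 04:02:03 fedora kernel: eth0: link up
Nov  6 04:02:04 fedora crond[1120]: (root) CMD (run-parts /etc/cron.hourly)
Nov  7 04:02:05 fedora crond[1121]: (root) CMD (run-parts /etc/cron.hourly)
Nov  8 04:02:06 fedora crond[1122]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Traditional syslog prefix: "Mon  D HH:MM:SS" with the day padded to two columns.
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) \d{2}:\d{2}:\d{2} ")


def line_date(line, year):
    """Calendar date of one syslog line, or None if it has no timestamp prefix."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)} {year}", "%b %d %Y").date()


def day_counts(lines, year):
    """Number of timestamped entries per calendar day."""
    counts = Counter()
    for line in lines:
        day = line_date(line, year)
        if day is not None:
            counts[day] += 1
    return counts


def missing_days(lines, year):
    """Days strictly between the first and last logged day that have no entries."""
    counts = day_counts(lines, year)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    return [first + timedelta(days=i)
            for i in range(1, (last - first).days)
            if first + timedelta(days=i) not in counts]


def gaps_by_log(logs, year):
    """For each day seen in at least one log, the names of the logs that have no
    entry for it.  A gap confined to one file is the case that needs explaining:
    an outage or reboot would leave every log quiet at once."""
    counts = {name: day_counts(lines, year) for name, lines in logs.items()}
    all_days = set().union(*counts.values())
    return {day: sorted(name for name, c in counts.items() if day not in c)
            for day in sorted(all_days)
            if any(day not in c for c in counts.values())}


if __name__ == "__main__":
    print("missing in secure:", missing_days(SAMPLE_SECURE, 2009))
    print("gaps by log:", gaps_by_log({"secure": SAMPLE_SECURE,
                                       "messages": SAMPLE_MESSAGES}, 2009))
```

On a real host the same functions would be fed the concatenated `secure*` rotation set alongside `messages*` and `cron*`; if only `secure` is silent on a day that cron and the kernel both logged, the next things to compare are the file's modification time, the logrotate schedule, and any other evidence of changes on that day, which is exactly the follow-up asked for above.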
 
  


