LinuxQuestions.org
Old 10-12-2005, 09:51 PM   #1
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Rep: Reputation: 78
Finding responsible contact info for an IP?


I know how to use ARIN/APNIC/LACNIC to find contact information for a particular IP, but I'm having real trouble with this IP address:

202.225.133.27 (flh9aae027.tky.mesh.ad.jp)

I'm getting thousands of dictionary hack attempts from this machine and would like to request that it be shut down. Or find someone to go smash it to pieces.

The ARIN/whois searches generally only return vague NIC addresses and such.

Any help would be much appreciated.

Also, for those of you concerned about dictionary attacks, there is a useful script for scouring access logs here:

http://www.logwatch.org/
 
Old 10-12-2005, 09:59 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
While you work on finding out who s/he is (someone in Japan, obviously), why not block the IP from login attempts? I take it this person is trying to log in via ssh?

You need to add his IP (or his whole network if you'd like) to your deny list. Which distro / version?

P.S. I certainly hope you have disabled direct root logins via ssh. That tiny step will make a cracker's job a lot harder.

Last edited by anomie; 10-12-2005 at 10:00 PM.
 
Old 10-13-2005, 05:16 AM   #3
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Thanks for the tip... been reading about these hacks. Will do that no-root-ssh thing. I got Fedora. Not sure of the version.
 
Old 10-13-2005, 09:53 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Not sure if FC uses the inetd super server, but if it does you can block this guy through the tcp wrappers mechanism.

Are there only certain legitimate networks that should be connecting to your ssh service? If so, a really good idea is to add an entry like:
Code:
sshd : 192.168.1.0/255.255.255.0 : ALLOW
to your /etc/hosts.allow file. Then on the last line of your /etc/hosts.allow file, add a line
Code:
ALL : ALL : DENY
(Note: You can also use the /etc/hosts.deny file for this purpose.)

If you are using the xinetd super server, then there are different ways to do the same thing. This along with disabling the direct root login will make the cracker's job tough.

Make sure that if you're going to implement this you will have direct access to the box (in case you accidentally put a wrong setting in /etc/hosts.allow, you want to be able to change it).
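As an added example (not from the thread or from the tcp_wrappers project), here is a small Python evaluator that applies hosts.allow-style rules the way tcp_wrappers does for the extended syntax above: first match wins, so the ALL : ALL : DENY line must stay last. The rule text is constructed, and lockout_check is a hypothetical helper for confirming your own admin address still gets in before you install the file.

```python
import ipaddress

# Constructed rules in /etc/hosts.allow style: daemon_list : client_list : option
SAMPLE_HOSTS_ALLOW = """
# only the office LAN may reach sshd
sshd : 192.168.1.0/255.255.255.0 : ALLOW
# catch-all; must remain the last line
ALL : ALL : DENY
"""

def _client_matches(pattern, ip):
    """Match one client pattern (ALL, net/mask, 'a.b.c.' prefix, or exact address)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask or net/prefixlen; ipaddress accepts a dotted mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # tcp_wrappers prefix form, e.g. "192.168.1."
        return ip.startswith(pattern)
    return pattern == ip

def parse_rules(text):
    """Parse hosts.allow text into (daemons, clients, option) tuples; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [f.strip() for f in line.split(":")]
        option = parts[2].upper() if len(parts) > 2 else "ALLOW"  # two fields in hosts.allow mean allow
        rules.append((parts[0].split(), parts[1].split(), option))
    return rules

def access_for(rules, daemon, ip):
    """Return the option of the first matching rule; tcp_wrappers grants access if nothing matches."""
    for daemons, clients, option in rules:
        if (daemon in daemons or "ALL" in daemons) and any(_client_matches(p, ip) for p in clients):
            return option
    return "ALLOW"

def lockout_check(rules, daemon, admin_ips):
    """Hypothetical pre-install check: list admin source addresses the rules would shut out."""
    return [ip for ip in admin_ips if access_for(rules, daemon, ip) != "ALLOW"]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    print(access_for(rules, "sshd", "202.225.133.27"))        # DENY
    print(lockout_check(rules, "sshd", ["192.168.1.10", "10.0.0.7"]))  # ['10.0.0.7']
```

Run lockout_check with the address you actually administer from; a non-empty result means the file as written would lock you out.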
 
Old 10-13-2005, 09:57 AM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
OT:

And as a general Linux/OpenSSH gripe (hey, we're allowed to criticize that which we love sometimes): It is simply idiotic for the default install to allow direct root login via ssh. There is no reason that a new admin should have to learn about this the hard way. (Like by brute force attacks as demonstrated here.)

I also do not like it that by default users do not have to be in a wheel group to use su. But that's another story.
 