Linux - Security
All my web servers, personal servers and everyone I know at home are getting hit with these attempts. These scans have been happening for months now. I'm almost willing to bet that anyone who runs ssh and does `cat /var/log/messages | grep test` will see many attempts from different IPs.
I suggest we all use key logins only and even run ssh on an alternate port if possible. Adding them to hosts.deny or blocking them via iptables in real time is even better.
Originally posted by DrNeil Lol there you try to minimise thread numbers and it's wrong again.
I asked you once nicely not to spam the stickied threads. They are for informational purposes and filling them with random comments results in people not reading them and potentially missing important information, which I don't appreciate. If you feel the need to discuss this further, mail me off the list.
Geesh... I had one guy "scan" our servers over six THOUSAND times this weekend. What a PITA. I sent a complaint to his hosting company's abuse department... who knows if anything will come of it.
I'm used to cleaning out spam from my email but this shit is starting to get out of hand.
Looks like the code has been updated to throw more passwords at a server.
Look at how many hits I got from one idiot in one attack.
failed logins from these:
I've been using my hosts.allow file to prevent some of the IPs from which I notice many attempts. Today my security email has informed me that a range of IPs, all starting with 207.158.8, have made many attempts. I'd like to block the entire range, which seems to go from 207.158.8.236 to 207.158.8.245. How would I modify the following code to block that entire range?
Code:
ALL : 207.158.8.236 : deny
Also, I've done this for about 14 IPs so far. Are there any reasons that I should know about why not to approach the problem in this manner?
Originally posted by craig34 I've been using my hosts.allow file to prevent some of the IPs from which I notice many attempts. Today my security email has informed me that a range of IPs, all starting with 207.158.8, have made many attempts. I'd like to block the entire range, which seems to go from 207.158.8.236 to 207.158.8.245. How would I modify the following code to block that entire range?
Code:
ALL : 207.158.8.236 : deny
Also, I've done this for about 14 IPs so far. Are there any reasons that I should know about why not to approach the problem in this manner?
whois 207.158.8.236 will give you the CIDR range. Then you can add
Code:
ALL: 207.158.0.0/18 : deny
to your hosts.allow file.
I've been blocking these at the firewall. Any thoughts on whether it's better to block at the firewall vs. using a hosts.allow as mentioned here?
Also, does anyone have any tips for managing all of these IPs across multiple servers? It's getting to be a pain to add an IP to each of our servers every day.
Originally posted by TruckStuff whois 207.158.8.236 will give you the CIDR range. Then you can add
Code:
ALL: 207.158.0.0/18 : deny
to your hosts.allow file.
Now exactly what IPs will this block? I basically want to block IPs in the range of 207.159.8.236 through 207.159.8.245 and nothing else from that range. Not 207.159.8.145, not 207.159.7.65.
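The range question in the two posts above (what a whois-derived /18 actually covers versus the ten addresses craig34 wants to block), worked through as an added example that is not from the thread. It uses only Python's standard ipaddress module and emits tcp_wrappers entries in the n.n.n.n/m.m.m.m net/mask form from hosts_access(5), since the bare /18 prefix form depends on how tcp_wrappers was built; the probe addresses are taken from the post.

```python
import ipaddress

# Values from the thread: the range craig34 wants blocked and the CIDR suggested
# from whois. Everything else here is constructed for the example.
RANGE_START = "207.158.8.236"
RANGE_END = "207.158.8.245"
WHOIS_CIDR = "207.158.0.0/18"


def exact_cidrs(start, end):
    """Smallest set of CIDR blocks that covers start..end inclusive and nothing else."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def hosts_allow_lines(cidrs):
    """tcp_wrappers entries in the net/mask form every hosts_access(5) accepts."""
    lines = []
    for c in cidrs:
        net = ipaddress.ip_network(c)
        lines.append(f"ALL : {net.network_address}/{net.netmask} : deny")
    return lines


def would_block(cidrs, ip):
    """True if ip falls inside any of the given blocks (what the rule would match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def hosts_covered(cidr):
    """Number of addresses a single block matches."""
    return ipaddress.ip_network(cidr).num_addresses


if __name__ == "__main__":
    precise = exact_cidrs(RANGE_START, RANGE_END)
    for line in hosts_allow_lines(precise):
        print(line)
    print(f"{WHOIS_CIDR} matches {hosts_covered(WHOIS_CIDR)} addresses; "
          f"the exact list matches {sum(hosts_covered(c) for c in precise)}")
    # The addresses craig34 explicitly does not want blocked, plus one he does.
    for probe in ("207.158.8.240", "207.158.8.145", "207.158.7.65"):
        print(probe, "exact:", would_block(precise, probe),
              "/18:", would_block([WHOIS_CIDR], probe))
```

The /18 spans 207.158.0.0 through 207.158.63.255, so it catches 207.158.8.145 and 207.158.7.65 as well; the three exact blocks do not.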
Originally posted by TruckStuff That CIDR would block their entire network. I'd rather not mess with them in the future, but I suppose that's personal opinion.
Well, isn't it possible that there are lots of other people in that network that are not related to the offender in question?
I accidentally forgot to disable root login through SSH, so when I got back from my vacation one guy had been trying to log in to my server with the root account for about 2 weeks with a delay of a couple of seconds between each attempt... scary
Well, isn't it possible that there are lots of other people in that network that are not related to the offender in question?
Yes, but it's also possible there are more people on that network who will try the same thing. If my users start complaining, then I'll worry about it. You don't get much room for forgiveness with me when it comes to security.
Anywho, I think we're hijacking this thread.
Last edited by TruckStuff; 09-30-2004 at 01:47 PM.
Alright, well it doesn't look like a whole lot of people are seeing this but I will pose the question anyway.
Q: What is your decision making process in blocking IP addresses?
Personally, I will not block an IP for simply one set of (unsuccessful) attempts on my site. If there are more than 10 attempts in a row, or attempts over a few days, then I will block that IP. If the IP is located in Taiwan or China, I'll block it right then and there b/c we basically sell no product there.
I'm a bit paranoid about blocking IPs, because I don't want to lose potential sales.
You can always just restrict those IP ranges from ssh access and leave potentially legitimate services (web, mail, etc.) open. Obviously if you do some kind of outright blacklist you'll reduce these attempts overall, but consequently you're more likely to block legitimate traffic as well. If that's the route you take, it will really come down to a trade-off of whether you can afford to block IP ranges in exchange for security (which is only something you can decide). Honestly, spending your effort hardening your system and maintaining security will be a better payoff than worrying about the best way to implement your blacklist. Then you can just ban the occasional determined repeat offender without much consideration.
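The blocking policy from the last two posts (more than ten failed attempts, or attempts recurring over several days, and then denying only ssh rather than every service), run over constructed sshd log lines as an added example that is not from the thread. The sample lines, the two thresholds and the sshd-only hosts.allow form are assumptions; the source IPs and usernames are ones that appear in the thread.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines (not from the thread): one noisy host, one host
# that comes back on a second day, and one legitimate user who mistyped once.
SAMPLE_LOG = """\
Sep 28 02:11:03 www sshd[2201]: Failed password for invalid user test from 216.189.163.85 port 3341 ssh2
Sep 28 02:11:05 www sshd[2203]: Failed password for invalid user admin from 216.189.163.85 port 3344 ssh2
Sep 28 09:40:10 www sshd[2310]: Failed password for root from 207.158.8.240 port 5120 ssh2
Sep 30 09:41:14 www sshd[2580]: Failed password for root from 207.158.8.240 port 5121 ssh2
Sep 30 11:02:00 www sshd[2611]: Failed password for craig from 10.0.0.7 port 50222 ssh2
Sep 30 11:03:19 www sshd[2612]: Accepted publickey for craig from 10.0.0.7 port 50223 ssh2
"""
# Pad the noisy host with ten more usernames of the kind a dictionary scan walks.
for i, user in enumerate(["cisco", "guest", "oracle", "mysql", "ftp",
                          "operator", "sysadmin", "apache", "nobody", "games"]):
    SAMPLE_LOG += (f"Sep 28 02:11:{10 + i:02d} www sshd[{2210 + i}]: Failed password "
                   f"for invalid user {user} from 216.189.163.85 port {3350 + i} ssh2\n")

FAILED_RE = re.compile(
    r"^(\w{3}) +(\d{1,2}) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")


def failed_logins(log_text):
    """Per source IP: count of failed password attempts and the days they fell on."""
    stats = defaultdict(lambda: {"attempts": 0, "days": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        mon, day, _user, ip = m.groups()
        stats[ip]["attempts"] += 1
        stats[ip]["days"].add(f"{mon} {int(day):02d}")
    return dict(stats)


def offenders(stats, attempt_limit=10, day_limit=2):
    """The rule stated above: more than attempt_limit failures, or failures that
    recur over day_limit or more distinct days. A single mistyped login passes."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] > attempt_limit or len(s["days"]) >= day_limit)


def hosts_allow_lines(ips):
    """Deny sshd only (hosts.allow extended syntax) so web and mail stay reachable."""
    return [f"sshd : {ip} : deny" for ip in ips]


if __name__ == "__main__":
    for line in hosts_allow_lines(offenders(failed_logins(SAMPLE_LOG))):
        print(line)
```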