LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

#1  MikeOfAustin (Member, Distribution: mandriva 2007.0 / edgy), 09-05-2007, 11:33 PM
This guy's been trying to get into my system for days now.


This a-hole over at 194.112.145.52 has been trying every combination for what looks like 3 weeks now to try and break into my system. Of course I'm secure, and even if they did get in, they'd only have access to my TV recordings (media center).

UPDATE: Seems as though 193.242.108.41 is doing it at the same time too

#2  rickh (Senior Member), 09-05-2007, 11:46 PM
Probably one of your neighbors has a laptop, and Windows doesn't know any better than to continuously try connecting to your wireless router.
 
#3  brianmcgee (Member), 09-06-2007, 12:54 AM
Accessing what? SSH? Telnet? NFS? Samba? VDR-Admin?

I suppose you have log entries that someone tries to log in via SSH. If you change the port from default 22 to 222 this will most certainly stop. Mostly these attacks are from script kiddies...
 
#4  FragInHell (Member), 09-06-2007, 01:23 AM
You can add the IP addresses to /etc/hosts.deny.
Also, if it's SSH-based, look at denyhosts or fail2ban.
If it's a port scan, you could try portsentry.
 
#5  b0uncer (LQ Guru), 09-06-2007, 01:39 AM
I don't think it's wise to post here (or anywhere, for that matter) the IP addresses of other people, at least if they don't have a public server or anything. It could be a dynamic IP, you never know, and change tomorrow or next month or next year, but still. Try to honor the privacy of others, in all cases.

Quote:
Originally Posted by MikeOfAustin
Of course I'm secure, ---
Of course you are, of course we all are. Why are some people still getting through, and why is that machine still 'seeing' you're there, why can it still continue if you're secure? If that really was (is) an "attack", being secure is not letting it continue. Changing port numbers, for example, is one thing to stop it, at least for a moment (until a portscan is made, for example).

I don't recommend blocking IP addresses, unless it's temporary and will be removed later. It's not nice since you don't really know how serious this is, or if it is, whether the address is static or dynamic, or actually anything other than one (or two or a few) IP addresses that are connecting to you all the time. There are better ways to deal with it. Like setting a timer which grows at each failed login, so that after a few failed login attempts the time between tries (before your services let that machine try again) grows so big it's of no use anymore. This could be reset after a few days, for example, so it's not permanent (in case of a dynamic IP, for example). Or changing port numbers from the default to something else. Do you even need services that allow external connections, from outside your LAN for example? If not, disable the services (or restrict them to only those machines that you actually need, dropping any other connection tries).

Reading a (good) book about security wouldn't be bad. Security is not just having a massive firewall or blocking this and that.
 
#6  doublejoon (Member), 09-06-2007, 07:22 AM
If you are actually seeing attempts... then you are doing well. Your basic security/logging seems to be working.

Sounds like you may have your default firewall rules to drop everything except for folks/IP's you want in.

You will never be able to keep up with filtering out random break in attempts from different IP's. It's just too much. Keep doing what you're doing.
 
#7  Hangdog42 (LQ Veteran), 09-06-2007, 07:40 AM
Quote:
and ever if they did get in, they'd only have access to my tv recordings (media center).
I wish people would start understanding that crackers largely don't give a flying fig about what is on the computer, they want to zombie it and use it in their botnet.

Which may be exactly what happened to the computers on the two IP addresses you're seeing......
 
#8  reddazz (LQ Guru), 09-06-2007, 11:43 AM
Moved: This thread is more suitable in Linux Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
#9  nomb (Member), 09-06-2007, 01:26 PM
Quote:
Originally Posted by doublejoon View Post
You will never be able to keep up with filtering out random break in attempts from different IP's. It's just too much. Keep doing what you're doing.
fail2ban really helps with this. I use it on my Debian web/ftp/vpn/... server and it is a very powerful program. Basically, you set the number of login attempts you want to allow, and after that number their IP address goes into iptables as -j DROP for the length of time you set. I have mine set up to allow 3 attempts and after that drop their packets for an hour. It is very easy to set up as it comes pre-enabled for ssh and apache along with some others.

Quote:
Originally Posted by b0uncer View Post
...and why is that machine still 'seeing' you're there...
This is a very, very wise comment. Even if your box is locked down tight, the traffic from attempts can cause problems as well. My recommendation would be to scan your server with a web based port scanner or a computer on another network so you can see what they see.

Here is a list, although it is missing my favorite to which I can't remember the URL.

http://www.linux-sec.net/Audit/nmap....wif.html#Other

nomb

***EDIT***

I remembered the URL:
ShieldsUP!
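The two lockout ideas raised in this thread, b0uncer's "timer which grows at each failed login" (post #5) and nomb's fail2ban setting of three attempts then an hour of -j DROP (post #9), are the same mechanism with different timers. The following is an added example written for this page, not code from the thread and not fail2ban's own implementation. It parses a constructed sshd log excerpt (RFC 5737 documentation addresses, not the addresses posted above), bans a source after three failures inside a ten-minute window, doubles the ban on each repeat offence, and forgets the history after three quiet days (the three-day reset is an assumed value). The iptables commands are returned as strings rather than executed so the script runs anywhere:

```python
"""Fail2ban-style lockout with a growing ban timer.

Added example, not code from the thread or from fail2ban. It scans
constructed sshd log lines (RFC 5737 documentation addresses), bans a
source after MAXRETRY failures inside FINDTIME seconds, doubles the ban
for every repeat offence, and forgets the history after RESET_AFTER
seconds without a ban. The iptables commands are returned as strings so
the script can run anywhere; on a real host you would execute them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 3             # nomb's setting: three tries
FINDTIME = 600           # failures must cluster inside this many seconds
BANTIME = 3600           # first ban: one hour
RESET_AFTER = 3 * 86400  # b0uncer's 'reset after a few days' (assumed value)

# OpenSSH failure lines as written by syslog (no year, so one is assumed)
_FAILED = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)'
)

def parse_failure(line, year=2007):
    """Return (epoch_seconds, source_ip) for a failed-password line, else None."""
    m = _FAILED.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when.timestamp(), m['ip']

class Jail:
    """Per-source failure counting and banning for one service (sshd, port 22)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps inside FINDTIME
        self.bans = {}                      # ip -> epoch when the ban expires
        self.offences = defaultdict(int)    # ip -> number of bans handed out
        self.last_ban = {}                  # ip -> epoch of the last ban

    def ban_length(self, ip, now):
        """Doubling timer: 1h, 2h, 4h ... reset after RESET_AFTER quiet seconds."""
        if ip in self.last_ban and now - self.last_ban[ip] > RESET_AFTER:
            self.offences[ip] = 0
        return BANTIME * (2 ** self.offences[ip])

    def feed(self, line):
        """Consume one log line; return an iptables command to run, or None."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        now, ip = parsed
        if now < self.bans.get(ip, 0):
            return None                     # already dropped at the firewall
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > FINDTIME:   # drop failures older than the window
            window.popleft()
        if len(window) < MAXRETRY:
            return None
        window.clear()
        length = self.ban_length(ip, now)
        self.offences[ip] += 1
        self.last_ban[ip] = now
        self.bans[ip] = now + length
        return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP  # {length}s"

    def expire(self, now):
        """Return the unban commands for every ban that has run out at 'now'."""
        cmds = []
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -p tcp --dport 22 -j DROP")
        return cmds

# Constructed log excerpt: one bursty guesser, one legitimate key login.
SAMPLE_LOG = """\
Sep 11 01:02:03 mythbox sshd[4242]: Failed password for root from 192.0.2.10 port 51000 ssh2
Sep 11 01:02:05 mythbox sshd[4242]: Failed password for root from 192.0.2.10 port 51001 ssh2
Sep 11 01:02:07 mythbox sshd[4243]: Accepted publickey for mike from 198.51.100.7 port 40000 ssh2
Sep 11 01:02:09 mythbox sshd[4242]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Sep 11 02:30:00 mythbox sshd[4300]: Failed password for root from 192.0.2.10 port 51100 ssh2
Sep 11 02:30:01 mythbox sshd[4300]: Failed password for root from 192.0.2.10 port 51101 ssh2
Sep 11 02:30:02 mythbox sshd[4300]: Failed password for root from 192.0.2.10 port 51102 ssh2
""".splitlines()

def run(lines):
    """Feed every line through one Jail; return (jail, list of commands)."""
    jail = Jail()
    actions = [cmd for cmd in map(jail.feed, lines) if cmd]
    return jail, actions

if __name__ == "__main__":
    _, actions = run(SAMPLE_LOG)
    print("\n".join(actions))
```

Run against the sample, the guesser is banned for one hour at 01:02:09; when it returns after the ban lapses, the second burst earns a two-hour ban. Because packets from a banned source are dropped, sshd never logs them, so the window only ever counts attempts that actually reached the daemon. The unban side (`expire`) matters as much as the ban: a permanent rule against what may be a dynamic address is exactly the problem b0uncer raises.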

#10  unixfool (Member), 09-06-2007, 02:23 PM
Quote:
Originally Posted by b0uncer View Post
I don't think it's wise to post here (or anywhere for that matter) the IP addresses of other people, at least if they're not having a public server or anything. It could be dynamic IP, you never know, and change tomorrow or next month or next year, but still. Try to honor the privacy of others, in all cases.
I totally agree.


Quote:
Of course you are, of course we all are. Why are some people still getting trough, and why is that machine still 'seeing' you're there, why can it still continue if you're secure? If that really was (is) an "attack", being secure is not letting it continue. Changing port numbers for example is one thing to stop it, at least for a moment (until a portscan is made, for example).
This is security by obscurity and is not the best practice. All it does is help lessen the amount of logs that are generated. A determined attacker will pick up on this immediately, finding the non-standard port that the service is running on and commencing to exploit it.

Quote:
I don't recommend blocking IP address, unless it's temporary and will be removed later. It's not nice since you don't really know how serious this is, or if it is, if the address is static or dynamic, or actually anything else than one (or two or few) IP address that is connecting to you all the time. There are better ways to deal with it. Like setting a timer which grows at each failed login, so that after a few failed login attempts the time between the tries (before your services let that machine try again) grows so big it's of no use anymore. This could be reset after a few days for example, so it's not permanent (in case of dynamic IP for example). Or changing port numbers from default to something else. Do you even need services that allow external connections, from outside your LAN for example? If not, disable the services (or restrict to only those machines that you actually need, dropping any other connection tries).
There is nothing wrong with blocking an IP that is behind a home router/firewall, especially if the intention is to not serve public content. To leave an avenue of approach open even though you don't understand the perceived attack is to fail before the cracking has barely begun. There should be no reason to leave a service open to the wild when you've no reason to have that service available to the public.

Quote:
Reading a (good) book about security wouldn't be bad. Security is not just having a massive firewall or blocking this and that.
Firewalls help, and are acceptable for a home environment in most cases. For the security-minded, it isn't quite as acceptable, but most mom-and-pops and neophytes that are new to the networking world (including people who just want to check their e-mail and peruse the Web) have no understanding of involved attacks. A firewall is fine for those people, provided they know how to set up a SOHO-type (read: simple) firewall.

My advice: block the IP and be done with the paranoia.
 
#11  unixfool (Member), 09-06-2007, 02:28 PM
Quote:
Originally Posted by doublejoon View Post
Sounds like you may have your default firewall rules to drop everything except for folks/IP's you want in.
I agree...a default policy of deny works wonders!
 
#12  unixfool (Member), 09-06-2007, 02:38 PM
Quote:
Originally Posted by nomb View Post
I remembered the URL:
ShieldsUP!
Another good one (it doesn't do full-on scans, but is a good tool):

http://clez.net/
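nomb's advice in post #9 to scan your own box from another network "so you can see what they see" is the check worth automating. The following is an added example for this page, not code from the thread or from any of the scanning sites linked above. It binds a throwaway listener on 127.0.0.1 that greets the way sshd does (the banner text is constructed) and then connect-scans it exactly as an outside host would, distinguishing open from closed from filtered and recording whatever greeting the service volunteers. Point `connect_scan()` at your public address from a machine outside your LAN to get the attacker's view; `nmap -sT -sV` does the same job with far more coverage:

```python
"""Connect scan with banner grab against a local stand-in service.

Added example, not code from the thread. The listener and its greeting
are constructed so the script runs offline; the scanning functions work
unchanged against a remote host.
"""
import socket
import threading

def open_listener(host="127.0.0.1"):
    """Bind and listen on an OS-chosen port; stands in for sshd."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv

def serve_banner(srv, banner, connections=1):
    """Accept 'connections' clients in a thread and send each the banner."""
    def loop():
        for _ in range(connections):
            conn, _peer = srv.accept()
            with conn:
                conn.sendall(banner)
    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return t

def probe(host, port, timeout=1.0):
    """Full TCP connect to one port: ('open', banner), ('closed', b'') or ('filtered', b'')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:      # RST came back: nothing listening
        s.close()
        return "closed", b""
    except OSError:                     # timeout or unreachable: dropped by a firewall
        s.close()
        return "filtered", b""
    try:
        banner = s.recv(128)            # many daemons (sshd, smtpd, ftpd) talk first
    except OSError:
        banner = b""
    finally:
        s.close()
    return "open", banner.strip()

def connect_scan(host, ports, timeout=1.0):
    """Map each port to its probe() result."""
    return {port: probe(host, port, timeout) for port in ports}

def demo():
    """Scan one listening port and one that is known to be closed."""
    srv = open_listener()
    open_port = srv.getsockname()[1]
    serve_banner(srv, b"SSH-2.0-OpenSSH_4.3\r\n")   # constructed greeting
    # bind-then-release another port so we know it is closed, not filtered
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        scan = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "scan": scan}

if __name__ == "__main__":
    result = demo()
    for port, (state, banner) in sorted(result["scan"].items()):
        print(f"{port:5d}/tcp {state:8s} {banner.decode(errors='replace')}")
```

The three states are what a DROP-by-default firewall (post #6) buys you: an attacker scanning a dropped port sees "filtered" after a timeout, not the immediate RST of "closed", and learns nothing about which services exist. The banner is the detail that makes "changing the port" weak on its own (post #10): whichever port sshd moves to, the first line it sends names it.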
 
#13  nomb (Member), 09-06-2007, 02:51 PM
Quote:
Originally Posted by unixfool View Post
Another good one (it doesn't do full-on scans, but is a good tool):

http://clez.net/
I got excited because that hash generator has quite a few hashes. I was hoping it would help me determine what kind of hash this is:

a3ab5pjkev4de

But unfortunately it didn't...

Any ideas?

Nice Site btw.

nomb
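A hash string on its own only tells you its shape: any crypt(3)-style prefix, its alphabet and its length. The following is an added example for this page, not code from the thread or from the site linked above, that classifies by those three properties. It reports every format the shape is consistent with rather than one answer, because a bare 32-hex-character string is as likely NTLM as MD5, and a 13-character string from the [./0-9A-Za-z] alphabet is what traditional DES crypt(3) produces but could equally be a random token. The sample strings other than the one from the thread are constructed (the 32-hex value is the well-known MD5 digest of the empty string):

```python
"""Shape-based hash format identification.

Added example, not code from the thread or from clez.net. A match means
'consistent with', not 'is'; only verifying a guess with the matching
algorithm settles it.
"""
import re

# Checked in order: prefixed crypt(3) formats first, then the bare
# fixed-width shapes, which are the ambiguous ones.
FORMATS = [
    ("bcrypt",      re.compile(r'^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$')),
    ("sha512crypt", re.compile(r'^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$')),
    ("sha256crypt", re.compile(r'^\$5\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{43}$')),
    ("md5crypt",    re.compile(r'^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$')),
    # classic DES crypt(3): 2-char salt + 11 chars, all from [./0-9A-Za-z]
    ("descrypt",    re.compile(r'^[./A-Za-z0-9]{13}$')),
    ("md5-hex",     re.compile(r'^[0-9a-fA-F]{32}$')),   # also NTLM/LM sized
    ("sha1-hex",    re.compile(r'^[0-9a-fA-F]{40}$')),
    ("sha256-hex",  re.compile(r'^[0-9a-fA-F]{64}$')),
    ("sha512-hex",  re.compile(r'^[0-9a-fA-F]{128}$')),
]

def identify(candidate):
    """Return every format label whose shape the string matches (possibly several)."""
    s = candidate.strip()
    return [label for label, rx in FORMATS if rx.match(s)]

def identify_all(candidates):
    """Classify a batch; unknown shapes map to an empty list."""
    return {c: identify(c) for c in candidates}

SAMPLES = [
    "a3ab5pjkev4de",                        # the string from the thread
    "$1$saltsalt$" + "A" * 22,              # constructed md5crypt shape
    "d41d8cd98f00b204e9800998ecf8427e",     # MD5 of the empty string
    "$2b$12$" + "B" * 53,                   # constructed bcrypt shape
    "not-a-hash",
]

if __name__ == "__main__":
    for s, labels in identify_all(SAMPLES).items():
        print(f"{s:40s} -> {', '.join(labels) or 'unknown'}")
```

For the string in the post the only shape that fits is traditional DES crypt(3), whose first two characters are the salt. That is a hypothesis, not a verdict: the way to confirm it is to run a candidate password through the same crypt with the stored string as the salt argument and compare, which on glibc systems Python's `crypt` module could do until it was removed in Python 3.13.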
 
#14  MikeOfAustin (Member, Original Poster), 09-06-2007, 04:02 PM
Thanks everyone, and for the comments.

It was just a 'script kiddy' like someone mentioned. Gone now.

I've never had anyone try that on me before. It made me want to track the guy down and knock on his door (ask his parents' permission first though).
 
#15  nomb (Member), 09-06-2007, 08:01 PM
Quote:
Originally Posted by MikeOfAustin View Post
Thanks everyone, and for the comments.

It was just a 'script kiddy' like someone mentioned. Gone now.

I've never had anyone try that to me before. It made me want to track the guy down and knock on his door (ask his parents permission first though).
Ya, we have all gone through that. Don't stress over it, it is a waste of time.
 
  

