This guy's been trying to get into my system for days now.
This a-hole over at 194.112.145.52 has been trying every combination for what looks like 3 weeks now to try and break into my system. Of course I'm secure, and even if they did get in, they'd only have access to my TV recordings (media center).
UPDATE: Seems as though 193.242.108.41 is doing it at the same time too.
Last edited by MikeOfAustin; 09-05-2007 at 11:55 PM.
I suppose you have log entries showing that someone is trying to log in via SSH. If you change the port from the default 22 to 222 this will most certainly stop. Mostly these attacks are from script kiddies...
I don't think it's wise to post here (or anywhere, for that matter) the IP addresses of other people, at least if they don't run a public server or anything. It could be a dynamic IP, you never know, and change tomorrow or next month or next year, but still. Try to honor the privacy of others, in all cases.
Quote (originally posted by MikeOfAustin): Of course I'm secure, ---
Of course you are, of course we all are. Why are some people still getting through, and why is that machine still 'seeing' you're there, why can it still continue if you're secure? If that really was (is) an "attack", being secure is not letting it continue. Changing port numbers, for example, is one thing to stop it, at least for a moment (until a portscan is made, for example).
I don't recommend blocking an IP address, unless it's temporary and will be removed later. It's not nice since you don't really know how serious this is, or if it is, whether the address is static or dynamic, or actually anything else than one (or two or a few) IP addresses that are connecting to you all the time. There are better ways to deal with it. Like setting a timer which grows at each failed login, so that after a few failed login attempts the time between the tries (before your services let that machine try again) grows so big it's of no use anymore. This could be reset after a few days, for example, so it's not permanent (in case of a dynamic IP, for example). Or changing port numbers from the default to something else. Do you even need services that allow external connections, from outside your LAN for example? If not, disable the services (or restrict them to only those machines that you actually need, dropping any other connection tries).
Reading a (good) book about security wouldn't be bad. Security is not just having a massive firewall or blocking this and that.
Quote (originally posted by MikeOfAustin): and even if they did get in, they'd only have access to my TV recordings (media center).
I wish people would start understanding that crackers largely don't give a flying fig about what is on the computer, they want to zombie it and use it in their botnet.
Which may be exactly what happened to the computers on the two IP addresses you're seeing......
You will never be able to keep up with filtering out random break-in attempts from different IPs. It's just too much. Keep doing what you're doing.
fail2ban really helps with this. I use it on my Debian web/ftp/vpn/... server and it is a very powerful program. Basically, you set the number of login attempts you want to allow, and after that number their IP address goes into iptables as -j DROP for the length of time you set. I have mine set up to allow 3 attempts and after that drop their packets for an hour. It is very easy to set up as it comes pre-enabled for ssh and apache along with some others.
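The two mechanisms discussed in this thread, the threshold-and-drop rule the post above describes for fail2ban (3 attempts, then DROP for an hour) and the growing timer b0uncer suggested earlier, can be shown together in one script. The following Python is an added example, not part of the original thread and not fail2ban's own code: it parses sshd "Failed password" lines, bans an address after maxretry failures inside findtime, and doubles the ban length on each repeat ban of the same address. The log lines are constructed sample data using RFC 5737 documentation addresses (not the ones posted in this thread), the year 2007 is assumed because syslog timestamps carry none, and the doubling rule is an assumed illustration of the growing timer, not fail2ban's exact formula.

```python
"""Simulate fail2ban-style banning from sshd auth-log lines, with a ban
time that grows on every repeat ban (the "growing timer" idea)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the original thread). The
# addresses are RFC 5737 documentation ranges, not anyone's real host.
SAMPLE_LOG = """\
Sep  5 23:40:01 mediabox sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Sep  5 23:40:03 mediabox sshd[2103]: Failed password for root from 203.0.113.7 port 50118 ssh2
Sep  5 23:40:05 mediabox sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 50120 ssh2
Sep  5 23:40:06 mediabox sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 50122 ssh2
Sep  5 23:41:00 mediabox sshd[2110]: Accepted publickey for mike from 192.0.2.10 port 40000 ssh2
Sep  5 23:50:00 mediabox sshd[2120]: Failed password for root from 198.51.100.9 port 33000 ssh2
Sep  6 01:00:00 mediabox sshd[2200]: Failed password for root from 203.0.113.7 port 51000 ssh2
Sep  6 01:00:01 mediabox sshd[2201]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep  6 01:00:02 mediabox sshd[2202]: Failed password for root from 203.0.113.7 port 51004 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
LOG_YEAR = 2007  # assumed: syslog timestamps carry no year


def parse_failures(text, year=LOG_YEAR):
    """Yield (timestamp, ip) for every failed-password line, in log order."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


class Banner:
    """Ban an IP after `maxretry` failures inside `findtime`. Each repeat ban
    of the same IP lasts twice as long as the previous one (assumed doubling,
    illustrating the growing timer; fail2ban's own escalation differs)."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=10),
                 bantime=timedelta(hours=1)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.window = defaultdict(list)    # ip -> recent failure timestamps
        self.ban_until = {}                # ip -> datetime when the ban lifts
        self.ban_count = defaultdict(int)  # ip -> number of bans so far
        self.bans = []                     # (ip, banned_at, seconds), in order
        self.dropped = 0                   # failures seen while already banned

    def is_banned(self, ip, now):
        return ip in self.ban_until and now < self.ban_until[ip]

    def record_failure(self, ts, ip):
        if self.is_banned(ip, ts):
            # With a real -j DROP rule this packet never reaches sshd at all.
            self.dropped += 1
            return
        # Keep only failures inside the findtime window, then add this one.
        recent = [t for t in self.window[ip] if ts - t <= self.findtime]
        recent.append(ts)
        self.window[ip] = recent
        if len(recent) >= self.maxretry:
            duration = self.bantime * (2 ** self.ban_count[ip])
            self.ban_count[ip] += 1
            self.ban_until[ip] = ts + duration
            self.bans.append((ip, ts, int(duration.total_seconds())))
            self.window[ip] = []


def run(text=SAMPLE_LOG, **kw):
    """Feed every failure in `text` through a Banner and return it."""
    b = Banner(**kw)
    for ts, ip in parse_failures(text):
        b.record_failure(ts, ip)
    return b


if __name__ == "__main__":
    b = run()
    for ip, at, secs in b.bans:
        print(f"ban {ip} at {at:%b %d %H:%M:%S} for {secs // 3600}h")
    print(f"{b.dropped} attempt(s) arrived while banned")
```

Running it bans 203.0.113.7 at 23:40:05 for one hour, ignores the fourth attempt that arrives while the ban is active, leaves 198.51.100.9 alone after its single failure, and bans 203.0.113.7 again at 01:00:02 for two hours. The first part is what `maxretry = 3` and `bantime = 1h` in fail2ban's sshd jail do; newer fail2ban releases offer escalating bans through the `bantime.increment` option, so the growing timer does not have to be hand-rolled.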
Quote (originally posted by b0uncer): ...and why is that machine still 'seeing' you're there...
This is a very, very wise comment. Even if your box is locked down tight, the traffic from the attempts can cause problems as well. My recommendation would be to scan your server with a web-based port scanner or from a computer on another network so you can see what they see.
Here is a list, although it is missing my favorite, whose URL I can't remember.
Quote (originally posted by b0uncer): I don't think it's wise to post here (or anywhere, for that matter) the IP addresses of other people, at least if they don't run a public server or anything. It could be a dynamic IP, you never know, and change tomorrow or next month or next year, but still. Try to honor the privacy of others, in all cases.
I totally agree.
Quote (originally posted by b0uncer): Of course you are, of course we all are. Why are some people still getting through, and why is that machine still 'seeing' you're there, why can it still continue if you're secure? If that really was (is) an "attack", being secure is not letting it continue. Changing port numbers, for example, is one thing to stop it, at least for a moment (until a portscan is made, for example).
This is security by obscurity and is not the best practice. All it does is help lessen the amount of logs that are generated. A determined attacker will pick up on this immediately, find the non-standard port that the service is running on, and commence exploiting it.
Quote (originally posted by b0uncer): I don't recommend blocking an IP address, unless it's temporary and will be removed later. It's not nice since you don't really know how serious this is, or if it is, whether the address is static or dynamic, or actually anything else than one (or two or a few) IP addresses that are connecting to you all the time. There are better ways to deal with it. Like setting a timer which grows at each failed login, so that after a few failed login attempts the time between the tries (before your services let that machine try again) grows so big it's of no use anymore. This could be reset after a few days, for example, so it's not permanent (in case of a dynamic IP, for example). Or changing port numbers from the default to something else. Do you even need services that allow external connections, from outside your LAN for example? If not, disable the services (or restrict them to only those machines that you actually need, dropping any other connection tries).
There is nothing wrong with blocking an IP that is behind a home router/firewall, especially if the intention is to not serve public content. To leave an avenue of approach open even though you don't understand the perceived attack is to fail before the cracking has barely begun. There should be no reason to leave a service open to the wild when you've no reason to have that service available to the public.
Quote (originally posted by b0uncer): Reading a (good) book about security wouldn't be bad. Security is not just having a massive firewall or blocking this and that.
Firewalls help, and are acceptable for a home environment in most cases. For the security-minded, it isn't quite as acceptable, but most mom-and-pops and neophytes who are new to the networking world (including people who just want to check their e-mail and peruse the Web) have no understanding of involved attacks. A firewall is fine for those people, provided they know how to set up a SOHO-type (read: simple) firewall.
My advice: block the IP and be done with the paranoia.