I usually run a swatch script to monitor SSH login attempts and deny them via ipfw - most of them are addresses from people running Linux trying to brute-force their way in - the list can get pretty long.

Also, what's most funny is that a lot of those people try Windows server exploits on me.... damn script kiddies....

-Ben
Pat Maddox wrote:

It's not that big of a deal...they didn't get in or anything.  If
you've got a server that's always connected to the internet, you'll
see people trying to break in all the time.  The more popular your
server, the more frequent the attempts.  This is just someone trying
to log in via SSH - so as long as you have good passwords on all your
accounts, and disable remote root login, you're fine.

You may consider denying access after X failed login attempts.


On 8/23/05, ro ro <[EMAIL PROTECTED]> wrote:
Hi All,

I was browsing through my log files and noticed that
someone (or many people) is trying to gain illegal
access to my server (see snippet from log files
below).

The below log file clearly indicates someone trying to
hack away at my personal server.

I performed the following steps:

nmap -v  210.0.142.153

and noticed that this person/institution had port 80
and 21 open.

I visited their website and it appears to be someone
from Hong Kong.
http://www.chkpcc.edu.hk/

HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON
THEIR WEBSITE
-------------------------------------------------------------
Confucian Ho Kwok Pui Chun College
Address: Fu Shin Est., Taipo, N.T., HKSAR
Tel: 852-2666-5926
Fax: 852-2660-7988
E-mail: [EMAIL PROTECTED]
-------------------------------------------------------------


When I saw the logs for the first time. I took the
following steps:
1) AllowUsers in sshd contained only users that I
wanted to have access to my ssh
2) Created a decent ruleset within ipfw that permitted
incoming access to only two ports, ssh and http

I took the issue of creating a good firewall quite
lightly and now I regret that decision.. now I have
learnt... Can someone provide me with guidance on this
issue and advise me on next steps to take action
against such losers.

Thanks
RV

Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
Aug 23 08:19:15 free sshd[22529]: Illegal user admin from 210.0.142.153
Aug 23 08:19:17 free sshd[22531]: Illegal user admin from 210.0.142.153
Aug 23 08:19:19 free sshd[22533]: Illegal user admin from 210.0.142.153
Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:24 free sshd[22537]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:27 free sshd[22539]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:29 free sshd[22541]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:33 free sshd[22543]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:35 free sshd[22545]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 210.0.142.153
Aug 23 08:19:42 free sshd[22551]: Illegal user electra from 210.0.142.153
Aug 23 08:19:44 free sshd[22553]: Illegal user student from 210.0.142.153
Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
Aug 23 08:19:49 free sshd[22557]: User mysql not allowed because not listed in AllowUsers


Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16

Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
Aug 14 10:47:58 free sshd[33631]: Illegal user andres from 64.222.146.197
Aug 14 10:47:59 free sshd[33633]: Illegal user barbara from 64.222.146.197
Aug 14 10:48:01 free sshd[33635]: Illegal user adine from 64.222.146.197
Aug 14 10:48:02 free sshd[33637]: Illegal user test from 64.222.146.197
Aug 14 10:48:04 free sshd[33639]: Illegal user guest from 64.222.146.197
Aug 14 10:48:07 free sshd[33641]: Illegal user db from 64.222.146.197

Aug 23 08:18:40 free sshd[22499]: Illegal user demo from 210.0.142.153
Aug 23 08:18:43 free sshd[22501]: Illegal user postgres from 210.0.142.153
Aug 23 08:18:45 free sshd[22503]: Illegal user postmaster from 210.0.142.153
Aug 23 08:18:47 free sshd[22505]: Illegal user postgres from 210.0.142.153
Aug 23 08:18:49 free sshd[22507]: Illegal user postgres from 210.0.142.153
Aug 23 08:18:52 free sshd[22509]: Illegal user ftp from 210.0.142.153
Aug 23 08:18:54 free sshd[22511]: User news not allowed because not listed in AllowUsers
Aug 23 08:18:56 free sshd[22513]: Illegal user demo from 210.0.142.153
Aug 23 08:18:58 free sshd[22515]: Illegal user demouser from 210.0.142.153
Aug 23 08:19:01 free sshd[22517]: User sshd not allowed because not listed in AllowUsers

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
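The approach Ben and Pat describe (count failed sshd logins per source address and deny the source after X failures) in a small Python detector. This is an added example, not code from the thread, from swatch or from ipfw; it runs over sample lines constructed to match the log excerpt above. The threshold of five failures within ten minutes, the allowlist and the `ipfw add deny ip from <ip> to me` rule form are assumptions for illustration. One caveat the excerpt itself shows: lines of the form "User root not allowed because not listed in AllowUsers" carry no source address in this log format, so a per-source counter cannot attribute them and must not guess.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same format as the sshd lines quoted in the thread,
# including one AllowUsers line, which in this log format carries no source IP.
SAMPLE_LOG = """\
Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
Aug 14 10:47:58 free sshd[33631]: Illegal user andres from 64.222.146.197
Aug 14 10:47:59 free sshd[33633]: Illegal user barbara from 64.222.146.197
Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
"""

# Three sshd message shapes: "Illegal user X from IP", the newer
# "User X from IP not allowed ...", and the older "User X not allowed ..."
# which has no IP and therefore cannot be attributed to a source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<user1>\S+) from (?P<ip1>\S+)"
    r"|User (?P<user2>\S+) from (?P<ip2>\S+) not allowed"
    r"|User (?P<user3>\S+) not allowed)"
)

def parse_failures(text):
    """Return a list of (timestamp, user, ip_or_None) for each failed-login line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # adequate for measuring gaps within one year (assumption: no rollover).
        try:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        except ValueError:
            continue
        user = m.group("user1") or m.group("user2") or m.group("user3")
        ip = m.group("ip1") or m.group("ip2")
        out.append((ts, user, ip))
    return out

def offenders(failures, threshold=5, window=timedelta(minutes=10), allowlist=()):
    """Return {ip: total_failures} for sources with at least `threshold`
    failures inside some `window`-long span. Unattributed lines are skipped;
    allowlisted sources are never reported, so a typo from your own
    workstation cannot lock you out."""
    per_ip = defaultdict(list)
    for ts, _user, ip in failures:
        if ip is not None and ip not in allowlist:
            per_ip[ip].append(ts)
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits

def ipfw_rules(hits):
    """Render one deny rule per offender as a string (assumed ipfw rule form).
    Only rendered here; a swatch action would be the thing that runs it."""
    return ["ipfw add deny ip from %s to me" % ip for ip in sorted(hits)]

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    unattributed = sum(1 for _, _, ip in failures if ip is None)
    print("parsed %d failures, %d without a source address" % (len(failures), unattributed))
    for rule in ipfw_rules(offenders(failures)):
        print(rule)
```

On the sample, 210.0.142.153 and 64.222.146.197 cross the threshold and get a rule; 210.245.197.16 (three failures) and 61.145.222.10 (one) do not, and the root/AllowUsers line is counted but attributed to nobody. In production the rules would be run by the swatch action rather than printed, and the allowlist should contain every address you administer from.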