On Tue, Jul 31, 2001 at 04:14:03PM +0800, Edwin Casimero wrote:
> > Active System Attack Alerts
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port: 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host 154.5.110.252 has been blocked via wrappers with string: "ALL: 154.5.110.252"
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host 154.5.110.252 has been blocked via dropped route using command: "/sbin/route add -host 154.5.110.252 gw 127.0.0.1"
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port: 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host: 154.5.110.252 is already blocked. Ignoring
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port: 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host: 154.5.110.252 is already blocked. Ignoring
> > 


Port 1080 is usually the SOCKS proxy port. It's frequently used by
script kiddies to hide their identities, because if they could use the
proxy server to make connections elsewhere, the attacked site will
record the hijacked proxy's IP and not the true IP.  Which is why they
are so interested in this.

According to ARIN, 154.5.110.252 is a dialup IP from PSInet Canada
(ip252.kitchener3.dialup.canada.psi.net).

> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Jul 30 18:46:03 fil-web PAM_pwdb[23437]: authentication failure; (uid=0) -> root for sshd service
> > Jul 30 18:46:03 fil-web sshd[23437]: Failed password for ROOT from 202.57.120.151 port 1430
> > Jul 30 21:49:50 fil-web PAM_pwdb[24274]: authentication failure; (uid=0) -> fil-org for sshd service
> > Jul 30 21:49:50 fil-web sshd[24274]: Failed password for fil-org from 202.57.120.151 port 1040 ssh2
> > Jul 30 21:49:52 fil-web sshd[24274]: Disconnecting: Too many authentication failures for fil-org
> > Jul 30 21:49:52 fil-web PAM_pwdb[24274]: 6 more authentication failures; (uid=0) -> fil-org for sshd service

202.57.120.151 apparently is a PLDT ADSL IP, according to APNIC
(adsl1-151.info.com.ph).  Someone is trying to crack your system from
there by guessing passwords, looks like.

I hope you've configured sshd not to accept remote root logins.  The
SOB might just get lucky.

The rest of your post does not seem to contain any new information,
just repeats of the above.

By the way, I think you ought to configure PortSentry to create
firewall rules to block offenders.  The way you're configured all it
does is drop routes and add tcpwrappers hosts.deny.  These are by no
means as effective as creating a firewall rule that will drop all
packets coming from that source.  Anyway, no good administrator should
connect any machine with a static IP to the Internet without any kind
of firewalling capability...

-- 
Rafael R. Sevilla <[EMAIL PROTECTED]>   +63(2)   8177746 ext. 8311
Programmer, InterdotNet Philippines              +63(917) 4458925
http://dido.engr.internet.org.ph/                OpenPGP Key ID: 0x5CDA17D8

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GAT d- s:- a- C++++ UL+++ P+++ L+++ E++ W++ N+ o K- w--- 
O- M-- V- PS+ PE Y+ PGP++ t+ 5 X+ R tv+ b+++ DI++ D+ 
G e++ h! r++ y+ 
------END GEEK CODE BLOCK------
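As an added example (not part of the thread above), here is a small Python triage script that reads PortSentry "attackalert" lines and sshd "Failed password" lines like the ones quoted and summarizes, per source address, which ports were probed, how PortSentry blocked the host (tcpwrappers vs. dropped route), and how many SSH password failures hit each account. The sample log lines are constructed, modelled on the quoted entries; the regexes assume the message formats shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the PortSentry and sshd lines quoted in the thread.
SAMPLE_LOG = """\
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port: 1080
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host 154.5.110.252 has been blocked via wrappers with string: "ALL: 154.5.110.252"
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host 154.5.110.252 has been blocked via dropped route using command: "/sbin/route add -host 154.5.110.252 gw 127.0.0.1"
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port: 1080
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host: 154.5.110.252 is already blocked. Ignoring
Jul 30 18:46:03 fil-web sshd[23437]: Failed password for ROOT from 202.57.120.151 port 1430
Jul 30 21:49:50 fil-web sshd[24274]: Failed password for fil-org from 202.57.120.151 port 1040 ssh2
Jul 30 21:49:52 fil-web sshd[24274]: Disconnecting: Too many authentication failures for fil-org
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# PortSentry: a connection to a watched port (hostname/ip, protocol, port).
CONNECT_RE = re.compile(r"portsentry\[\d+\]: attackalert: Connect from host: \S+/" + IP + r" to (TCP|UDP) port: (\d+)")
# PortSentry: the blocking action it took ("wrappers" = hosts.deny, "dropped route" = route to 127.0.0.1).
BLOCK_RE = re.compile(r"portsentry\[\d+\]: attackalert: Host " + IP + r" has been blocked via (wrappers|dropped route)")
# sshd: one failed password attempt for a given account from a given source.
SSHFAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from " + IP + r" port \d+")


def summarize(log_text):
    """Group events by source IP: probed ports, block methods applied, SSH failures per account."""
    report = defaultdict(lambda: {"probes": defaultdict(int), "blocks": set(),
                                  "ssh_failures": defaultdict(int)})
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            ip, proto, port = m.groups()
            report[ip]["probes"][f"{proto}/{port}"] += 1
        elif m := BLOCK_RE.search(line):
            ip, method = m.groups()
            report[ip]["blocks"].add(method)
        elif m := SSHFAIL_RE.search(line):
            user, ip = m.groups()
            report[ip]["ssh_failures"][user] += 1   # account name kept exactly as sshd logged it
    return report


def root_login_attempts(report):
    """Sources that tried the root password (case-insensitive, since sshd logged 'ROOT' above)."""
    return sorted(ip for ip, r in report.items()
                  if any(u.lower() == "root" for u in r["ssh_failures"]))


if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        print(ip, dict(r["probes"]), sorted(r["blocks"]), dict(r["ssh_failures"]))
```

Hosts listed by `root_login_attempts` are the ones to check first against the `PermitRootLogin` setting in sshd_config.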
