On 06/03/2007 04:03 AM, Mihai Dobre wrote:
Hi everyone!

Out of negligence, I left ALL:ALL in the wrappers of a machine with sshd on the public interface; since then I keep finding the logs full of this:
--
May 30 14:45:08 ftp sshd[24665]: Invalid user oracle from 209.51.140.132
May 30 14:45:08 ftp sshd[24665]: Failed password for invalid user oracle from 209.51.140.132 port 53357 ssh2
May 31 22:17:45 ftp sshd[25617]: Failed password for root from 216.227.212.227 port 47863 ssh2
May 31 22:17:45 ftp sshd[25617]: reverse mapping checking getaddrinfo for dm00030.lunarpages.com failed - POSSIBLE BREAKIN ATTEMPT!
Jun  2 23:59:52 ftp sshd[2436]: Invalid user irak from 70.87.55.194
Jun  2 23:59:53 ftp sshd[2436]: Failed password for invalid user irak from 70.87.55.194 port 51110 ssh2
Jun  2 23:59:53 ftp sshd[2445]: Invalid user lisabona from 70.87.55.194
Jun  2 23:59:53 ftp sshd[2448]: Invalid user tiasa from 70.87.55.194
Jun  2 23:59:53 ftp sshd[2445]: Failed password for invalid user lisabona from 70.87.55.194 port 51279 ssh2
Jun  2 23:59:53 ftp sshd[2448]: Failed password for invalid user tiasa from 70.87.55.194 port 51283 ssh2
Jun  3 01:11:14 ftp sshd[25292]: Failed password for root from 211.12.244.193 port 35802 ssh2
Jun  3 01:11:18 ftp sshd[25296]: Failed password for root from 211.12.244.193 port 35883 ssh2
Jun  3 01:11:23 ftp sshd[25300]: Failed password for root from 211.12.244.193 port 35965 ssh2
Jun  3 01:11:33 ftp sshd[25304]: Failed password for root from 211.12.244.193 port 36045 ssh2
--
A (big) pile of attempts against sshd, some of them persistent (30-40 min). Is this the usual junk traffic at an ordinary person's machine on a normal day?
yes
Because if it is, I'm seriously considering backing tcpd up with DROP, even if it smells of paranoia. Until this experience, the routine was 5-15 rejected connections per day.
There are many methods for eliminating the noise, starting with moving sshd to another port, continuing with restricting access (via tcpwrappers and/or iptables) to the permitted IPs only (as far as that is possible), passing through pam_abl and denyhosts, and ending with port knocking (--> iptables match recent) and single packet authorization.
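The denyhosts-style approach mentioned above (count failed logins per source in sshd's log and feed the offenders back into tcp_wrappers) can be shown with a small log parser. This is an added example and not part of the thread or of denyhosts itself; the log lines are constructed to match the shapes in the post, use RFC 5737 documentation addresses, and the hostname, PIDs and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# syslog prefix as written by sshd: "Mon  D HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The two failure messages seen in the post. "Invalid user" is always followed
# by a "Failed password for invalid user" line, so only the latter is counted.
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$")

# Constructed sample log (not from the post): one fast burst, one short probe,
# three slow attempts spread over hours, and an unrelated successful login.
SAMPLE_LOG = """\
Jun  3 01:11:14 ftp sshd[25292]: Failed password for root from 198.51.100.7 port 35802 ssh2
Jun  3 01:11:18 ftp sshd[25296]: Failed password for root from 198.51.100.7 port 35883 ssh2
Jun  3 01:11:23 ftp sshd[25300]: Failed password for root from 198.51.100.7 port 35965 ssh2
Jun  3 01:11:33 ftp sshd[25304]: Failed password for root from 198.51.100.7 port 36045 ssh2
Jun  2 23:59:52 ftp sshd[2436]: Invalid user oracle from 203.0.113.9
Jun  2 23:59:53 ftp sshd[2436]: Failed password for invalid user oracle from 203.0.113.9 port 51110 ssh2
Jun  2 23:59:53 ftp sshd[2445]: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAKIN ATTEMPT!
Jun  2 23:59:54 ftp sshd[2445]: Failed password for invalid user lisabona from 203.0.113.9 port 51279 ssh2
Jun  3 08:00:01 ftp sshd[3001]: Failed password for admin from 192.0.2.44 port 40001 ssh2
Jun  3 10:30:07 ftp sshd[3102]: Failed password for admin from 192.0.2.44 port 40002 ssh2
Jun  3 13:02:55 ftp sshd[3210]: Failed password for admin from 192.0.2.44 port 40003 ssh2
Jun  3 13:05:00 ftp sshd[3300]: Accepted publickey for mihai from 192.0.2.10 port 50000 ssh2
"""


def parse_line(line, year=2007):
    """Return {'kind','user','ip','ts'} for a failure line, None for anything else.

    syslog timestamps carry no year, so the caller supplies one (assumed 2007)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in (("failed", FAILED_RE), ("invalid", INVALID_RE)):
        mm = rx.match(msg)
        if mm:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return {"kind": kind, "user": mm.group("user"), "ip": mm.group("ip"), "ts": ts}
    return None


def find_offenders(lines, threshold=3, window_seconds=600):
    """Map source IP -> total failed passwords, for every IP that produced at
    least `threshold` failures inside any `window_seconds`-long sliding window.
    The window keeps slow, spread-out failures from triggering a block."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "failed":
            stamps_by_ip[ev["ip"]].append(ev["ts"])

    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders


def hosts_deny_lines(offenders):
    """Render offenders as tcp_wrappers /etc/hosts.deny entries for sshd."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for entry in hosts_deny_lines(found):
        print(entry)
```

With the defaults (3 failures within 10 minutes) only the fast burst from 198.51.100.7 is flagged; widening the window to several hours also catches the slow attempts from 192.0.2.44, while the two-attempt probe stays below the threshold either way. A real deployment would append the output to /etc/hosts.deny (or into an iptables chain) and expire entries after a while, which is exactly the part denyhosts and pam_abl automate.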



_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
