On 06/03/2007 04:03 AM, Mihai Dobre wrote:
> Hello everyone!
> Through negligence, I left ALL:ALL in the wrappers of a machine with sshd on
> the public interface, and since then I keep finding the logs full:
> --
> May 30 14:45:08 ftp sshd[24665]: Invalid user oracle from 209.51.140.132
> May 30 14:45:08 ftp sshd[24665]: Failed password for invalid user oracle from
> 209.51.140.132 port 53357 ssh2
> May 31 22:17:45 ftp sshd[25617]: Failed password for root from 216.227.212.227
> port 47863 ssh2
> May 31 22:17:45 ftp sshd[25617]: reverse mapping checking getaddrinfo for
> dm00030.lunarpages.com failed - POSSIBLE BREAKIN ATTEMPT!
> Jun 2 23:59:52 ftp sshd[2436]: Invalid user irak from 70.87.55.194
> Jun 2 23:59:53 ftp sshd[2436]: Failed password for invalid user irak from
> 70.87.55.194 port 51110 ssh2
> Jun 2 23:59:53 ftp sshd[2445]: Invalid user lisabona from 70.87.55.194
> Jun 2 23:59:53 ftp sshd[2448]: Invalid user tiasa from 70.87.55.194
> Jun 2 23:59:53 ftp sshd[2445]: Failed password for invalid user lisabona from
> 70.87.55.194 port 51279 ssh2
> Jun 2 23:59:53 ftp sshd[2448]: Failed password for invalid user tiasa from
> 70.87.55.194 port 51283 ssh2
> Jun 3 01:11:14 ftp sshd[25292]: Failed password for root from 211.12.244.193
> port 35802 ssh2
> Jun 3 01:11:18 ftp sshd[25296]: Failed password for root from 211.12.244.193
> port 35883 ssh2
> Jun 3 01:11:23 ftp sshd[25300]: Failed password for root from 211.12.244.193
> port 35965 ssh2
> Jun 3 01:11:33 ftp sshd[25304]: Failed password for root from 211.12.244.193
> port 36045 ssh2
> --
> A (big) pile of attempts against sshd, some of them persistent (30-40 min). Is
> this the usual junk traffic at an ordinary site on a normal day?
Yes.
> Because if so, I'm seriously thinking of doubling tcpd with DROP, even if it
> smacks of paranoia.
> Until this experience, the routine was 5-15 rejected connections per day.
There are many ways to cut down the noise: starting with moving sshd to another
port, continuing with restricting access (via tcpwrappers and/or iptables) to
the permitted IPs only (as far as that is possible), going on to pam_abl and
denyhosts, and ending up at port knocking (--> iptables match recent) and
single packet authorization.
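As an added illustration of what tools like denyhosts or pam_abl do with the log lines quoted above (this is example code, not part of the thread or of either tool): parse the sshd "Failed password" messages, group them by source address, and report addresses that exceed a failure threshold within a time window. The sample log is the excerpt from the post with the wrapped lines rejoined; the year (2007) and the threshold/window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both sshd forms quoted in the post:
#   "Failed password for root from 1.2.3.4 port 47863 ssh2"
#   "Failed password for invalid user oracle from 1.2.3.4 port 53357 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Log excerpt from the post, rejoined into single syslog lines.
SAMPLE_LOG = """\
May 30 14:45:08 ftp sshd[24665]: Invalid user oracle from 209.51.140.132
May 30 14:45:08 ftp sshd[24665]: Failed password for invalid user oracle from 209.51.140.132 port 53357 ssh2
May 31 22:17:45 ftp sshd[25617]: Failed password for root from 216.227.212.227 port 47863 ssh2
May 31 22:17:45 ftp sshd[25617]: reverse mapping checking getaddrinfo for dm00030.lunarpages.com failed - POSSIBLE BREAKIN ATTEMPT!
Jun 2 23:59:52 ftp sshd[2436]: Invalid user irak from 70.87.55.194
Jun 2 23:59:53 ftp sshd[2436]: Failed password for invalid user irak from 70.87.55.194 port 51110 ssh2
Jun 2 23:59:53 ftp sshd[2445]: Failed password for invalid user lisabona from 70.87.55.194 port 51279 ssh2
Jun 2 23:59:53 ftp sshd[2448]: Failed password for invalid user tiasa from 70.87.55.194 port 51283 ssh2
Jun 3 01:11:14 ftp sshd[25292]: Failed password for root from 211.12.244.193 port 35802 ssh2
Jun 3 01:11:18 ftp sshd[25296]: Failed password for root from 211.12.244.193 port 35883 ssh2
Jun 3 01:11:23 ftp sshd[25300]: Failed password for root from 211.12.244.193 port 35965 ssh2
Jun 3 01:11:33 ftp sshd[25304]: Failed password for root from 211.12.244.193 port 36045 ssh2
""".splitlines()

def parse_failures(lines, year=2007):
    """Yield (timestamp, user, ip) for every failed-password line. Syslog omits the
    year, so one is supplied (assumed 2007, the date of the thread)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(lines, threshold=3, window_s=600):
    """Return {ip: count} for sources with >= threshold failures inside any
    window_s-second span; count is the largest such burst seen for that ip."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i  # extend the burst while it stays inside the window
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), j - i + 1)
    return hits

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 10 minutes")
```

The single failures from 209.51.140.132 and 216.227.212.227 stay below the threshold, while the two dictionary bursts are reported; the output of such a scan is what a denyhosts-style tool feeds into hosts.deny or an iptables DROP rule.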
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug