Re: Connection closed by [IP] port [port] [preauth]

2020-02-29 Thread Didar Hossain
On Wed, Feb 26, 2020 at 08:49:28AM +0100, Klaus Singvogel wrote:
> deloptes wrote:
> > +1 :( and I am not using standard port 22, so they scanned all 3 ports
> > and found out what is open (well filtered) and now are trying to do brute
> > force on SSH. Others are trying to exploit apache/php & Co.
> 
> I'm using portsentry against this:
> https://packages.debian.org/buster/portsentry
> 
> Let it sniff on some unused ports, like 445, 69, 8181, 5353, or 22. :-)
> 
> https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
> 
> But beware to have a whitelisted IP address active. I locked myself out
> after switching to a different computer, like a freshly installed Linux. :-)

"fwknop" is another tool to consider if you don't like getting scanned.

Regards,
Didar

> 
> Regards,
>   Klaus.
> -- 
> Klaus Singvogel
> GnuPG-Key-ID: 1024R/5068792D  1994-06-27
> 

-- 
Basic Definitions of Science:
If it's green or wiggles, it's biology.
If it stinks, it's chemistry.
If it doesn't work, it's physics.



Re: Connection closed by [IP] port [port] [preauth]

2020-02-25 Thread Klaus Singvogel
deloptes wrote:
> +1 :( and I am not using standard port 22, so they scanned all 3 ports
> and found out what is open (well filtered) and now are trying to do brute
> force on SSH. Others are trying to exploit apache/php & Co.

I'm using portsentry against this:
https://packages.debian.org/buster/portsentry

Let it sniff on some unused ports, like 445, 69, 8181, 5353, or 22. :-)

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

But beware to have a whitelisted IP address active. I locked myself out
after switching to a different computer, like a freshly installed Linux. :-)

Regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Connection closed by [IP] port [port] [preauth]

2020-02-25 Thread deloptes
Tixy wrote:

>> Since February 11th at 00:25:09, I am getting the following every 12
>> seconds:
>> 
>> Feb 11 00:25:09 box sshd[17733]: Connection closed by 118.126.105.120
>> port 54422 [preauth]
> 
> I'm getting that too.

+1 :( and I am not using standard port 22, so they scanned all 3 ports
and found out what is open (well filtered) and now are trying to do brute
force on SSH. Others are trying to exploit apache/php & Co.





Re: Connection closed by [IP] port [port] [preauth]

2020-02-25 Thread steve

On 24-02-2020, at 15:51:53 -0500, Dan Ritter wrote:

> steve wrote:
> 
> > Hi there,
> > 
> > Since February 11th at 00:25:09, I am getting the following every 12
> > seconds:
> > 
> > Feb 11 00:25:09 box sshd[17733]: Connection closed by 118.126.105.120 port 
> > 54422 [preauth]
> > 
> > And when I say every 12 seconds, it is really every 12 seconds, and this
> > is now going on for more than 13 days, without any interruption. At the
> > beginning, I thought that this was just standard nmap scans or
> > something similar and so didn't bother taking any action. But now I'm
> > asking myself who (in China) would be so stupid to continue this
> > scanning.
> > 
> > What should I do? Send an email to the abuse contact? Ignore it and wait
> > until it's over? It doesn't seem naughty but it's getting irritating.
> 
> sudo apt install iptables-persistent
> sudo iptables -A INPUT -s 118.126.105.120 -j DROP
> sudo netfilter-persistent save


Clean logs, thanks :)

Funny, right after issuing these commands, new IP started scanning my
system. Re-issued the commands and the problem was solved.

Thanks a lot.

S



Re: Connection closed by [IP] port [port] [preauth]

2020-02-24 Thread Tixy
On Mon, 2020-02-24 at 21:38 +0100, steve wrote:
> Hi there,
> 
> Since February 11th at 00:25:09, I am getting the following every 12
> seconds:
> 
> Feb 11 00:25:09 box sshd[17733]: Connection closed by 118.126.105.120 port 
> 54422 [preauth]

I'm getting that too.

> And when I say every 12 seconds, it is really every 12 seconds, and this
> is now going on for more than 13 days, without any interruption. At the
> beginning, I thought that this was just standard nmap scans or
> something similar and so didn't bother taking any action. But now I'm
> asking myself who (in China) would be so stupid to continue this
> scanning.

The bot is possibly trying to trigger some vulnerability, which we can
expect is a known one and fixed in Debian.

> What should I do? Send an email to the abuse contact? Ignore it and wait
> until it's over? It doesn't seem naughty but it's getting irritating.

You've already had the same suggestions I'd give. I run fail2ban on all
internet facing systems, which will block IP addresses which are
repeatedly trying and failing things like password logins to sshd.
Unfortunately, simple connection drops like these aren't covered by the
built-in rules. There may be ways of adding custom rules, but I've just
taken to manually adding IP addresses to a blacklist with iptables. (To
avoid their irritation in the logs rather than fear that the bots will
be able to do anything nasty.)

-- 
Tixy
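Tixy's point is that fail2ban's stock sshd rules count failed logins, not bare pre-auth connection closes, so a custom rule has to do its own counting. The block below is an added example, not code from this thread or from fail2ban: it applies fail2ban-style findtime/maxretry sliding-window logic to sshd lines matching the quoted message, keeps an allow-list so a rule like this can never lock out your own address (the mistake Klaus describes elsewhere in the thread), and turns the result into the DROP rule Dan posted after checking that each string really is an IP literal. The log lines are constructed for the example (they reuse the address quoted in the thread); the `year` argument is an assumption, because classic syslog timestamps carry no year.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# The exact sshd message quoted in the thread; accepts IPv4 or IPv6 literals.
PREAUTH_CLOSE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Connection closed by (?P<ip>[0-9A-Fa-f.:]+) port \d+ \[preauth\]$"
)

# Constructed sample log for this example: one scanner hitting every 12 seconds
# (the address quoted in the thread), one real login, one stray pre-auth close
# from a legitimate host that must not be banned.
SAMPLE_LOG = """\
Feb 11 00:25:09 box sshd[17733]: Connection closed by 118.126.105.120 port 54422 [preauth]
Feb 11 00:25:21 box sshd[17735]: Connection closed by 118.126.105.120 port 54431 [preauth]
Feb 11 00:25:30 box sshd[17737]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Feb 11 00:25:33 box sshd[17738]: Connection closed by 118.126.105.120 port 54440 [preauth]
Feb 11 00:25:45 box sshd[17740]: Connection closed by 118.126.105.120 port 54452 [preauth]
Feb 11 00:25:50 box sshd[17741]: Connection closed by 192.0.2.10 port 51002 [preauth]
Feb 11 00:25:57 box sshd[17743]: Connection closed by 118.126.105.120 port 54460 [preauth]
Feb 11 00:26:09 box sshd[17745]: Connection closed by 118.126.105.120 port 54470 [preauth]
""".splitlines()


def parse_ts(stamp, year):
    # Classic syslog stamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_preauth_floods(lines, maxretry=5, findtime=600, allowlist=(), year=2020):
    """Sliding-window count of pre-auth closes per source address, in the spirit
    of fail2ban's findtime/maxretry. Returns {ip: timestamp of the hit that
    crossed the threshold}. Addresses in allowlist are never reported."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = PREAUTH_CLOSE.match(line)
        if not m:
            continue              # any other sshd message is ignored
        ip = m.group("ip")
        if ip in allowlist or ip in offenders:
            continue
        ts = parse_ts(m.group("ts"), year)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop hits older than findtime
        if len(window) >= maxretry:
            offenders[ip] = ts
    return offenders


def drop_rules(offenders):
    """One iptables DROP rule per offender (the rule Dan posted), after checking
    the string really is an IP literal so nothing from a log line reaches a
    shell unvalidated."""
    rules = []
    for ip in sorted(offenders):
        ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
        rules.append(f"iptables -A INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    hits = find_preauth_floods(SAMPLE_LOG, allowlist={"192.0.2.10"})
    for ip, when in hits.items():
        print(f"{ip}: threshold crossed at {when:%b %d %H:%M:%S}")
    for rule in drop_rules(hits):
        print(rule)
```

With the defaults (5 hits inside 600 seconds) the 12-second scanner trips the threshold on its fifth line, while the host that closed a single connection does not. The same regex, with the address group written as fail2ban's `<HOST>` token, is what a custom filter for this message would need; the allow-list is the equivalent of fail2ban's `ignoreip` and is the part worth setting before enabling any automatic ban.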



Re: Connection closed by [IP] port [port] [preauth]

2020-02-24 Thread john doe
On 2/24/2020 9:38 PM, steve wrote:
> Hi there,
>
> Since February 11th at 00:25:09, I am getting the following every 12
> seconds:
>
> Feb 11 00:25:09 box sshd[17733]: Connection closed by 118.126.105.120
> port 54422 [preauth]
>
> And when I say every 12 seconds, it is really every 12 seconds, and this
> is now going on for more than 13 days, without any interruption. At the
> beginning, I thought that this was just standard nmap scans or
> something similar and so didn't bother taking any action. But now I'm
> asking myself who (in China) would be so stupid to continue this
> scanning.
>
> What should I do? Send an email to the abuse contact? Ignore it and wait
> until it's over? It doesn't seem naughty but it's getting irritating.
>

Find a way to block/ban this address: fail2ban, firewall and to some
extent sshd_config.

--
John Doe



Re: Connection closed by [IP] port [port] [preauth]

2020-02-24 Thread Dan Ritter
steve wrote: 
> Hi there,
> 
> Since February 11th at 00:25:09, I am getting the following every 12
> seconds:
> 
> Feb 11 00:25:09 box sshd[17733]: Connection closed by 118.126.105.120 port 
> 54422 [preauth]
> 
> And when I say every 12 seconds, it is really every 12 seconds, and this
> is now going on for more than 13 days, without any interruption. At the
> beginning, I thought that this was just standard nmap scans or
> something similar and so didn't bother taking any action. But now I'm
> asking myself who (in China) would be so stupid to continue this
> scanning.
> 
> What should I do? Send an email to the abuse contact? Ignore it and wait
> until it's over? It doesn't seem naughty but it's getting irritating.

sudo apt install iptables-persistent
sudo iptables -A INPUT -s 118.126.105.120 -j DROP
sudo netfilter-persistent save


If you want rules inserted automatically and removed after a
time, install fail2ban.

-dsr-



Connection closed by [IP] port [port] [preauth]

2020-02-24 Thread steve

Hi there,

Since February 11th at 00:25:09, I am getting the following every 12
seconds:

Feb 11 00:25:09 box sshd[17733]: Connection closed by 118.126.105.120 port 
54422 [preauth]

And when I say every 12 seconds, it is really every 12 seconds, and this
is now going on for more than 13 days, without any interruption. At the
beginning, I thought that this was just standard nmap scans or
something similar and so didn't bother taking any action. But now I'm
asking myself who (in China) would be so stupid to continue this
scanning.

What should I do? Send an email to the abuse contact? Ignore it and wait
until it's over? It doesn't seem naughty but it's getting irritating.

Thanks

S