Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
I'm seeing those as well. The connection attempts are harmless, but annoying, since they fill up the logs. I decided to solve the problem by restricting the IP range that can access my sshd to the class-A blocks that are most commonly used in my country. Maybe it's not a truly elegant solution, but it's simple, and it works.

Cheers
Benjamin
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On Saturday 27 August 2005 07:29 pm, [EMAIL PROTECTED] wrote:

> I'm curious about this bit - what do you do about accidentally mistyped usernames by valid users?

Have users do this:

    $ cat .ssh/config
    Host paranoidhost
        Hostname paranoid.example.com
        User getthisright

...and the problem is solved. Do people actually type their username for a particular host more than once?

-- 
Kirk Strauser
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
I also get a large amount of attacks via ssh. I decided that the people who have access to my server (only 12) know what their usernames are. My decision was to set up a swatch script to monitor the types of errors that are picked up in the logs:

- if the attempt was with a username that doesn't exist - I add the IP to a db of banned IPs and flush and restart ipfw
- if it is from a username that does exist - I give the person 5 tries; if by the 5th try they can't get in, I add the IP to the db as stated above.

It sounds pretty harsh, but it definitely stops those idiots. I've got a large list of IPs, and from nmapping them most are from people running entry level linux distros with many holes in their security setup. I could get revenge, but not worth it.

If anyone is curious about the script let me know,
Ben

Maarten Sanders wrote:
> On Thu, 2005-08-25 at 07:22 -0400, Lee Capps wrote:
> > On 11:18 Wed 24 Aug , Chris St Denis wrote:
> > > How can I easily auto deny after x failed attempts? Is this an sshd setting? I could find it. Is there something in ports that will firewall off somebody who is brute forcing?
> >
> > In addition to adding entries to /etc/hosts.allow you could try DenyHosts: http://denyhosts.sourceforge.net/ I didn't find a port, but it works with FreeBSD and isn't too onerous to install.
> >
> > HTH,
> > Lee
>
> Nice suggestion, but how do I enable tcp_wrappers with sshd? See: http://denyhosts.sourceforge.net/ssh_config.html
>
> I tried adding
>
>     sshd: 127.0.0.1 : deny
>
> to /etc/hosts.allow but I failed the described test.
>
> Maarten

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
> -if the attempt was with a username that doesnt exist - i add the ip to a db of banned ips and flush and restart ipfw

I'm curious about this bit - what do you do about accidentally mistyped usernames by valid users?

cheers,
-- 
Joel Hatton -- Security Analyst        | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT    | Fax:     +61 7 3365 7031
The University of Queensland           | WWW:     www.auscert.org.au
Qld 4072 Australia                     | Email:   [EMAIL PROTECTED]
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
If this server was used by 100+ people I would of course not have such a harsh security script set up. Everyone who uses it has great experience and understands the consequences. Like I said before, this is usually for personal use and has about 12 users total. If this was used to manage ssh on something big I would lower the security measures.

Hope you can understand some now :)

Ben

[EMAIL PROTECTED] wrote:
> > -if the attempt was with a username that doesnt exist - i add the ip to a db of banned ips and flush and restart ipfw
>
> I'm curious about this bit - what do you do about accidentally mistyped usernames by valid users?
>
> cheers,
> -- 
> Joel Hatton
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
> if this server was used by 100+ people i would of course not have such a harsh security script set up. everyone who uses it has great experience and understands the consequences. like i said before, this is usually for personal use and has about 12 users total. if this was used to manage ssh on something big i would lower the security measures. hope you can understand some now :)

Certainly. However, given that you are willing to accept (risk?) 5 attempts at a legitimate account I don't believe there would be any greater risk in allowing the same for invalid accounts also, given that the likelihood of gaining access to those is actually less - and it would make your script simpler, too, whilst preventing the (albeit, unlikely in your situation) possibility of a DoS to a valid user. To be honest, reversing your logic somewhat wrt valid/invalid accounts and 1/5 attempts could have merit also.

That said, I'd be interested in seeing how you implement this with swatch as I'm looking at log parsing solutions in general.

best regards,
-- 
Joel Hatton
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On 8/27/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > if this server was used by 100+ people i would of course not have such a harsh security script set up. [...] hope you can understand some now :)
>
> Certainly. However, given that you are willing to accept (risk?) 5 attempts at a legitimate account I don't believe there would be any greater risk in allowing the same for invalid accounts also, given that the likelihood of gaining access to those is actually less - and it would make your script simpler, too, whilst preventing the (albeit, unlikely in your situation) possibility of a DoS to a valid user. To be honest, reversing your logic somewhat wrt valid/invalid accounts and 1/5 attempts could have merit also.
>
> That said, I'd be interested in seeing how you implement this with swatch as I'm looking at log parsing solutions in general.

I'd like to see it too, my logs are filled with brute force ssh login attempts. I'd like something like... x attempts in y time blocks source IP (or class c block etc.) for z hours.
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
I got annoyed with all the illegal ssh login attempts, so I now use this little program in crontab: http://www.ankeborg.nu/~sjk/ssh.c (don't use it if you don't understand it.)

On 8/24/05, Chris St Denis [EMAIL PROTECTED] wrote:
> How can I easily auto deny after x failed attempts? Is this an sshd setting? I could find it. Is there something in ports that will firewall off somebody who is brute forcing?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pat Maddox
> Sent: Tuesday, August 23, 2005 9:27 PM
> To: FreeBSD Questions
> Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
>
> It's not that big of a deal...they didn't get in or anything. If you've got a server that's always connected to the internet, you'll see people trying to break in all the time. The more popular your server, the more frequent the attempts. This is just someone trying to log in via SSH - so as long as you have good passwords on all your accounts, and disable remote root login, you're fine. You may consider denying access after X failed login attempts.
>
> On 8/23/05, ro ro [EMAIL PROTECTED] wrote:
> > Hi All,
> >
> > I was browsing through my log files and noticed that someone (or many people) is trying to gain illegal access to my server (see snippet from log files below). The below log file clearly indicates someone trying to hackaway at my personal server.
> >
> > I performed the following steps: nmap -v 210.0.142.153 and noticed that this person/institution had port 80 and 21 open. I visited their website and it appears to be someone from hongkong. http://www.chkpcc.edu.hk/
> >
> > HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON THEIR WEBSITE
> > -
> > Confucian Ho Kwok Pui Chun College 孔 教 學 院 何 郭 佩 珍 中 學
> > Address 地址: Fu Shin Est., Taipo, N.T., HKSAR 香港新界大埔富善村
> > Tel 電話: 852-2666-5926
> > Fax 傳真: 852-2660-7988
> > E-mail 電郵: [EMAIL PROTECTED]
> > -
> >
> > When I saw the logs for the first time. I took the following steps:
> > 1) AllowUsers in sshd contained only users that I wanted to have access to my ssh
> > 2) Created a decent rulest within ipfw that permitted incoming access to only two ports ssh and http
> >
> > I took the issue of creating a good firewall quite lightly and now I regret that decision.. now I have learnt... Can someone provide me with guidance on this issue and advise me on next steps to take action against such losers.
> >
> > Thanks
> > RV
> >
> > Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
> > Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:15 free sshd[22529]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:17 free sshd[22531]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:19 free sshd[22533]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:24 free sshd[22537]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:27 free sshd[22539]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:29 free sshd[22541]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:33 free sshd[22543]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:35 free sshd[22545]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
> > Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 210.0.142.153
> > Aug 23 08:19:42 free sshd[22551]: Illegal user electra from 210.0.142.153
> > Aug 23 08:19:44 free sshd[22553]: Illegal user student from 210.0.142.153
> > Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
> > Aug 23 08:19:49 free sshd[22557]: User mysql not allowed because not listed in AllowUsers
> > Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> > Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> > Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> > Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> > Aug 11 20:16:23 free sshd[21593]: Illegal user user
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On 11:18 Wed 24 Aug , Chris St Denis wrote:
> How can I easily auto deny after x failed attempts? Is this an sshd setting? I could find it. Is there something in ports that will firewall off somebody who is brute forcing?

In addition to adding entries to /etc/hosts.allow you could try DenyHosts: http://denyhosts.sourceforge.net/ I didn't find a port, but it works with FreeBSD and isn't too onerous to install.

HTH,
Lee
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
Chris St Denis [EMAIL PROTECTED] writes:
> How can I easily auto deny after x failed attempts? Is this an sshd setting? I could find it. Is there something in ports that will firewall off somebody who is brute forcing?

With PF, it's fairly easy to set up with max-src-conn, max-src-conn-rate overload tableofbadbuys in your pass rule. See pf.conf(5) for details. There's probably some magic around to make this doable with other firewalls as well.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On Thu, 2005-08-25 at 07:22 -0400, Lee Capps wrote:
> On 11:18 Wed 24 Aug , Chris St Denis wrote:
> > How can I easily auto deny after x failed attempts? Is this an sshd setting? I could find it. Is there something in ports that will firewall off somebody who is brute forcing?
>
> In addition to adding entries to /etc/hosts.allow you could try DenyHosts: http://denyhosts.sourceforge.net/ I didn't find a port, but it works with FreeBSD and isn't too onerous to install.
>
> HTH,
> Lee

Nice suggestion, but how do I enable tcp_wrappers with sshd? See: http://denyhosts.sourceforge.net/ssh_config.html

I tried adding

    sshd: 127.0.0.1 : deny

to /etc/hosts.allow but I failed the described test.

Maarten
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On Fri, 26 Aug 2005 00:24:48 +0200 Maarten Sanders [EMAIL PROTECTED] wrote:
> Nice suggestion, but how do I enable tcp_wrappers with sshd?

from http://lists.freebsd.org/pipermail/freebsd-security/2004-September/002351.html

in /usr/src/crypto/openssh/config.h find the line:

    /* Define if you want TCP Wrappers support */

enable it, rebuild etc.
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
> On Fri, 26 Aug 2005 00:24:48 +0200 Maarten Sanders [EMAIL PROTECTED] wrote:
> > Nice suggestion, but how do I enable tcp_wrappers with sshd?
>
> from http://lists.freebsd.org/pipermail/freebsd-security/2004-September/002351.html
>
> in /usr/src/crypto/openssh/config.h find the line:
>
>     /* Define if you want TCP Wrappers support */
>
> enable it, rebuild etc.

This is the default, so no need to rebuild - you just have to tighten up your /etc/hosts.allow. Instead of the default:

    ALL : ALL : allow

try (eg if you have a host 192.168.1.1):

    sshd : 192.168.1.1 : allow
    ALL : ALL : deny

joel
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On 8/24/05, ro ro [EMAIL PROTECTED] wrote:
> Hi All,
>
> I was browsing through my log files and noticed that someone (or many people) is trying to gain illegal access to my server (see snippet from log files below). The below log file clearly indicates someone trying to hackaway at my personal server.
> [...]
> Can someone provide me with guidance on this issue and advise me on next steps to take action against such losers.
>
> Thanks
> RV
>
> Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
> [...]
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
> Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
> Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
> Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
> Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
> Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
> Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
> Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
> Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
> Aug 14 10:47:58 free sshd[33631]: Illegal user andres from 64.222.146.197
> Aug 14 10:47:59 free sshd[33633]: Illegal user barbara from 64.222.146.197
> Aug 14 10:48:01 free sshd[33635]: Illegal user adine from 64.222.146.197
> Aug 14 10:48:02 free sshd[33637]: Illegal user test from 64.222.146.197
> Aug 14 10:48:04 free sshd[33639]: Illegal user guest from 64.222.146.197
> Aug 14 10:48:07 free sshd[33641]: Illegal user db from 64.222.146.197
> Aug 23 08:18:40 free sshd[22499]: Illegal user demo from 210.0.142.153
> Aug 23 08:18:43 free sshd[22501]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:45 free sshd[22503]: Illegal user postmaster from 210.0.142.153
> Aug 23 08:18:47 free sshd[22505]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:49 free sshd[22507]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:52 free sshd[22509]: Illegal user ftp from 210.0.142.153
> Aug 23
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
> Also, most if not all of the blocks below are Asia netblocks that I have had more then 3 attempts to gain access to my servers.
>
> 220.0.0.0/8
> 202.0.0.0/7
> 134.208.0.0/16
> 218.0.0.0/8
> 210.0.0.0/7
> 221.0.0.0/8
> 219.0.0.0/8
> 195.116.0.0/16
> 59.0.0.0/8
> 195.133.91.0/24
> 222.0.0.0/8

Not always a good idea. A lot of Australian users have been having issues because of people doing this. More info here: http://forums.whirlpool.net.au/forum-replies.cfm?t=324246#r2
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On 8/24/05, Michael Dale [EMAIL PROTECTED] wrote:
> > Also, most if not all of the blocks below are Asia netblocks that I have had more then 3 attempts to gain access to my servers.
> > [...]
>
> Not always a good idea. A lot of Australian users have been having issues because of people doing this. More info here: http://forums.whirlpool.net.au/forum-replies.cfm?t=324246#r2

You are right, it's not a good idea, but when they attempt access I email the logs and a nice email (NOT a 3 page complaint followed by demands and threat of legal recourse (I work at a large ISP so I know)) and I get nowhere; those ISPs leave me no other choice.

I should also state that I remove the netblocks from my blackhole list about every 3 months, but the same blocks always end up back on the list.

-Erik-
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
I usually run a swatch script to monitor ssh login attempts and deny them via ipfw - most of them are addresses from people running linux trying to bruteforce their way in - the list can get pretty long. Also, what's most funny is that a lot of those people try windows server exploits on me. Damn script kiddies.

-Ben

Pat Maddox wrote:
> It's not that big of a deal...they didn't get in or anything. If you've got a server that's always connected to the internet, you'll see people trying to break in all the time. The more popular your server, the more frequent the attempts. This is just someone trying to log in via SSH - so as long as you have good passwords on all your accounts, and disable remote root login, you're fine. You may consider denying access after X failed login attempts.
>
> On 8/23/05, ro ro [EMAIL PROTECTED] wrote:
> > Hi All,
> >
> > I was browsing through my log files and noticed that someone (or many people) is trying to gain illegal access to my server (see snippet from log files below). The below log file clearly indicates someone trying to hackaway at my personal server.
> > [...]
RE: Illegal access attempt - FreeBSD 5.4 Release - please advise
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Dale
Sent: Wednesday, August 24, 2005 4:40 AM
To: Hornet
Cc: ro ro; freebsd-questions@freebsd.org
Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise

> > Also, most if not all of the blocks below are Asia netblocks that I have had more then 3 attempts to gain access to my servers.
> > [...]
>
> Not always a good idea. A lot of Australian users have been having issues because of people doing this. More info here: http://forums.whirlpool.net.au/forum-replies.cfm?t=324246#r2

Such automated blocking is becoming common in the better Intrusion Detection Systems, which talk to their associated firewalls. If you are creating what is effectively a simple IDS, here are a couple thoughts:

First, blocking reserved areas of the IP space seems a little different than fighting malicious hackers and spammers, but in either case, see (ii) below.

Second, if someone legitimate is being blocked, they'll probably call you. You can put an earlier rule in the firewall to let them in. If you are running an ecommerce site, you might not want to block half the world; invest in a more powerful firewall/IDS combination. See (iii) below.

Third, if you are automating the creation of your blocks (a good idea) then you could also do the following:

(i) create blocks as narrow as possible given the attacks. First block the IP address, then if several nearby addresses attack, block that subnet, etc.

(ii) allow the blocks to time-out after a while (as many IDS blocks do). If (i) turns them back on, then increase the length of the time-out.

(iii) review your blocks every now and then either by reviewing your firewall logs or by having your (perl?) program check if (ii) turns off a block only to have (i) turn it on again, or if it never cycles.

BTW, our firewall blocks so many attacks per minute that its multi-colored console display is better than a soap opera!

-gayn
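A worked version of the policy the thread circles around (Ben's swatch logic, Hornet's "x attempts in y time blocks the source for z hours", Joel's worry about legitimate users who mistype, and Gayn's timed, escalating blocks), written as an added example and not any poster's script. It assumes an ipfw lookup table (table 1) referenced by a deny rule, only prints the ipfw commands rather than running them, and treats OpenSSH's "Failed password for ... from ..." message (not quoted in the thread) as the wrong-password case for an existing account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Messages this policy reacts to.  "Illegal user" is the format quoted in the
# thread; "Failed password for" is OpenSSH's usual line for a wrong password
# on an existing account (assumed here, not shown in the thread).
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
ILLEGAL = re.compile(TS + r"Illegal user \S+ from (?P<ip>\d+(?:\.\d+){3})")
FAILED = re.compile(TS + r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3})")


def parse_ts(stamp, year=2005):
    """syslog stamps carry no year; the caller supplies it (2005 for this thread)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class BanPolicy:
    """Sliding-window counter per source IP with timed, escalating bans.

    illegal_limit: "Illegal user" hits within `window` seconds before a ban
    failed_limit:  wrong passwords for real accounts before a ban (Ben's 5)
    ban_seconds:   first ban length; doubles on every repeat offence (Gayn's ii)
    """

    def __init__(self, window=600, illegal_limit=3, failed_limit=5, ban_seconds=3600, table=1):
        self.window = timedelta(seconds=window)
        self.limits = {"illegal": illegal_limit, "failed": failed_limit}
        self.ban_seconds = ban_seconds
        self.table = table                  # ipfw lookup table holding banned IPs (assumed)
        self.events = defaultdict(deque)    # ip -> recent (timestamp, kind)
        self.bans = {}                      # ip -> datetime the ban expires
        self.strikes = defaultdict(int)     # ip -> number of bans so far

    def expire(self, now):
        """Lift bans whose time-out has passed; return the ipfw commands for that."""
        lifted = [ip for ip, until in self.bans.items() if until <= now]
        for ip in lifted:
            del self.bans[ip]
        return [f"ipfw table {self.table} delete {ip}" for ip in lifted]

    def feed(self, line):
        """Process one log line; return the ipfw commands it calls for (possibly none)."""
        for kind, rx in (("illegal", ILLEGAL), ("failed", FAILED)):
            m = rx.match(line)
            if m:
                break
        else:
            return []                       # not a line we score (e.g. no source IP)
        now, ip = parse_ts(m["ts"]), m["ip"]
        cmds = self.expire(now)
        if ip in self.bans:
            return cmds                     # already blocked; nothing more to do
        recent = self.events[ip]
        recent.append((now, kind))
        while recent and now - recent[0][0] > self.window:
            recent.popleft()                # drop hits that fell outside the window
        if sum(1 for _, k in recent if k == kind) >= self.limits[kind]:
            cmds.append(self.ban(ip, now))
        return cmds

    def ban(self, ip, now):
        self.strikes[ip] += 1
        length = self.ban_seconds * 2 ** (self.strikes[ip] - 1)
        self.bans[ip] = now + timedelta(seconds=length)
        self.events.pop(ip, None)           # start counting afresh once the ban lapses
        return f"ipfw table {self.table} add {ip}"


def run(log_text, policy=None):
    """Feed every line of a log to the policy; return (commands in order, policy)."""
    policy = policy or BanPolicy()
    cmds = []
    for line in log_text.splitlines():
        cmds.extend(policy.feed(line))
    return cmds, policy


# Constructed sample (RFC 5737 documentation addresses) laid out like the
# thread's sshd lines: a scanner guessing usernames, a real user mistyping a
# password twice, then the scanner returning after its first ban has lapsed.
SAMPLE_LOG = """\
Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 203.0.113.5
Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 203.0.113.5
Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 203.0.113.5
Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 203.0.113.5
Aug 23 08:20:00 free sshd[22600]: Failed password for ben from 192.0.2.10 port 40000 ssh2
Aug 23 08:20:05 free sshd[22601]: Failed password for ben from 192.0.2.10 port 40001 ssh2
Aug 23 10:30:00 free sshd[22700]: Illegal user test from 203.0.113.5
Aug 23 10:30:02 free sshd[22701]: Illegal user guest from 203.0.113.5
Aug 23 10:30:04 free sshd[22702]: Illegal user admin from 203.0.113.5
"""

if __name__ == "__main__":
    for cmd in run(SAMPLE_LOG)[0]:
        print(cmd)   # printed, not executed: review before wiring this to the firewall
```

The mistyping user never reaches the failed_limit and is left alone, while the scanner is banned, released after an hour, and banned again for twice as long when it comes back.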
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On Tue, 23 Aug 2005 21:22:34 -0700 (PDT) ro ro [EMAIL PROTECTED] wrote:

> I took the issue of creating a good firewall quite lightly and now I regret that decision.. now I have learnt... Can someone provide me with guidance on this issue and advise me on next steps to take action against such losers.
> [...]
> Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153

You could restrict access to sshd on your system to trusted IPs only using /etc/hosts.allow. It's very effective and simple for your specific situation. man 5 hosts_access is a good start.

-- 
Adi Pircalabu (PGP Key ID 0x04329F5E)
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
On 8/24/05, ro ro [EMAIL PROTECTED] wrote:
> Hi All,
>
> I was browsing through my log files and noticed that someone (or many people) is trying to gain illegal access to my server (see snippet from log files below). The below log file clearly indicates someone trying to hackaway at my personal server.
>
> I performed the following steps: nmap -v 210.0.142.153

I recommend that you not make a habit of this. It will eventually result in a complaint to your ISP that you were attacking the system you scanned.

Use dig to get a clue about who owns the network that is attacking you:

    $ dig -x 210.0.142.153
    [...]
    ;; QUESTION SECTION:
    ;153.142.0.210.in-addr.arpa.    IN      PTR

    ;; AUTHORITY SECTION:
    142.0.210.in-addr.arpa. 10800   IN      SOA     bbdns1.on-nets.com. dns.on-nets.com. 2001092701 10800 3600 604800 86400

There is no PTR info, but the attack is coming from a network controlled by on-nets.com (the SOA). Sending a complaint to them might be effective. You can use whois to try to figure out where to mail the complaint, but it is easier to use abuse.net (http://www.abuse.net) to send a complaint: you email the complaint to abuse.net, and they forward it to the correct address, so you don't have to spend a lot of time figuring out where to send it.

> [...]
> When I saw the logs for the first time. I took the following steps:
> 1) AllowUsers in sshd contained only users that I wanted to have access to my ssh
> 2) Created a decent rulest within ipfw that permitted incoming access to only two ports ssh and http
>
> I took the issue of creating a good firewall quite lightly and now I regret that decision.. now I have learnt... Can someone provide me with guidance on this issue and advise me on next steps to take action against such losers.

Get used to it. Seriously. The log you show appears to be an automated attack. You can expect a steady stream of them, mostly from worms (which I think is the case here), viruses, and zombie networks. Keep your system updated (use freebsd-update and portaudit), use appropriate firewall rules, and you shouldn't have a problem.

> [...]
> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
> [...]

This particular attack is using a much smaller set of userIDs than some. I had one last night that was hitting hundreds of them. I sent a complaint to the ISP (via abuse.net), and about ten minutes later it quit. I don't know if it was because of the complaint, or if it just ran out of names to try, but it was gratifying just the same.

- Bob
RE: Illegal access attempt - FreeBSD 5.4 Release - please advise
How can I easily auto deny after x failed attempts? Is this an sshd setting? I could find it.

Is there something in ports that will firewall off somebody who is brute forcing?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pat Maddox
Sent: Tuesday, August 23, 2005 9:27 PM
To: FreeBSD Questions
Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise

It's not that big of a deal...they didn't get in or anything. If you've got a server that's always connected to the internet, you'll see people trying to break in all the time. The more popular your server, the more frequent the attempts. This is just someone trying to log in via SSH - so as long as you have good passwords on all your accounts, and disable remote root login, you're fine. You may consider denying access after X failed login attempts.

On 8/23/05, ro ro [EMAIL PROTECTED] wrote:

> Hi All,
> I was browsing through my log files and noticed that someone (or many people) is trying to gain illegal access to my server (see snippet from log files below). The below log file clearly indicates someone trying to hack away at my personal server.
> I performed the following steps:
> nmap -v 210.0.142.153
> and noticed that this person/institution had port 80 and 21 open. I visited their website and it appears to be someone from Hong Kong.
> http://www.chkpcc.edu.hk/
> HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON THEIR WEBSITE
> -
> Confucian Ho Kwok Pui Chun College 孔 教 學 院 何 郭 佩 珍 中 學
> Address 地址: Fu Shin Est., Taipo, N.T., HKSAR 香港新界大埔富善村
> Tel 電話: 852-2666-5926
> Fax 傳真: 852-2660-7988
> E-mail 電郵: [EMAIL PROTECTED]
> -
> When I saw the logs for the first time. I took the following steps:
> 1) AllowUsers in sshd contained only users that I wanted to have access to my ssh
> 2) Created a decent ruleset within ipfw that permitted incoming access to only two ports ssh and http
> I took the issue of creating a good firewall quite lightly and now I regret that decision.. now I have learnt...
> Can someone provide me with guidance on this issue and advise me on next steps to take action against such losers.
> Thanks
> RV
>
> Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
> Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:15 free sshd[22529]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:17 free sshd[22531]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:19 free sshd[22533]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:24 free sshd[22537]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:27 free sshd[22539]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:29 free sshd[22541]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:33 free sshd[22543]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:35 free sshd[22545]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
> Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 210.0.142.153
> Aug 23 08:19:42 free sshd[22551]: Illegal user electra from 210.0.142.153
> Aug 23 08:19:44 free sshd[22553]: Illegal user student from 210.0.142.153
> Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
> Aug 23 08:19:49 free sshd[22557]: User mysql not allowed because not listed in AllowUsers
> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
> Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
> Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
> Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
> Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
> Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
> Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
> Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
> Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
> Aug 14 10:47:58 free sshd[33631
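The "auto deny after x failed attempts" question above is what the swatch-style script elsewhere in this thread does by hand: ban a source as soon as it guesses a non-existent account, and give real accounts a few tries. The following is an added example, not code from any poster, that applies that policy to sshd syslog lines and emits hosts_access(5) deny lines for /etc/hosts.allow; the sample log is constructed in the same format as the lines quoted in the thread (the "Failed password for" form is standard OpenSSH logging for existing accounts), and the 5-try threshold is an assumption taken from the thread.

```python
import re
from collections import Counter

# Constructed sample in the format of the sshd lines quoted in this thread.
SAMPLE_LOG = """\
Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
Aug 23 09:00:01 free sshd[22600]: Failed password for rv from 192.0.2.10 port 40001 ssh2
Aug 23 09:00:03 free sshd[22602]: Failed password for rv from 192.0.2.10 port 40002 ssh2
Aug 23 09:00:05 free sshd[22604]: Failed password for rv from 192.0.2.10 port 40003 ssh2
Aug 23 09:00:07 free sshd[22606]: Failed password for rv from 192.0.2.10 port 40004 ssh2
Aug 23 09:00:09 free sshd[22608]: Failed password for rv from 192.0.2.10 port 40005 ssh2
Aug 23 09:10:00 free sshd[22610]: Failed password for rv from 198.51.100.7 port 40006 ssh2
"""

# Guess at an account that does not exist (the bulk of the thread's log).
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)")
# Wrong password for an account that does exist (never shown in the thread).
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")


def offenders(log_text, max_tries=5):
    """Return {source_ip: reason} for sources that should be denied.

    Policy: one guess at a non-existent user bans the source outright;
    failed passwords for a real user are tolerated up to max_tries per source.
    The "User root not allowed ... AllowUsers" line carries no address, so it
    cannot be attributed to a source and never produces a ban on its own.
    """
    banned = {}
    failures = Counter()
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line)
        if m:
            user, ip = m.groups()
            banned.setdefault(ip, "unknown user %r" % user)
            continue
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(2)
            failures[ip] += 1
            if failures[ip] >= max_tries:
                banned.setdefault(ip, "%d failed passwords" % failures[ip])
    return banned


def hosts_allow_rules(banned):
    """Render one hosts_access(5) deny line per banned source (sshd daemon name)."""
    return ["sshd : %s : deny" % ip for ip in sorted(banned)]
```

Because hosts_access(5) only treats a `#` at the start of a line as a comment, the reasons are kept in the dict rather than appended to the rules.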
Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
It's not that big of a deal...they didn't get in or anything. If you've got a server that's always connected to the internet, you'll see people trying to break in all the time. The more popular your server, the more frequent the attempts. This is just someone trying to log in via SSH - so as long as you have good passwords on all your accounts, and disable remote root login, you're fine. You may consider denying access after X failed login attempts.

On 8/23/05, ro ro [EMAIL PROTECTED] wrote:

> Hi All,
> I was browsing through my log files and noticed that someone (or many people) is trying to gain illegal access to my server (see snippet from log files below). The below log file clearly indicates someone trying to hack away at my personal server.
> I performed the following steps:
> nmap -v 210.0.142.153
> and noticed that this person/institution had port 80 and 21 open. I visited their website and it appears to be someone from Hong Kong.
> http://www.chkpcc.edu.hk/
> HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON THEIR WEBSITE
> -
> Confucian Ho Kwok Pui Chun College 孔 教 學 院 何 郭 佩 珍 中 學
> Address 地址: Fu Shin Est., Taipo, N.T., HKSAR 香港新界大埔富善村
> Tel 電話: 852-2666-5926
> Fax 傳真: 852-2660-7988
> E-mail 電郵: [EMAIL PROTECTED]
> -
> When I saw the logs for the first time. I took the following steps:
> 1) AllowUsers in sshd contained only users that I wanted to have access to my ssh
> 2) Created a decent ruleset within ipfw that permitted incoming access to only two ports ssh and http
> I took the issue of creating a good firewall quite lightly and now I regret that decision.. now I have learnt...
> Can someone provide me with guidance on this issue and advise me on next steps to take action against such losers.
> Thanks
> RV
>
> Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
> Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:15 free sshd[22529]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:17 free sshd[22531]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:19 free sshd[22533]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:24 free sshd[22537]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:27 free sshd[22539]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:29 free sshd[22541]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:33 free sshd[22543]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:35 free sshd[22545]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
> Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 210.0.142.153
> Aug 23 08:19:42 free sshd[22551]: Illegal user electra from 210.0.142.153
> Aug 23 08:19:44 free sshd[22553]: Illegal user student from 210.0.142.153
> Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
> Aug 23 08:19:49 free sshd[22557]: User mysql not allowed because not listed in AllowUsers
> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
> Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
> Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
> Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
> Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
> Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
> Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
> Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
> Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
> Aug 14 10:47:58 free sshd[33631]: Illegal user andres from 64.222.146.197
> Aug 14 10:47:59 free sshd[33633]: Illegal user barbara from 64.222.146.197
> Aug 14 10:48:01 free sshd[33635]: Illegal user adine from 64.222.146.197
> Aug 14 10:48:02 free sshd[33637]: Illegal user test from 64.222.146.197
> Aug 14 10:48:04 free sshd[33639]: Illegal user guest from 64.222.146.197
> Aug 14 10:48:07 free sshd[33641]: Illegal user db from 64.222.146.197