[gentoo-user] OT - ipkungfu perhaps not doing its job

2006-11-16 Thread Michael Sullivan
Can anyone tell me why I have about a hundred of these

Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45 

when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here's my
rules; I don't understand them:

bullet ~ # ipkungfu -l
Chain INPUT (policy DROP 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source                      destination
45662 6103K ACCEPT     all  --  any    any     anywhere                    anywhere            state RELATED,ESTABLISHED
    0     0 LOG        all  --  lo     any     0.0.0.1                     anywhere            LOG level warning prefix `IPKF IPKungFu (--init)'
    0     0 DROP       all  --  eth0   any     210.188.206.107             anywhere
    0     0 DROP       all  --  eth0   any     222.90.206.62               anywhere
    0     0 DROP       all  --  eth0   any     61.178.185.124              anywhere
    0     0 DROP       all  --  eth0   any     65.98.76.197                anywhere
    0     0 DROP       all  --  eth0   any     211.234.99.230              anywhere
    0     0 DROP       all  --  eth0   any     60.191.34.155               anywhere
    0     0 DROP       all  --  eth0   any     sd-2742.dedibox.fr          anywhere
    1    40 DROP       all  --  eth0   any     nameservices.net            anywhere
    1    55 DROP       all  --  eth0   any     222.135.146.45              anywhere
   28  1598 ACCEPT     all  --  any    any     camille.espersunited.com    anywhere
    7   351 ACCEPT     all  --  any    any     catherine.espersunited.com  anywhere
    0     0 DROP       all  --  any    any     anywhere                    anywhere            recent: CHECK seconds: 120 name: badguy side: source
    0     0 LOG        tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags ALL: '
    0     0 LOG        tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags NONE: '
    0     0 LOG        tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap XMAS): '
    0     0 LOG        tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap FIN): '
    0     0 LOG        tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,FIN: '
    0     0 LOG        tcp  --  eth0   any     anywhere                    anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/sec burst 5 LOG level warning prefix `IPKF flags SYN,RST: '
    0     0 LOG        tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/sec burst 5 LOG level warning prefix `IPKF SYN,RST,ACK,FIN,URG: '
    0     0 LOG        tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/sec burst 5 LOG level warning prefix `IPKF PORTSCAN (nmap NULL): '
    0     0 DROP       tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN/FIN,SYN
    0     0 DROP       tcp  --  eth0   any     anywhere                    anywhere            tcp flags:SYN,RST/SYN,RST
    0     0 DROP       tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP       tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP       tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0     0 DROP       tcp  --  eth0   any     anywhere                    anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    3   276 ACCEPT     icmp --  any    any     anywhere                    anywhere            icmp echo-request
   85  3400 LOG        all  --  any    any     anywhere                    anywhere            state INVALID limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Invalid TCP flag: '
   85  3400 DROP       all  --  any    any     anywhere                    anywhere            state INVALID
    0     0 LOG        all  -f  eth0   any     anywhere                    anywhere            limit: avg 3/sec burst 5 LOG level warning prefix `IPKF Fragmented Packet: '
    0     0 DROP       all  -f  eth0   any     anywhere                    anywhere
    0

Re: [gentoo-user] OT - ipkungfu perhaps not doing its job

2006-11-16 Thread Alan McKinnon
On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
 Can anyone tell me why I have about a hundred of these

 Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
 logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
 Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
 logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
 Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
 logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
 Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
 logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45

 when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here's my
 rules; I don't understand them:

[snip]

     1    55 DROP       all  --  eth0   any     222.135.146.45
 anywhere

Some script kiddie is trying a brute-force attack on your FTP port, trying 
random combinations of user name and password every three seconds.

'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs 
to some machine on the network sdjnptt.net.cn, and that turns out to be 
what looks like some Chinese ISP.

So, a Chinese person is trying to exploit your machine. Hey, it happens. 
And will happen for about the rest of your life. The solution is to 
drop them at the firewall, and the above rule is doing exactly that.

This specific attack from this specific person at that specific address 
is no longer something you need to worry about :-)


alan

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - ipkungfu perhaps not doing its job

2006-11-16 Thread Michael Sullivan
On Thu, 2006-11-16 at 21:09 +0200, Alan McKinnon wrote:
 On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
  Can anyone tell me why I have about a hundred of these
 
  Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
  logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
  Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
  logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
  Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
  logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
  Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
  logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
 
  when that IP address is in /etc/ipkungfu/deny_hosts.conf?  Here's my
  rules; I don't understand them:
 
 [snip]
 
      1    55 DROP       all  --  eth0   any     222.135.146.45
  anywhere
 
 Some script kiddie is trying a brute-force attack on your FTP port, trying 
 random combinations of user name and password every three seconds.
 
 'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs 
 to some machine on the network sdjnptt.net.cn, and that turns out to be 
 what looks like some Chinese ISP.
 
 So, a Chinese person is trying to exploit your machine. Hey, it happens. 
 And will happen for about the rest of your life. The solution is to 
 drop them at the firewall, and the above rule is doing exactly that.
 
 This specific attack from this specific person at that specific address 
 is no longer something you need to worry about :-)
 
 
 alan
 

So why do I get the hourly log reports (from logcheck) saying that this
IP is trying to access my FTP?  How does vsftpd know about this if
they're being dropped at the firewall?

-- 
gentoo-user@gentoo.org mailing list
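The question left open at the end of the thread (why vsftpd still sees the attempts when the address is in deny_hosts.conf) is answered by rule order in the listing Michael posted. The very first INPUT rule is `ACCEPT ... state RELATED,ESTABLISHED` and matches any source; the per-host DROP rules below it carry no `state` match, so they only ever see packets that conntrack has not already tied to a known flow, that is, new connection attempts. An FTP control connection that was already open when 222.135.146.45 went into the deny list therefore keeps flowing through rule one, and the syslog lines bear that out: every one carries the same PID 2045, which is one process and hence one session, while the DROP rule for that address has counted exactly one packet (1 pkt, 55 bytes), consistent with a single later connection attempt being refused. The script below is an added example, not code from the thread or from ipkungfu. It models only the conntrack-relevant rules from the posted listing (the TCP-flag rules and the `recent` rule are left out, and the listing is truncated in the post, so the rules that eventually accept port 21 are not modelled), walks the chain with iptables first-match semantics for a NEW and for an ESTABLISHED packet from that address, and groups the pam_unix failures by PID. The rule text and the four log lines are constructed copies of what appears in the thread.

```python
"""
Which INPUT rule does a packet from 222.135.146.45 hit?
Added example, not code from the thread or from ipkungfu: a first-match walk over
the conntrack-relevant subset of the posted `ipkungfu -l` listing, once for a NEW
and once for an ESTABLISHED packet, plus a PID grouping of the pam_unix failures.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHAIN_POLICY = "DROP"

# Constructed from the listing in the thread (counters as posted). The TCP-flag
# LOG/DROP rules and the `recent` rule are omitted; they do not affect the
# question. The post's listing is truncated, so the rules that finally ACCEPT
# port 21 are not modelled either.
LISTING = """\
45662 6103K ACCEPT all -- any  any anywhere                 anywhere state RELATED,ESTABLISHED
    0     0 DROP   all -- eth0 any 210.188.206.107          anywhere
    1    40 DROP   all -- eth0 any nameservices.net         anywhere
    1    55 DROP   all -- eth0 any 222.135.146.45           anywhere
   28  1598 ACCEPT all -- any  any camille.espersunited.com anywhere
"""
# Constructed copies of the four syslog lines quoted in the thread.
PAM_LOG = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
"""

@dataclass
class Rule:
    pkts: int
    target: str
    in_if: str
    source: str
    states: Optional[frozenset]  # None: no `state` match, so it fires for any state
    raw: str

def parse_counter(tok: str) -> int:
    """iptables -v abbreviates large counters (6103K, 12M, 3G)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_listing(text: str) -> List[Rule]:
    """Columns: pkts bytes target prot opt in out source destination [matches]."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        m = re.search(r"\bstate (\S+)", " ".join(f[9:]))
        states = frozenset(m.group(1).split(",")) if m else None
        rules.append(Rule(parse_counter(f[0]), f[2], f[5], f[7], states, line.strip()))
    return rules

def first_match(rules: List[Rule], src: str, in_if: str,
                state: str) -> Tuple[str, Optional[Rule]]:
    """iptables first-match: (verdict, rule); rule is None when the chain policy applies."""
    for r in rules:
        if r.in_if not in ("any", in_if):
            continue
        if r.source not in ("anywhere", src):
            continue
        if r.states is not None and state not in r.states:
            continue
        return r.target, r
    return CHAIN_POLICY, None

PAM_RE = re.compile(r"ftp\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;.*\brhost=(?P<rhost>\S+)")

def failures_by_session(log: str) -> Dict[Tuple[str, str], int]:
    """Group failures by (pid, rhost); one PID is one process, i.e. one control connection."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in log.splitlines():
        m = PAM_RE.search(line)
        if m:
            key = (m.group("pid"), m.group("rhost"))
            counts[key] = counts.get(key, 0) + 1
    return counts

def demo(src: str = "222.135.146.45", dev: str = "eth0") -> dict:
    rules = parse_listing(LISTING)
    new_verdict, new_rule = first_match(rules, src, dev, "NEW")
    est_verdict, est_rule = first_match(rules, src, dev, "ESTABLISHED")
    return {
        "new": (new_verdict, new_rule.raw if new_rule else None),
        "established": (est_verdict, est_rule.raw if est_rule else None),
        "pkts_dropped_from_src": new_rule.pkts if new_rule else 0,
        "sessions": failures_by_session(PAM_LOG),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>22}: {v}")
```

Run as-is it reports DROP for a NEW packet from the address and ACCEPT (via the RELATED,ESTABLISHED rule) for an ESTABLISHED one, with all four failures under the single key (2045, 222.135.146.45). The practical consequence is that a deny-list entry added while a session is open only stops the next connection; the session already in conntrack has to be ended separately (by clearing its conntrack entry or by placing the per-host DROP rules above the state rule) before the log lines stop.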