Re: Breakin attempts

From: "Steve Blackwell" <zephod@xxxxxxxxxx>
Sent: Tuesday, 2010/April/20 21:33


> I was looking at my logwatch mail and saw:
> 
> Failed logins from:
>    62.39.117.140 (140.117.39-62.rev.gaoland.net): 139 times
>    220.128.67.41: 9 times
> 
> Illegal users from:
>    62.39.117.140 (140.117.39-62.rev.gaoland.net): 229 times
>    220.128.67.41: 2 times
> 
> 
> Received disconnect:
>    11: Bye Bye : 379 Time(s)
> 
> so it appears that someone was trying to break in to my machine.
> 
> I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net)
> and it appears to be some kind of French ISP.
> Is there some place to report this?

Yes. You found it already. Look in the whois report.

It's useless though. All really good (and different) passwords for all
users, a clever trick with iptables to limit connections to one every
few minutes, or using an alternate port for "security through obscurity"
(not safe if the alternate port is discovered in a port scan), or a
private key login is what you need to make these attacks simple log
filler rather than an effective attack. Of course, combining methods
can work nicely. (I just have a perverse pleasure from both baiting the
barstads and tracking the nastiness on the net.)

This is the iptables trick. IPTABLES is filled with the path to
"iptables". Mind the wrap.

...
# Setup the reject trap
# Rule 1: record every new SSH connection attempt (TCP SYN to port 22) in the
# "sshattack" list, keyed by source address. Rejected attempts are recorded too.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Rule 2: if the source already has 2 or more hits in the last 180 seconds
# (this SYN included), log it with a distinctive prefix ...
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
  --log-level info
# ... and then reject it with a TCP RST. A source that stays under the
# threshold falls through to whatever rule accepts port 22 below.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
...

As it happens this allows ONE attempt every three minutes. I duplicate it
for any open ports like pop3s and imaps. (I could use -m multiport for it,
too, I suppose. I put different log prefixes on each just to keep track of
what is being attacked.) I figure at one attempt in every three plus
minutes the universe could grow cold before the password is discovered,
even with a distributed attempt that is not VERY well coordinated even for
a password as crude as ABCDHEFG.

{^_^}
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
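Added example, not code from either poster or from Fedora: a Python model of the two things this thread turns on, the per-address failure tally that logwatch produced in the question, and the `-m recent` trap from the reply. The log lines are constructed (syslog timestamp/host prefix dropped), and the trap follows the documented semantics of `--set` plus `--rcheck --seconds 180 --hitcount 2`, keeping the newest 20 timestamps per address as a kernel with the default `ip_pkt_list_tot=20` would (an assumption about the reader's kernel). The LOG rule and `--reject-with` have no effect on the accept/reject decision and are not modelled.

```python
"""Model of the logwatch tally and the iptables `-m recent` SSH trap.

Added example for the thread; not the original poster's code.
"""
from collections import defaultdict, deque
import re

# Constructed sample of sshd lines as written to /var/log/secure, prefix omitted.
SAMPLE_LOG = """\
sshd[2210]: Invalid user oracle from 62.39.117.140
sshd[2210]: Failed password for invalid user oracle from 62.39.117.140 port 40112 ssh2
sshd[2212]: Failed password for root from 62.39.117.140 port 40120 ssh2
sshd[2214]: Invalid user test from 220.128.67.41
sshd[2214]: Failed password for invalid user test from 220.128.67.41 port 51002 ssh2
sshd[2216]: Failed password for steve from 62.39.117.140 port 40130 ssh2
sshd[2218]: Accepted publickey for steve from 192.0.2.10 port 50001 ssh2
sshd[2210]: Received disconnect from 62.39.117.140: 11: Bye Bye
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+)")


def tally_failures(log_text):
    """Return (failed_logins, illegal_users): source IP -> count, the two
    sections shown in the logwatch mail quoted in the question."""
    failed = defaultdict(int)
    illegal = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            illegal[m.group(2)] += 1
    return dict(failed), dict(illegal)


class RecentTrap:
    """Model of the rule pair:
         -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
         -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack \
            --rcheck --seconds 180 --hitcount 2 -j REJECT
    syn() returns True when the SYN falls through to a later ACCEPT rule and
    False when the REJECT rule matches."""

    def __init__(self, seconds=180, hitcount=2, ip_pkt_list_tot=20):
        self.seconds = seconds
        self.hitcount = hitcount
        # xt_recent keeps a ring of the newest ip_pkt_list_tot stamps per address
        # (assumed kernel default of 20); deque(maxlen=...) drops the oldest.
        self.stamps = defaultdict(lambda: deque(maxlen=ip_pkt_list_tot))

    def syn(self, src, now):
        hits = self.stamps[src]
        hits.append(now)  # --set: record this SYN, whether or not it is then rejected
        # --rcheck --seconds N: count stamps within the last N seconds (this one included)
        in_window = sum(1 for t in hits if t >= now - self.seconds)
        return in_window < self.hitcount  # --hitcount 2: 2+ hits in window -> REJECT


def simulate(trap, events):
    """events: iterable of (time_in_seconds, src). Returns src -> (accepted, rejected)."""
    result = defaultdict(lambda: [0, 0])
    for t, src in events:
        result[src][0 if trap.syn(src, t) else 1] += 1
    return {src: tuple(counts) for src, counts in result.items()}


def demo():
    """Two constructed scenarios: a scanner hammering port 22 every 2 s for ten
    minutes, and an admin who reconnects too soon and then waits it out."""
    attacker = [(t, "62.39.117.140") for t in range(0, 600, 2)]  # 300 SYNs
    admin = [(0, "192.0.2.10"), (100, "192.0.2.10"), (281, "192.0.2.10")]
    return {
        "attacker": simulate(RecentTrap(), attacker),
        "admin": simulate(RecentTrap(), admin),
    }


if __name__ == "__main__":
    print(tally_failures(SAMPLE_LOG))
    print(demo())
```

The model makes the trap's sharp edge visible: because `--set` runs before `--rcheck`, a rejected SYN still counts as a hit, so a scanner that keeps trying gets exactly one attempt and then extends its own lockout for as long as it keeps knocking (300 SYNs in ten minutes, 1 accepted). The same applies to you: a reconnect within 180 s of any previous SYN is reset, and the next attempt is only accepted once the last recorded hit is more than 180 s old, so keep a second session open before restarting sshd or testing a config change.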