From: "Steve Blackwell" <zephod@xxxxxxxxxx>
Sent: Tuesday, 2010/April/20 21:33

> I was looking at my logwatch mail and saw:
>
> Failed logins from:
>     62.39.117.140 (140.117.39-62.rev.gaoland.net): 139 times
>     220.128.67.41: 9 times
>
> Illegal users from:
>     62.39.117.140 (140.117.39-62.rev.gaoland.net): 229 times
>     220.128.67.41: 2 times
>
> Received disconnect:
>     11: Bye Bye : 379 Time(s)
>
> so it appears that someone was trying to break in to my machine.
>
> I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net)
> and it appears to be some kind of French ISP.
> Is there some place to report this?

Yes. You found it already. Look in the whois report. It's useless though.

All really good (and different) passwords for all users, a clever trick with iptables to limit connections to one every few minutes, or using an alternate port for "security through obscurity" (not safe if the alternate port is discovered in a port scan), or a private key login is what you need to make these attacks simple log filler rather than an effective attack. Of course, combining methods can work nicely. (I just have a perverse pleasure from both baiting the barstads and tracking the nastiness on the net.)

This is the iptables trick. IPTABLES is filled with the path to "iptables". Mind the wrap.

...
# Setup the reject trap
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
    --log-level info
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
...

As it happens this allows ONE attempt every three minutes. I duplicate it for any open ports like pop3s and imaps. (I could use -m multiport for it, too, I suppose. I put different log prefixes on each just to keep track of what is being attacked.)

I figure at one attempt in every three plus minutes the universe could grow cold before the password is discovered, even with a distributed attempt that is not VERY well coordinated even for a password as crude as ABCDHEFG.

{^_^}
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
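The three-rule "reject trap" above is easier to reason about when its behaviour is traced packet by packet. The following Python model is an added example, not code from the message or from the netfilter project: it mimics what the `-m recent --set` / `--rcheck --seconds 180 --hitcount 2` pair does for one source address (a per-source list of SYN timestamps, capped at 20 entries the way xt_recent's default ip_pkt_list_tot caps it, which is an assumption about the module default rather than something the mail states), applies the LOG and REJECT rules in order, and then counts the resulting 'SSH REJECT: ' log lines per source the way a logwatch-style summary would. The source addresses and arrival times are constructed sample input. Note the property the simulation makes visible: because every SYN is recorded before the check, a source that keeps retrying inside the window never gets a second chance, while a source that waits out the full window is accepted again.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 180   # --seconds 180 in the rules above
HITCOUNT = 2           # --hitcount 2
PKT_LIST_TOT = 20      # assumption: xt_recent default ip_pkt_list_tot (timestamps kept per source)


class RecentList:
    """Model of one `-m recent --name sshattack` table: per-source SYN arrival times."""

    def __init__(self, pkt_list_tot=PKT_LIST_TOT):
        # deque(maxlen=...) drops the oldest stamp once the cap is reached, as the module does
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        # --set: record this packet's arrival for src (always matches, packet continues)
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount H: true when at least H recorded stamps
        # for src fall inside the last S seconds (the current packet is already recorded)
        recent = [t for t in self.stamps[src] if now - t < seconds]
        return len(recent) >= hitcount


def ssh_chain(table, src, now):
    """Apply the three rules, in order, to one TCP SYN to port 22.

    Returns (verdict, log_line): verdict is 'REJECT' when the trap fires,
    otherwise 'ACCEPT' (the packet falls through to whatever later rule
    admits port 22); log_line is the kernel-log style line the LOG rule emits.
    """
    table.set(src, now)                                   # rule 1: unconditional --set
    if table.rcheck(src, now, WINDOW_SECONDS, HITCOUNT):  # rule 2 and 3 share this match
        log_line = f"SSH REJECT: SRC={src} DPT=22 SYN"    # rule 2: -j LOG --log-prefix
        return "REJECT", log_line                         # rule 3: -j REJECT --reject-with tcp-reset
    return "ACCEPT", None


def simulate(attempts):
    """attempts: iterable of (time_seconds, source_ip). Returns
    (verdicts per source in arrival order, list of emitted log lines)."""
    table = RecentList()
    verdicts = defaultdict(list)
    logs = []
    for now, src in sorted(attempts):
        verdict, log_line = ssh_chain(table, src, now)
        verdicts[src].append(verdict)
        if log_line is not None:
            logs.append(log_line)
    return dict(verdicts), logs


def rejects_per_source(logs):
    """Count 'SSH REJECT:' log lines per SRC= field, logwatch style."""
    counts = defaultdict(int)
    for line in logs:
        if not line.startswith("SSH REJECT:"):
            continue
        for field in line.split():
            if field.startswith("SRC="):
                counts[field[len("SRC="):]] += 1
    return dict(counts)


def demo():
    """Constructed traffic: a hammering source, a patient source, and a normal login."""
    hammer = [(t, "192.0.2.10") for t in range(0, 600, 30)]   # one SYN every 30 s for 10 min
    patient = [(0, "203.0.113.5"), (200, "203.0.113.5")]      # second try after the window
    legit = [(5, "198.51.100.7")]                              # a single normal connection
    verdicts, logs = simulate(hammer + patient + legit)
    return {"verdicts": verdicts, "rejects": rejects_per_source(logs)}


if __name__ == "__main__":
    result = demo()
    for src, seq in result["verdicts"].items():
        print(src, seq.count("ACCEPT"), "accepted,", seq.count("REJECT"), "rejected")
    print("rejects per source:", result["rejects"])
```

Running the block shows 192.0.2.10 getting exactly one accepted SYN and nineteen resets, 203.0.113.5 accepted both times because its retry came more than 180 seconds after the first, and 198.51.100.7 unaffected. The model does not reproduce the other xt_recent details (the global 100-entry table, the /proc/net/xt_recent interface, or the `--rttl` option) and is only meant to make the "one attempt every three minutes" claim concrete.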