Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Aug 2005 09:27:24 -0400
From:      nawcom <nawcom@nawcom.no-ip.com>
To:        Pat Maddox <pergesu@gmail.com>,  freebsd-questions@freebsd.org
Subject:   Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
Message-ID:  <430C75BC.4030704@nawcom.no-ip.com>
In-Reply-To: <810a540e0508232127737d91fb@mail.gmail.com>
References:  <20050824042234.12260.qmail@web34103.mail.mud.yahoo.com> <810a540e0508232127737d91fb@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
i usually run a swatch script to monitor ssh login attempts and deny 
them via ipfw - most of them are addresses from people running linux 
trying to bruteforce there way in - the list can get pretty long.

also whats most funny is that alot of those people try windows server 
exploits on me.... damn script kiddies....

-Ben
Pat Maddox wrote:

>It's not that big of a deal...they didn't get in or anything.  If
>you've got a server that's always connected to the internet, you'll
>see people trying to break in all the time.  The more popular your
>server, the more frequent the attempts.  This is just someone trying
>to log in via SSH - so as long as you have good passwords on all your
>accounts, and disable remote root login, you're fine.
>
>You may consider denying access after X failed login attempts.
>
>
>On 8/23/05, ro ro <ricking505@yahoo.com> wrote:
>  
>
>>Hi All,
>>
>>I was browsing through my log files and noticed that
>>someone (or many people) is trying to gain illegal
>>access to my server (see snippet from log files
>>below).
>>
>>The below log file clearly indicates someone trying to
>>hackaway at my personal server.
>>
>>I performed the following steps:
>>
>>nmap -v  210.0.142.153
>>
>>and noticed that this person/institution had port 80
>>and 21 open.
>>
>>I visited their website and it appears to be someone
>>from hongkong.
>>http://www.chkpcc.edu.hk/
>>
>>HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON
>>THEIR WEBSITE
>>-------------------------------------------------------------
>>Confucian Ho Kwok Pui Chun College ? ?
>>? ? ? ? ? ?
>>? ?
>>Address ??: Fu Shin Est., Taipo,
>>N.T., HKSAR
>>?????????
>>Tel ??: 852-2666-5926
>>Fax ??: 852-2660-7988
>>E-mail ??: info@chkpcc.edu.hk
>>-------------------------------------------------------------
>>
>>
>>When I saw the logs for the first time. I took the
>>following steps:
>>1) AllowUsers in sshd contained only users that I
>>wanted to have access to my ssh
>>2) Created a decent rulest within ipfw that permitted
>>incoming access to only two ports ssh and http
>>
>>I took the issue of creating a good firewall quite
>>lightly and now I regret that decision.. now I have
>>learnt... Can someone provide me with guidance on this
>>issue and advise me on next steps to take action
>>against such losers.
>>
>>Thanks
>>RV
>>
>>Aug 23 08:19:03 free sshd[22519]: Illegal user lp from
>>210.0.142.153
>>Aug 23 08:19:06 free sshd[22521]: Illegal user admin
>>from 210.0.142.153
>>Aug 23 08:19:08 free sshd[22523]: Illegal user admin
>>from 210.0.142.153
>>Aug 23 08:19:10 free sshd[22525]: Illegal user admin
>>from 210.0.142.153
>>Aug 23 08:19:12 free sshd[22527]: Illegal user admin
>>from 210.0.142.153
>>Aug 23 08:19:15 free sshd[22529]: Illegal user admin
>>from 210.0.142.153
>>Aug 23 08:19:17 free sshd[22531]: Illegal user admin
>>from 210.0.142.153
>>Aug 23 08:19:19 free sshd[22533]: Illegal user admin
>>from 210.0.142.153
>>Aug 23 08:19:22 free sshd[22535]: User root not
>>allowed because not listed in AllowUsers
>>Aug 23 08:19:24 free sshd[22537]: User root not
>>allowed because not listed in AllowUsers
>>Aug 23 08:19:27 free sshd[22539]: User root not
>>allowed because not listed in AllowUsers
>>Aug 23 08:19:29 free sshd[22541]: User root not
>>allowed because not listed in AllowUsers
>>Aug 23 08:19:33 free sshd[22543]: User root not
>>allowed because not listed in AllowUsers
>>Aug 23 08:19:35 free sshd[22545]: User root not
>>allowed because not listed in AllowUsers
>>Aug 23 08:19:37 free sshd[22547]: Illegal user apache
>>from 210.0.142.153
>>Aug 23 08:19:40 free sshd[22549]: Illegal user dan
>>from 210.0.142.153
>>Aug 23 08:19:42 free sshd[22551]: Illegal user electra
>>from 210.0.142.153
>>Aug 23 08:19:44 free sshd[22553]: Illegal user student
>>from 210.0.142.153
>>Aug 23 08:19:47 free sshd[22555]: Illegal user school
>>from 210.0.142.153
>>Aug 23 08:19:49 free sshd[22557]: User mysql not
>>allowed because not listed in AllowUsers
>>
>>
>>Aug 11 20:16:10 free sshd[21585]: Illegal user test
>>from 210.245.197.16
>>Aug 11 20:16:12 free sshd[21587]: Illegal user guest
>>from 210.245.197.16
>>Aug 11 20:16:14 free sshd[21589]: Illegal user admin
>>from 210.245.197.16
>>Aug 11 20:16:16 free sshd[21591]: Illegal user admin
>>from 210.245.197.16
>>Aug 11 20:16:23 free sshd[21593]: Illegal user user
>>from 210.245.197.16
>>Aug 11 20:16:32 free sshd[21601]: Illegal user test
>>from 210.245.197.16
>>
>>Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from
>>61.145.222.10
>>Aug 14 03:39:26 free sshd[32379]: Illegal user a from
>>61.145.222.10
>>Aug 14 03:39:31 free sshd[32381]: Illegal user a from
>>61.145.222.10
>>Aug 14 03:39:38 free sshd[32383]: Illegal user abuse
>>from 61.145.222.10
>>Aug 14 10:47:49 free sshd[33623]: Illegal user admin
>>from 64.222.146.197
>>Aug 14 10:47:51 free sshd[33625]: Illegal user
>>administrator from 64.222.146.197
>>Aug 14 10:47:52 free sshd[33627]: Illegal user jack
>>from 64.222.146.197
>>Aug 14 10:47:53 free sshd[33629]: Illegal user marvin
>>from 64.222.146.197
>>Aug 14 10:47:58 free sshd[33631]: Illegal user andres
>>from 64.222.146.197
>>Aug 14 10:47:59 free sshd[33633]: Illegal user barbara
>>from 64.222.146.197
>>Aug 14 10:48:01 free sshd[33635]: Illegal user adine
>>from 64.222.146.197
>>Aug 14 10:48:02 free sshd[33637]: Illegal user test
>>from 64.222.146.197
>>Aug 14 10:48:04 free sshd[33639]: Illegal user guest
>>from 64.222.146.197
>>Aug 14 10:48:07 free sshd[33641]: Illegal user db from
>>64.222.146.197
>>
>>Aug 23 08:18:40 free sshd[22499]: Illegal user demo
>>from 210.0.142.153
>>Aug 23 08:18:43 free sshd[22501]: Illegal user
>>postgres from 210.0.142.153
>>Aug 23 08:18:45 free sshd[22503]: Illegal user
>>postmaster from 210.0.142.153
>>Aug 23 08:18:47 free sshd[22505]: Illegal user
>>postgres from 210.0.142.153
>>Aug 23 08:18:49 free sshd[22507]: Illegal user
>>postgres from 210.0.142.153
>>Aug 23 08:18:52 free sshd[22509]: Illegal user ftp
>>from 210.0.142.153
>>Aug 23 08:18:54 free sshd[22511]: User news not
>>allowed because not listed in AllowUsers
>>Aug 23 08:18:56 free sshd[22513]: Illegal user demo
>>from 210.0.142.153
>>Aug 23 08:18:58 free sshd[22515]: Illegal user
>>demouser from 210.0.142.153
>>Aug 23 08:19:01 free sshd[22517]: User sshd not
>>allowed because not listed in AllowUsers
>>
>>
>>
>>
>>
>>
>>
>>
>>__________________________________________________
>>Do You Yahoo!?
>>Tired of spam?  Yahoo! Mail has the best spam protection around
>>http://mail.yahoo.com
>>_______________________________________________
>>freebsd-questions@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>>    
>>
>>------------------------------------------------------------------------
>>
>>_______________________________________________
>>freebsd-questions@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?430C75BC.4030704>