Date: Wed, 24 Aug 2005 16:24:35 -0400
From: Bob Johnson <fbsdlists@gmail.com>
To: ro ro <ricking505@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
Message-ID: <54db43990508241324599dce3a@mail.gmail.com>
In-Reply-To: <20050824042234.12260.qmail@web34103.mail.mud.yahoo.com>
References: <20050824042234.12260.qmail@web34103.mail.mud.yahoo.com>
On 8/24/05, ro ro <ricking505@yahoo.com> wrote:
> Hi All,
>
> I was browsing through my log files and noticed that someone (or many
> people) is trying to gain illegal access to my server (see snippet from
> log files below).
>
> The below log file clearly indicates someone trying to hack away at my
> personal server.
>
> I performed the following steps:
>
> nmap -v 210.0.142.153
>

I recommend that you not make a habit of this. It will eventually result
in a complaint to your ISP that you were attacking the system you
scanned.

Use dig to get a clue about who owns the network that is attacking you:

$ dig -x 210.0.142.153
[...]
;; QUESTION SECTION:
;153.142.0.210.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
142.0.210.in-addr.arpa. 10800   IN      SOA     bbdns1.on-nets.com. dns.on-nets.com. 2001092701 10800 3600 604800 86400

There is no PTR info, but the attack is coming from a network controlled
by on-nets.com (the SOA). Sending a complaint to them might be effective.
You can use whois to try to figure out where to mail the complaint, but
it is easier to use abuse.net (http://www.abuse.net) to send a complaint:
you email the complaint to abuse.net, and they forward it to the correct
address, so you don't have to spend a lot of time figuring out where to
send it.

[...]

> When I saw the logs for the first time, I took the following steps:
> 1) AllowUsers in sshd contained only users that I wanted to have access
> to my ssh
> 2) Created a decent ruleset within ipfw that permitted incoming access
> to only two ports ssh and http
>
> I took the issue of creating a good firewall quite lightly and now I
> regret that decision.. now I have learnt... Can someone provide me with
> guidance on this issue and advise me on next steps to take action
> against such losers.

Get used to it. Seriously.

The log you show appears to be an automated attack. You can expect a
steady stream of them, mostly from worms (which I think is the case
here), viruses, and zombie networks. Keep your system updated (use
freebsd-update and portaudit), use appropriate firewall rules, and you
shouldn't have a problem.

[...]

> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16

[...]

This particular attack is using a much smaller set of userIDs than some.
I had one last night that was hitting hundreds of them. I sent a
complaint to the ISP (via abuse.net), and about ten minutes later it
quit. I don't know if it was because of the complaint, or if it just ran
out of names to try, but it was gratifying just the same.

- Bob
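The log excerpt quoted in the thread is the kind of input a small summarizer can digest before deciding whether a source is worth a dig -x lookup and an abuse.net complaint. The script below is an added example written for this archive page; it is not code from Bob, from the original poster, or from the FreeBSD project. It parses sshd "Illegal user" lines in exactly the format shown, groups attempts by source address, lists the usernames tried, and flags any address that makes five or more attempts inside a 60-second window (both the threshold and the window are assumed values, chosen for illustration). The sample log is constructed: it contains the six lines quoted in the thread plus two lines I made up (one attempt from the documentation-range address 192.0.2.44 and one unrelated "Accepted publickey" message) so the single-attempt and non-matching cases are exercised too.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the OpenSSH "Illegal user" syslog lines shown in the thread.
# Syslog timestamps carry no year, so only time deltas are meaningful here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Illegal user (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: the six lines quoted in the thread plus two extra
# lines (a single attempt from a documentation-range address and an
# unrelated sshd message) added for illustration.
SAMPLE_LOG = """\
Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
Aug 11 20:17:05 free sshd[21610]: Illegal user oracle from 192.0.2.44
Aug 11 20:18:40 free sshd[21622]: Accepted publickey for bob from 192.0.2.10 port 50122 ssh2
"""


def parse_line(line):
    """Return (timestamp, source_ip, username) for an 'Illegal user' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def has_burst(times, window_seconds, threshold):
    """True if any window of window_seconds holds at least threshold attempts."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        # Slide the window start forward until it fits within window_seconds.
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def summarize(log_text, window_seconds=60, threshold=5):
    """Group illegal-user attempts by source IP and flag bursty sources.

    Returns {ip: {"attempts": int, "users": [sorted unique names],
                  "first": str, "last": str, "burst": bool}}.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # successful logins and other messages are ignored
        ts, ip, user = parsed
        per_ip[ip].append((ts, user))

    summary = {}
    for ip, attempts in per_ip.items():
        times = [ts for ts, _ in attempts]
        summary[ip] = {
            "attempts": len(attempts),
            "users": sorted({user for _, user in attempts}),
            "first": min(times).strftime("%b %d %H:%M:%S"),
            "last": max(times).strftime("%b %d %H:%M:%S"),
            "burst": has_burst(times, window_seconds, threshold),
        }
    return summary


def report(summary):
    """Render the summary as plain text, bursty sources first."""
    lines = []
    ordered = sorted(summary.items(), key=lambda kv: (not kv[1]["burst"], kv[0]))
    for ip, s in ordered:
        flag = "BURST" if s["burst"] else "single/slow"
        lines.append(
            f"{ip:15} {s['attempts']:3d} attempts {s['first']} .. {s['last']} "
            f"[{flag}] users={','.join(s['users'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

The script does no network lookups, so it runs offline against any saved auth log; a flagged address is the point at which the dig -x and abuse.net steps from the mail come in. On a live system the same counting is what a log watcher or a firewall rule generator would do before adding a block, and the usernames list makes it obvious when an attack is cycling a fixed dictionary rather than targeting an account that exists.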