From: Bob Johnson
To: ro ro
Cc: freebsd-questions@freebsd.org
Date: Wed, 24 Aug 2005 16:24:35 -0400
Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise

On 8/24/05, ro ro wrote:
> Hi All,
>
> I was browsing through my log files and noticed that
> someone (or many people) is trying to gain illegal
> access to my server (see snippet from log files
> below).
>
> The below log file clearly indicates someone trying to
> hack away at my personal server.
>
> I performed the following steps:
>
> nmap -v 210.0.142.153
>

I recommend that you not make a habit of this. It will eventually result in a complaint to your ISP that you were attacking the system you scanned.

Use dig to get a clue about who owns the network that is attacking you:

$ dig -x 210.0.142.153
[...]
;; QUESTION SECTION:
;153.142.0.210.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
142.0.210.in-addr.arpa. 10800   IN      SOA     bbdns1.on-nets.com. dns.on-nets.com. 2001092701 10800 3600 604800 86400

There is no PTR info, but the attack is coming from a network controlled by on-nets.com (the SOA). Sending a complaint to them might be effective. You can use whois to try to figure out where to mail the complaint, but it is easier to use abuse.net (http://www.abuse.net) to send a complaint: you email the complaint to abuse.net, and they forward it to the correct address, so you don't have to spend a lot of time figuring out where to send it.

[...]

> When I saw the logs for the first time, I took the
> following steps:
> 1) AllowUsers in sshd contained only users that I
> wanted to have access to my ssh
> 2) Created a decent ruleset within ipfw that permitted
> incoming access to only two ports, ssh and http
>
> I took the issue of creating a good firewall quite
> lightly and now I regret that decision... now I have
> learnt... Can someone provide me with guidance on this
> issue and advise me on next steps to take action
> against such losers.

Get used to it. Seriously.

The log you show appears to be an automated attack. You can expect a steady stream of them, mostly from worms (which I think is the case here), viruses, and zombie networks. Keep your system updated (use freebsd-update and portaudit), use appropriate firewall rules, and you shouldn't have a problem.

[...]

> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16

[...]

This particular attack is using a much smaller set of userIDs than some. I had one last night that was hitting hundreds of them. I sent a complaint to the ISP (via abuse.net), and about ten minutes later it quit. I don't know if it was because of the complaint, or if it just ran out of names to try, but it was gratifying just the same.

- Bob
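As an added example that is not part of Bob's reply or the original post: a small POSIX shell/awk script that summarises sshd "Illegal user" lines like the ones quoted above by source address, so you can see at a glance how many attempts and how many different names each host tried before deciding whether a complaint is worth sending. The log lines are constructed sample data in the syslog format shown in the thread, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd "Illegal user" log
# lines per source address. Assumes the syslog layout quoted above:
#   "Mon DD HH:MM:SS host sshd[pid]: Illegal user NAME from ADDR"

# Constructed sample log (not the original poster's full log).
SAMPLE_LOG='Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
Aug 11 21:02:01 free sshd[21700]: Illegal user oracle from 192.0.2.44
Aug 11 21:02:05 free sshd[21702]: Illegal user oracle from 192.0.2.44
Aug 11 21:03:00 free sshd[21710]: Accepted publickey for bob from 198.51.100.7 port 5022 ssh2'

# Reads syslog lines on stdin and prints one line per source address:
#   ADDR ATTEMPTS DISTINCT_USERS FIRST_TIME|LAST_TIME
# sorted by attempt count, highest first. Lines that are not
# "Illegal user" records (e.g. successful logins) are ignored.
summarize_illegal_users() {
    awk '
        / sshd\[[0-9]+\]: Illegal user / {
            # fields 1-3: timestamp, field 8: username, field 10: source address
            addr = $10; user = $8; ts = $1 " " $2 " " $3
            n[addr]++
            if (!((addr, user) in seen)) { seen[addr, user] = 1; users[addr]++ }
            if (!(addr in first)) first[addr] = ts
            last[addr] = ts
        }
        END {
            for (a in n) printf "%s %d %d %s|%s\n", a, n[a], users[a], first[a], last[a]
        }
    ' | sort -k2,2nr
}

# Prints only the addresses whose attempt count reaches the threshold
# (default 5): the candidates worth looking up with dig -x / abuse.net.
flag_sources() {
    threshold=${1:-5}
    summarize_illegal_users | awk -v t="$threshold" '$2 >= t { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_illegal_users
```

Feed it the real log with `grep 'Illegal user' /var/log/auth.log | summarize_illegal_users` to get the same summary for your own host.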