Date:      Tue, 15 Nov 2011 15:38:41 -0500
From:      Allen <Unix.Hacker@comcast.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Breakin attempt
Message-ID:  <4EC2CDD1.6040201@comcast.net>
In-Reply-To: <20111024180745.N45635@crusader.bac.edu>
References:  <000001cc90c0$a0c16050$e24420f0$@org> <20111024180745.N45635@crusader.bac.edu>

On 10/24/2011 6:08 PM, William Myers wrote:
> I'm seeing the same thing from the same IP addresses.
>
> William Myers
> Associate Professor, Computer Studies
> 100 Belmont-Mount Holly Road
> Belmont Abbey College
> Belmont, NC 28012-1802
> (704) 461-6823
> FAX: (704) 461-5051
> myers@crusader.bac.edu
>
> On Sat, 22 Oct 2011, Admin ValhallaProjectet wrote:
>
>> Hello all
>>
>>
>>
>> FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat
>> Oct 22
>> 10:14:48 CEST 2011 hasse@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN
>> i386
>>
>> Firewall PF.
>>
>> Blocking China and some other related countries in that region.
>> Disabled ssh root logins
>>
>>
>>
>> Apparently, I'm under some kind of attack, for the last 3 days.
>>
>> Lots of attempts to ssh in as root from many different IP addresses.
>>
>> No bruteforce attempts.
>>
>> This just puzzles me. Using all these resources ? To achieve what ?
>>
>> Below is a one hour snip from my auth.log
>>
>> Nothing unusual in pflog
>>
>> Appreciate all ideas of how to proceed with this matter.
>>
>>
>>
>> Best regards, Hasse
*SNIP*

I wouldn't worry much about this personally; it looks like bots. Have 
you patched everything? Have you considered moving SSH and other known 
ports to different ports?

Most canned exploits are going to use common methods. Therefore, if you 
patch your system, and move all services running to a non-standard port, 
a lot of things no longer work. It's sort of like changing your system 
around in Windows to kill off most viruses that are coded in such a manner 
that simply moving directories around completely disables their 
ability to work.

Basically: patch your system, and keep it updated with security and bug 
fixes; change the ports used by services to non-standard ones. Don't 
ever allow root to log in remotely, and keep your filters running. Once 
you change the ports, most exploits and bots cease to function, so you 
don't really have to worry much about it.

I know of some people who actually just block all traffic except what 
they want allowed, and even then, they've got it running on non-standard 
ports, and they block all of China, and even though I consider 
it a little racist to do that, they say it works well.

-Allen
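Hasse's observation (many root attempts from many addresses, no single-source brute force) and Allen's two concrete recommendations (no remote root login, sshd on a non-standard port) can both be checked from the command line. The following Python script is an added example written for this archive page; it is not code from anyone in the thread. It counts failed sshd logins per source address in a constructed set of FreeBSD-style auth.log lines (the thread's own snip was cut), classifies the shape of the activity, and audits an sshd_config for an explicit PermitRootLogin no and a Port other than 22. The sample log lines, the sample configs, port 2222 and the two thresholds are assumptions, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample of FreeBSD-style /var/log/auth.log lines (not the snip
# from the thread, which was cut). Addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Oct 22 10:14:52 host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct 22 10:15:03 host sshd[1203]: error: PAM: authentication error for root from 203.0.113.15
Oct 22 10:15:41 host sshd[1207]: Invalid user admin from 192.0.2.44
Oct 22 10:16:10 host sshd[1209]: Failed password for root from 192.0.2.44 port 51000 ssh2
Oct 22 10:18:30 host sshd[1212]: Failed password for root from 203.0.113.15 port 43210 ssh2
Oct 22 10:20:02 host sshd[1215]: Accepted publickey for hasse from 192.0.2.10 port 50001 ssh2
Oct 22 10:25:44 host sshd[1220]: Failed password for root from 198.51.100.9 port 41111 ssh2
"""

# Message shapes sshd writes on a failed login; the third is the PAM form seen on FreeBSD.
FAILED_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(\S+) from ([\d.]+)"),
    re.compile(r"Invalid user (\S+) from ([\d.]+)"),
    re.compile(r"error: PAM: authentication error for (?:illegal user )?(\S+) from ([\d.]+)"),
]

# Thresholds are assumptions chosen for this example, not values from the thread.
BRUTE_FORCE_PER_IP = 10   # this many tries from one address looks like a brute force
DISTRIBUTED_MIN_IPS = 3   # this many addresses with a few tries each looks like a botnet


def failed_logins(log_text):
    """Return (user, source_ip) for every failed sshd login found in the log text."""
    events = []
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue
        for pattern in FAILED_PATTERNS:
            match = pattern.search(line)
            if match:
                events.append((match.group(1), match.group(2)))
                break
    return events


def summarize(events):
    """Count attempts per source address and classify the overall shape of the activity."""
    per_ip = Counter(ip for _, ip in events)
    max_per_ip = max(per_ip.values()) if per_ip else 0
    if not events:
        shape = "none"
    elif max_per_ip >= BRUTE_FORCE_PER_IP:
        shape = "brute force from few sources"
    elif len(per_ip) >= DISTRIBUTED_MIN_IPS:
        shape = "distributed low-rate"   # many addresses, a handful of tries each
    else:
        shape = "sporadic"
    return {
        "attempts": len(events),
        "root_attempts": sum(1 for user, _ in events if user == "root"),
        "source_ips": len(per_ip),
        "max_per_ip": max_per_ip,
        "shape": shape,
        "top_sources": per_ip.most_common(5),
    }


def audit_sshd_config(config_text):
    """Check an sshd_config for the two settings the reply asks for: root login off, non-default port.

    Assumes the plain 'Keyword value' form with no Match blocks. As sshd does, the first
    occurrence of a keyword wins and keywords are case-insensitive."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments, so '#Port 22' is not a setting
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    findings = []
    root = settings.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set explicitly; defaults differ between OpenSSH versions, set it to 'no'")
    elif root.lower() != "no":
        findings.append("PermitRootLogin is '%s', not 'no'" % root)
    if settings.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    return findings


# Constructed configs: one left at defaults, one with the reply's two changes (2222 is a placeholder port).
SSHD_CONFIG_DEFAULT = """\
#Port 22
#PermitRootLogin no
Subsystem sftp /usr/libexec/sftp-server
"""
SSHD_CONFIG_HARDENED = """\
Port 2222
PermitRootLogin no
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    report = summarize(failed_logins(SAMPLE_AUTH_LOG))
    for key, value in report.items():
        print("%-14s %s" % (key, value))
    for name, cfg in (("default", SSHD_CONFIG_DEFAULT), ("hardened", SSHD_CONFIG_HARDENED)):
        print("%s sshd_config: %s" % (name, audit_sshd_config(cfg) or ["ok"]))
```

Run against a real /var/log/auth.log by reading the file into failed_logins(); the "distributed low-rate" shape is exactly the pattern Hasse describes, many addresses with one or two tries each, which per-address rate limiting will not catch, whereas the sshd_config changes in the reply remove the root target and the default port those bots are aimed at.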



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4EC2CDD1.6040201>