Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: what to do?

from [Bow Sineath] Network Security [Permanent Link]
Subject: Re: what to do?
Date: Fri, 26 Aug 2005 20:57:31 -0400
Unfortuately these types of attacks are fairly common. I see them on a regular basis and they have yet to cause me any problems. That doesn't mean that they aren't a security risk however.

I typically watch for the attacks and use ipfw or tcp wrappers to deny connections from IP blocks that show up in my logs. In your case I would deny connections from 80.68.0.0/16, however that will deny anyone from the 80.68.0.0 subnet. If you feel that these attacks are a serious threat then I would recommend doing the reverse and only allowing certain IP addresses through your firewall to sshd.

Also, make sure that all of the accounts on your machine have secure passwords. I would also recommend editing your sshd_config file and editing the AllowUsers line (also set PermitRootLogin to no). There are also some active intrusion detection systems that will detect failed connection attempts and automatically block IP addresses that have too many failed connections (I believe portsentry does this). There are a lot of ways you can deal with these attacks but to be honest, the best way is to just make sure all the accounts on your system have secure passwords and properly configure sshd. I block the IPs just to keep my logs clean and prevent any future, more advanced attacks.

Bow Sineath
Class of 2006, the Citadel
sineathj1@citadel.edu - bow.sineath@gmail.com

----- Original Message ----- From: "Bill Smith" <vinet138@yahoo.com>
To: <security-basics@securityfocus.com>
Sent: Thursday, August 25, 2005 3:30 AM
Subject: what to do?


Hi Guys,

I noticed that someone is trying to hacker into my
machine. Please see below is the content of
/var/log/security.
what I would like some advice of you guys is, what
will I do with these people?
btw, I do have FW

Cheers,

Bill

Aug 24 17:56:28 tiger sshd[8229]: Invalid user golfer
from 80.68.204.50
Aug 24 17:56:28 tiger sshd[8231]: Invalid user golfer
from 80.68.204.50
Aug 24 17:56:29 tiger sshd[8233]: Invalid user golfer
from 80.68.204.50
Aug 24 17:56:30 tiger sshd[8235]: Invalid user golf
from 80.68.204.50
Aug 24 17:56:31 tiger sshd[8237]: Invalid user golf
from 80.68.204.50
Aug 24 17:56:32 tiger sshd[8239]: Invalid user goose
from 80.68.204.50
Aug 24 17:56:32 tiger sshd[8241]: Invalid user goose
from 80.68.204.50
Aug 24 17:56:33 tiger sshd[8243]: Invalid user goose
from 80.68.204.50
Aug 24 17:56:34 tiger sshd[8245]: Invalid user gorges
from 80.68.204.50
Aug 24 17:56:35 tiger sshd[8247]: Invalid user gorges
from 80.68.204.50
Aug 24 17:56:35 tiger sshd[8249]: Invalid user gorges
from 80.68.204.50
Aug 24 17:56:36 tiger sshd[8251]: Invalid user gosling
from 80.68.204.50
Aug 24 17:56:37 tiger sshd[8253]: Invalid user gosling
from 80.68.204.50
Aug 24 17:56:38 tiger sshd[8255]: Invalid user gosling
from 80.68.204.50
Aug 24 17:56:38 tiger sshd[8257]: Invalid user gouge
from 80.68.204.50
Aug 24 17:56:39 tiger sshd[8259]: Invalid user gouge
from 80.68.204.50
Aug 24 17:56:40 tiger sshd[8261]: Invalid user gouge
from 80.68.204.50
Aug 24 17:56:40 tiger sshd[8263]: Invalid user graham
from 80.68.204.50
Aug 24 17:56:41 tiger sshd[8265]: Invalid user graham
from 80.68.204.50
Aug 24 17:56:42 tiger sshd[8267]: Invalid user graham
from 80.68.204.50
Aug 24 17:56:42 tiger sshd[8269]: Invalid user grahm
from 80.68.204.50
Aug 24 17:56:43 tiger sshd[8271]: Invalid user grahm
from 80.68.204.50
Aug 24 17:56:44 tiger sshd[8273]: Invalid user grahm
from 80.68.204.50
Aug 24 17:56:44 tiger sshd[8275]: Invalid user grandpa
from 80.68.204.50
Aug 24 17:56:45 tiger sshd[8277]: Invalid user grandpa
from 80.68.204.50
Aug 24 17:56:46 tiger sshd[8279]: Invalid user grandpa
from 80.68.204.50
Aug 24 17:56:47 tiger sshd[8281]: Invalid user green
from 80.68.204.50
Aug 24 17:56:48 tiger sshd[8283]: Invalid user green
from 80.68.204.50
Aug 24 17:56:48 tiger sshd[8285]: Invalid user green
from 80.68.204.50
Aug 24 17:56:49 tiger sshd[8287]: Invalid user grey
from 80.68.204.50
Aug 24 17:56:50 tiger sshd[8289]: Invalid user grey
from 80.68.204.50
Aug 24 17:56:50 tiger sshd[8291]: Invalid user grey
from 80.68.204.50
Aug 24 17:56:51 tiger sshd[8293]: Invalid user group
from 80.68.204.50
Aug 24 17:56:52 tiger sshd[8295]: Invalid user group
from 80.68.204.50
Aug 24 17:56:52 tiger sshd[8297]: Invalid user group
from 80.68.204.50
Aug 24 17:56:53 tiger sshd[8299]: Invalid user gryphon
from 80.68.204.50
Aug 24 17:56:54 tiger sshd[8301]: Invalid user gryphon
from 80.68.204.50
Aug 24 17:56:54 tiger sshd[8303]: Invalid user gryphon
from 80.68.204.50
Aug 24 17:56:55 tiger sshd[8305]: Invalid user gucci
from 80.68.204.50


__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Windows Server 2000 port lock down, Ansgar -59cobalt- Wiechers
Next by Date:  Re: FW: Your opinion on Skype, cc
Previous by Thread:  Re: what to do?, Robert Escue
Next by Thread:  Re: what to do?, Leif Ericksen
Indexes:  [Date] [Thread] [Top] [All Lists]