Hi Shawn.
This seems to be an on-going script attack. I also see the
script-not-so-kiddy is spoofing their address, a natural reaction to a few
unpleasant calls from the ISP to drop the fun :-)
I would suggest you check spoofing protection settings in your kernel
http://ldp.paradoxical.co.uk/HOWTO/Cipe+Masq-6.html
cat /proc/sys/net/ipv4/conf/all/rp_filter
you should have a 1 there, if not echo 1 there, and spoofing protection would
be on, you may also want to do that on all your interfaces, but I think you
only have one :-)
Cheers
Szemir
On April 18, 2005 00:41, Shawn wrote:
> Hi all.
>
> I have a server running SSH, and am noticing a lot of attempts to log in
> from a few specific IP addresses. I know these addresses are not
> authorized attempts, and recognize them as a scripted probe. But, I'd like
> to block these attempts at the firewall if I can. The downside is that I
> can't just create a forwarding rule for a specific IP address. The
> authorized people are mobile, and will be connecting from a number of
> different/random IP addresses - but they won't be failing a bunch of times
> in less than a few minutes...
>
> So, I thought about building a banned list of IPs, but the GUI for IPCop
> doesn't seem to support this. I also have tried to update the Snort rules,
> but these seem to be allowing the attacks through still. I would prefer an
> IDS rule that can recognize these attacks and block them, but I don't know
> snort that well... Failing that, I'm trying to figure out the "right" way
> to build a banned list.
>
> Thanks in advance for any tips.
>
> Shawn
>
> here's a sample of my SSH logs:
> Apr 15 17:34:17 [sshd] Invalid user ionel from 24.56.145.29
> Apr 15 17:34:18 [sshd] Invalid user edu from 24.56.145.29
> Apr 15 17:34:21 [sshd] Invalid user gov from 24.56.145.29
> Apr 15 17:34:23 [sshd] Invalid user mil from 24.56.145.29
> Apr 15 17:34:25 [sshd] Invalid user army from 24.56.145.29
> Apr 15 17:34:29 [sshd] Invalid user card from 24.56.145.29
> Apr 15 17:34:31 [sshd] Invalid user hack from 24.56.145.29
> Apr 15 17:34:33 [sshd] Invalid user idiot from 24.56.145.29
> Apr 15 17:34:35 [sshd] Invalid user mama from 24.56.145.29
> Apr 15 17:34:37 [sshd] Invalid user parinte from 24.56.145.29
> Apr 15 17:34:39 [sshd] Invalid user religie from 24.56.145.29
> Apr 15 17:34:41 [sshd] Invalid user zeus from 24.56.145.29
> Apr 16 05:35:06 [sshd] Did not receive identification string from
> 67.19.157.18
> Apr 16 05:41:04 [sshd] reverse mapping checking getaddrinfo for
> 18.67-19-157.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Apr 16 05:41:05 [sshd] Invalid user patrick from 67.19.157.18
> Apr 16 05:41:05 [sshd] reverse mapping checking getaddrinfo for
> 18.67-19-157.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Apr 16 05:41:05 [sshd] Invalid user patrick from 67.19.157.18
> Apr 16 05:41:05 [sshd] reverse mapping checking getaddrinfo for
> 18.67-19-157.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> <SNIP>
> Apr 16 06:25:27 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:30 [sshd] Invalid user claudius from 166.70.185.52
> Apr 16 06:25:30 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:33 [sshd] Invalid user officeinn from 166.70.185.52
> Apr 16 06:25:33 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:35 [sshd] Invalid user sly from 166.70.185.52
> Apr 16 06:25:35 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:38 [sshd] Invalid user xman from 166.70.185.52
> Apr 16 06:25:38 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:41 [sshd] Invalid user tehnolog from 166.70.185.52
> Apr 16 06:25:41 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:44 [sshd] Invalid user ambulator from 166.70.185.52
> Apr 16 06:25:44 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:47 [sshd] Invalid user calcul from 166.70.185.52
> Apr 16 06:25:47 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:51 [sshd] Invalid user contat from 166.70.185.52
> Apr 16 06:25:51 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:54 [sshd] Invalid user diabet from 166.70.185.52
> Apr 16 06:25:54 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:25:57 [sshd] Invalid user drweb from 166.70.185.52
> Apr 16 06:25:58 [sshd] Address 166.70.185.52 maps to
> 53.185.70.166.altazip.com, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Apr 16 06:26:01 [sshd] Invalid user echopedi from 166.70.185.52
>
> _______________________________________________
> clug-talk mailing list
> [email protected]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> **Please remove these lines when replying
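The threshold Shawn describes (many failed logins from one address in a few minutes, which legitimate mobile users will not produce) can be turned into a banned list by parsing the sshd log. The script below is an added example, not code from either poster; it works on a handful of lines taken from the sample in the post, assumes the log year is 2005 (syslog omits it), and emits the iptables rules a firewall such as IPCop could apply.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Lines taken from the SSH log excerpt in Shawn's post (constructed subset).
SAMPLE_LOG = """\
Apr 15 17:34:17 [sshd] Invalid user ionel from 24.56.145.29
Apr 15 17:34:18 [sshd] Invalid user edu from 24.56.145.29
Apr 15 17:34:21 [sshd] Invalid user gov from 24.56.145.29
Apr 15 17:34:23 [sshd] Invalid user mil from 24.56.145.29
Apr 16 05:35:06 [sshd] Did not receive identification string from 67.19.157.18
Apr 16 05:41:05 [sshd] Invalid user patrick from 67.19.157.18
Apr 16 06:25:30 [sshd] Invalid user claudius from 166.70.185.52
Apr 16 06:25:33 [sshd] Invalid user officeinn from 166.70.185.52
Apr 16 06:25:35 [sshd] Invalid user sly from 166.70.185.52
Apr 16 06:25:38 [sshd] Invalid user xman from 166.70.185.52
"""

# Only "Invalid user ... from <ip>" lines count as a failed attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \[sshd\] "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_failures(text, year=2005):
    """Yield (timestamp, ip) per failed login; year is assumed since syslog drops it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_offenders(text, threshold=3, window_s=120, year=2005):
    """Return {ip: time_of_trigger} for IPs with >= threshold failures in window_s seconds."""
    recent = defaultdict(deque)   # per-IP sliding window of recent failure times
    offenders = {}
    for ts, ip in sorted(parse_failures(text, year)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

def ban_rules(offenders):
    """Render one iptables DROP rule for SSH (tcp/22) per offending address."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(offenders)]

if __name__ == "__main__":
    print("\n".join(ban_rules(find_offenders(SAMPLE_LOG))))
```

With the defaults, 24.56.145.29 and 166.70.185.52 trip the threshold while the single failure from 67.19.157.18 does not; raise the threshold or shrink the window to tune against the traffic you actually see.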