On 8/24/05, ro ro <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I was browsing through my log files and noticed that someone (or many people) is trying to gain illegal access to my server (see snippet from log files below).
>
> The below log file clearly indicates someone trying to hack away at my personal server.
>
> I performed the following steps:
>
> nmap -v 210.0.142.153
>
> and noticed that this person/institution had port 80 and 21 open.
>
> I visited their website and it appears to be someone from Hong Kong.
> http://www.chkpcc.edu.hk/
>
> HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON THEIR WEBSITE
> -------------------------------------------------------------
> Confucian Ho Kwok Pui Chun College 孔教學院何郭佩珍中學
> Address 地址: Fu Shin Est., Taipo, N.T., HKSAR 香港新界大埔富善村
> Tel 電話: 852-2666-5926
> Fax 傳真: 852-2660-7988
> E-mail 電郵: [EMAIL PROTECTED]
> -------------------------------------------------------------
>
> When I saw the logs for the first time, I took the following steps:
> 1) AllowUsers in sshd contained only users that I wanted to have access to my ssh
> 2) Created a decent ruleset within ipfw that permitted incoming access to only two ports, ssh and http
>
> I took the issue of creating a good firewall quite lightly and now I regret that decision... now I have learnt... Can someone provide me with guidance on this issue and advise me on next steps to take action against such losers.
>
> Thanks
> RV
>
> Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
> Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:15 free sshd[22529]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:17 free sshd[22531]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:19 free sshd[22533]: Illegal user admin from 210.0.142.153
> Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:24 free sshd[22537]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:27 free sshd[22539]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:29 free sshd[22541]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:33 free sshd[22543]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:35 free sshd[22545]: User root not allowed because not listed in AllowUsers
> Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
> Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 210.0.142.153
> Aug 23 08:19:42 free sshd[22551]: Illegal user electra from 210.0.142.153
> Aug 23 08:19:44 free sshd[22553]: Illegal user student from 210.0.142.153
> Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
> Aug 23 08:19:49 free sshd[22557]: User mysql not allowed because not listed in AllowUsers
>
> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
>
> Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
> Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
> Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
> Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
> Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
> Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
> Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
> Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
> Aug 14 10:47:58 free sshd[33631]: Illegal user andres from 64.222.146.197
> Aug 14 10:47:59 free sshd[33633]: Illegal user barbara from 64.222.146.197
> Aug 14 10:48:01 free sshd[33635]: Illegal user adine from 64.222.146.197
> Aug 14 10:48:02 free sshd[33637]: Illegal user test from 64.222.146.197
> Aug 14 10:48:04 free sshd[33639]: Illegal user guest from 64.222.146.197
> Aug 14 10:48:07 free sshd[33641]: Illegal user db from 64.222.146.197
>
> Aug 23 08:18:40 free sshd[22499]: Illegal user demo from 210.0.142.153
> Aug 23 08:18:43 free sshd[22501]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:45 free sshd[22503]: Illegal user postmaster from 210.0.142.153
> Aug 23 08:18:47 free sshd[22505]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:49 free sshd[22507]: Illegal user postgres from 210.0.142.153
> Aug 23 08:18:52 free sshd[22509]: Illegal user ftp from 210.0.142.153
> Aug 23 08:18:54 free sshd[22511]: User news not allowed because not listed in AllowUsers
> Aug 23 08:18:56 free sshd[22513]: Illegal user demo from 210.0.142.153
> Aug 23 08:18:58 free sshd[22515]: Illegal user demouser from 210.0.142.153
> Aug 23 08:19:01 free sshd[22517]: User sshd not allowed because not listed in AllowUsers
Yes, this is "normal" malicious traffic; I am just blocking whole netblocks to try and minimize the amount of logins they try. I wrote a Perl script to scan my /etc/access.log file and update my firewall rules if host X attempts Y too many logins. Also, most if not all of the blocks below are Asia netblocks that I have had more than 3 attempts to gain access to my servers.

220.0.0.0/8
202.0.0.0/7
134.208.0.0/16
218.0.0.0/8
210.0.0.0/7
221.0.0.0/8
219.0.0.0/8
195.116.0.0/16
59.0.0.0/8
195.133.91.0/24
222.0.0.0/8

-Erik-
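Erik's Perl script is not in the thread; the following is an added Python sketch of the same idea (my example, not Erik's code or anything from the list): count `Illegal user ... from <ip>` lines per source address and emit one ipfw deny rule per host that crosses a threshold, blocking single hosts rather than whole netblocks. It also shows a caveat visible in RV's logs: the `User ... not allowed because not listed in AllowUsers` lines carry no source address in this log format, so they can be counted but not attributed to a host. The sample lines are constructed from the ones quoted above; the rule numbers and port 22 are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the sshd lines quoted earlier in the thread.
SAMPLE_LOG = """\
Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
"""

# "Illegal user <name> from <ip>" carries the source address ...
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user \S+ from (\d{1,3}(?:\.\d{1,3}){3})\s*$")
# ... but the AllowUsers rejection does not, so it can only be counted, not attributed.
NOT_ALLOWED = re.compile(r"sshd\[\d+\]: User \S+ not allowed because not listed in AllowUsers")

def count_failures(log_text):
    """Return (failed logins per source IP, number of rejections with no source IP)."""
    per_ip = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            per_ip[m.group(1)] += 1
        elif NOT_ALLOWED.search(line):
            unattributed += 1
    return per_ip, unattributed

def offenders(per_ip, threshold=3):
    """Hosts that reached the threshold, sorted so rule numbering is stable."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

def ipfw_rules(ips, first_rule=1000, ssh_port=22):
    """One ipfw deny rule per offending host (rule numbers and port are assumptions).
    ipfw evaluates rules in number order, so first_rule must sit below the ssh allow rule."""
    return [f"ipfw add {first_rule + i} deny tcp from {ip} to me dst-port {ssh_port}"
            for i, ip in enumerate(ips)]

if __name__ == "__main__":
    per_ip, skipped = count_failures(SAMPLE_LOG)
    for rule in ipfw_rules(offenders(per_ip)):
        print(rule)  # review the output before feeding it to sh
    print(f"# {skipped} AllowUsers rejection(s) had no source address")
```

On the sample, only 210.0.142.153 reaches the threshold of 3, so a single deny rule is produced and the one AllowUsers rejection is reported as unattributed.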
_______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"