I just discovered by chance that someone is
constantly trying to break into my OpenBSD box from:
201.244.17.162 [corporativos24417-162.etb.net.co]
203.113.85.26
211.20.79.85
71.159.221.78
82.207.116.209
The whois details on each IP go to South America, Bangkok,
Taiwan... all over the world! Although I have sent
email to the email address in the whois output, the
attacker may be spoofing the IP.
By the pattern of attempts I can tell it is the same
user. I am asking the community's help on how to
block and, more properly, punish this unethical user.
This user is running the attack constantly. I will
have to shut down the box for now and come back at a
later time when someone has posted some solution on
the list.
My box is behind a router/NAT which is allowing ssh. I
am not sure how this guy can get to my box, which has a
private IP address, from the internet through the firewall.
I looked for blocking access depending on source IP in
my DSL router, but it is not that versatile.
I have now also set up hosts.allow and DenyUsers/Groups
in the ssh config. Is that enough?
Here are some excerpts from my logs:
Nov 9 03:24:51 <myserver> sshd[15822]: Did not receive identification string from 218.76.217.234
Nov 10 16:55:19 <myserver> sshd[29183]: Did not receive identification string from 82.207.116.209
Nov 10 16:58:58 <myserver> sshd[21261]: Failed password for root from 82.207.116.209 port 35194 ssh2
Nov 10 16:58:59 <myserver> sshd[5372]: Received disconnect from 82.207.116.209: 11: Bye Bye
Nov 17 07:41:15 <myserver> sshd[3254]: Failed password for root from 219.145.142.30 port 55232 ssh2
Nov 17 07:41:15 <myserver> sshd[27682]: Received disconnect from 219.145.142.30: 11: Bye Bye
Nov 21 07:51:16 <myserver> sshd[12865]: Did not receive identification string from 201.244.17.162
Nov 21 07:53:38 <myserver> sshd[18020]: reverse mapping checking getaddrinfo for corporativos24417-162.etb.net.co [201.244.17.162] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 21 07:53:38 <myserver> sshd[18020]: Failed password for root from 201.244.17.162 port 56137 ssh2
Nov 21 07:53:38 <myserver> sshd[19158]: Received disconnect from 201.244.17.162: 11: Bye Bye
and,
Nov 21 08:20:56 <myserver> sshd[13104]: Did not receive identification string from 222.231.60.88
Nov 21 15:58:25 <myserver> sshd[16851]: Did not receive identification string from 82.207.116.209
Nov 21 16:00:46 <myserver> sshd[23577]: Failed password for root from 82.207.116.209 port 55925 ssh2
Nov 21 16:00:46 <myserver> sshd[6084]: Received disconnect from 82.207.116.209: 11: Bye Bye
and,
Nov 22 00:46:33 <myserver> sshd[18504]: Did not receive identification string from 61.159.228.193
Nov 22 08:41:41 <myserver> sshd[2410]: Did not receive identification string from 71.159.221.78
Nov 22 08:42:25 <myserver> sshd[9687]: Failed password for root from 71.159.221.78 port 63731 ssh2
Nov 22 08:42:25 <myserver> sshd[8814]: Received disconnect from 71.159.221.78: 11: Bye Bye
and,
Nov 23 23:14:08 <myserver> sshd[26235]: Failed password for root from 211.20.79.85 port 54407 ssh2
Nov 23 23:14:08 <myserver> sshd[16180]: Received disconnect from 211.20.79.85: 11: Bye Bye
This is interesting...
$ whois 71.159.221.78
AT&T Internet Services SBCIS-SIS80 (NET-71-128-0-0-1) 71.128.0.0 - 71.159.255.255
ECLIPSE MARKETING-060311011540 SBC07115922107229060311011557 (NET-71-159-221-72-1) 71.159.221.72 - 71.159.221.79
# ARIN WHOIS database, last updated 2007-11-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
$
$ whois 201.244.17.162
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY
ReferralServer: whois://whois.lacnic.net
NetRange: 201.0.0.0 - 201.255.255.255
CIDR: 201.0.0.0/8
NetName: LACNIC-201
NetHandle: NET-201-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: NS2.DNS.BR
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS3.AFRINIC.NET
Comment: This IP address range is under LACNIC responsibility
Comment: for further allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details,
Comment: or check the WHOIS server located at whois.lacnic.net
RegDate: 2003-04-03
Updated: 2006-10-23
OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Whois Info
OrgTechPhone:
OrgTechEmail: [EMAIL PROTECTED]
# ARIN WHOIS database, last updated 2007-11-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2007-11-25 03:07:31 (BRST -02:00)
inetnum: 201.244.17.160/29
status: reallocated
owner: UNIVERSIDAD ANTONIO NARIÑO MEDELLIN
ownerid: CO-UANM-LACNIC
responsible: CARLOS ALBERTO LOPEZ VERA
address: Avda. La Playa Calle 52 No, 40, 88
address: 9999 - Medellin - An
country: CO
phone: +57 4 2161003 []
owner-c: CAV11
tech-c: CAV11
created: 20070212
changed: 20070212
inetnum-up: 201.244/16
nic-hdl: CAV11
person: CARLOS ALBERTO LOPEZ VERA
e-mail: [EMAIL PROTECTED]
address: Avda. La Playa Calle 52 No, 40, 88
address: 9999 - Medellin - An
country: CO
phone: +57 4 2161003 []
created: 20070212
changed: 20070212
% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
Sorry for the discomfort.
-BG
________________________________
~~Kalyan-mastu~~
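Added example, not part of the post or of any reply to it: a small Python script that parses sshd log lines in the syslog format quoted above, counts failed-password and missing-identification-string events per source address, and flags the sources a defender would want to block. The sample lines are constructed (documentation-range addresses, made-up PIDs and hostname); the function names and the failure threshold are this example's own assumptions, not anything from the list.

```python
import re
from collections import defaultdict

# Constructed sample in the same syslog format as the sshd excerpts quoted in
# the post. Hostname, PIDs and addresses are made up (RFC 5737 ranges).
SAMPLE_LOG = """\
Nov 21 07:51:16 myserver sshd[12865]: Did not receive identification string from 198.51.100.7
Nov 21 07:53:38 myserver sshd[18020]: Failed password for root from 198.51.100.7 port 56137 ssh2
Nov 21 07:53:38 myserver sshd[19158]: Received disconnect from 198.51.100.7: 11: Bye Bye
Nov 21 07:54:01 myserver sshd[18021]: Failed password for root from 198.51.100.7 port 56201 ssh2
Nov 21 07:54:22 myserver sshd[18022]: Failed password for invalid user admin from 198.51.100.7 port 56240 ssh2
Nov 21 08:20:56 myserver sshd[13104]: Did not receive identification string from 203.0.113.9
Nov 21 16:00:46 myserver sshd[23577]: Failed password for root from 203.0.113.9 port 55925 ssh2
Nov 21 16:00:46 myserver sshd[6084]: Received disconnect from 203.0.113.9: 11: Bye Bye
Nov 21 16:02:10 myserver sshd[23580]: Failed password for bob from 192.0.2.77 port 40120 ssh2
Nov 21 16:03:00 myserver sshd[23581]: Accepted publickey for bob from 192.0.2.77 port 40121 ssh2
"""

# "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# Client connected but never sent its protocol banner: typical of port scanners.
NOIDENT_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_sshd_log(text):
    """Aggregate sshd authentication noise per source address.

    Returns {ip: {"failed": n, "noident": n, "users": set_of_usernames}}.
    Successful logins and "Received disconnect" lines are deliberately ignored.
    """
    per_ip = defaultdict(lambda: {"failed": 0, "noident": 0, "users": set()})
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rec = per_ip[m.group("ip")]
            rec["failed"] += 1
            rec["users"].add(m.group("user"))
            continue
        m = NOIDENT_RE.search(line)
        if m:
            per_ip[m.group("ip")]["noident"] += 1
    return dict(per_ip)


def offenders(per_ip, max_failed=2):
    """Addresses worth blocking: more than max_failed failed passwords, or any
    password attempt against root.

    Root is treated as an immediate signal because a box that keeps
    PermitRootLogin off has no legitimate reason to see one. The threshold
    is an assumption for this example, tune it to the host's real traffic.
    """
    flagged = [
        ip for ip, rec in per_ip.items()
        if rec["failed"] > max_failed or "root" in rec["users"]
    ]
    return sorted(flagged)


def report(per_ip):
    """Human-readable summary, busiest source first."""
    lines = []
    for ip in sorted(per_ip, key=lambda k: (-per_ip[k]["failed"], k)):
        rec = per_ip[ip]
        users = ",".join(sorted(rec["users"]))
        lines.append(f"{ip:15} failed={rec['failed']} noident={rec['noident']} users={users}")
    return lines


if __name__ == "__main__":
    stats = parse_sshd_log(SAMPLE_LOG)
    print("\n".join(report(stats)))
    print("block:", " ".join(offenders(stats)))
```

Run it against /var/log/authlog instead of the constructed sample to get a per-source view of the noise shown in the post. On OpenBSD the flagged addresses can be fed into a pf table (for example with `pfctl -t <table> -T add <address>`) that a `block in quick from <table>` rule references, which gives the per-source blocking the DSL router cannot do; setting `PermitRootLogin no` in sshd_config removes the account every one of the quoted attempts was aimed at.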