On Nov 26, 2007 9:56 PM, badeguruji <[EMAIL PROTECTED]> wrote:
> I just discovered by chance that someone is constantly trying to break
> into my openbsd box from: ,...
>
> whois details on each IP go to South America, Bangkok, Taiwan... all
> over the world! Although I have sent email to the email address in the
> whois output, the attacker may be spoofing the IP.
>
> By the pattern of attempts I can tell it is the same user. I am asking
> the community's help on how to block and, more properly, punish this
> unethical user. This user is running the attack constantly. I will
> have to shut down the box for now and come back at a later time when
> someone has posted some solution on the list.

Punish??? Besides that being entirely impossible, what do you think the
internet is, some kind of vigilante-infested cesspool? No, that's the web.
On the internet we aren't all out to--nor even able to--get at each other.
You should know what a DDoS is, right? Your only hope is to try to do
something in pf like rate limiting the spam connections.

> My box is behind a router-NAT which is allowing ssh. I am not sure how
> this guy can get to my box, which has a pvt IP address, from the
> internet thru the firewall.
>
> I looked for blocking access depending on source IP in my dsl-router,
> but it is not that versatile.
>
> I have now also set up hosts.allow and DenyUsers/Groups in the ssh
> config. Is that enough?
>
> Here are some excerpts from my logs:
>
> Nov 9 03:24:51 <myserver> sshd[15822]: Did not receive identification string from 218.76.217.234
>
> Nov 10 16:55:19 <myserver> sshd[29183]: Did not receive identification string from 82.207.116.209
> Nov 10 16:58:58 <myserver> sshd[21261]: Failed password for root from 82.207.116.209 port 35194 ssh2
> Nov 10 16:58:59 <myserver> sshd[5372]: Received disconnect from 82.207.116.209: 11: Bye Bye
>
> Nov 17 07:41:15 <myserver> sshd[3254]: Failed password for root from 219.145.142.30 port 55232 ssh2
> Nov 17 07:41:15 <myserver> sshd[27682]: Received disconnect from 219.145.142.30: 11: Bye Bye
>
> Nov 21 07:51:16 <myserver> sshd[12865]: Did not receive identification string from 201.244.17.162
> Nov 21 07:53:38 <myserver> sshd[18020]: reverse mapping checking getaddrinfo for corporativos24417-162.etb.net.co [201.244.17.162] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 21 07:53:38 <myserver> sshd[18020]: Failed password for root from 201.244.17.162 port 56137 ssh2
> Nov 21 07:53:38 <myserver> sshd[19158]: Received disconnect from 201.244.17.162: 11: Bye Bye
>
> and,
>
> Nov 21 08:20:56 <myserver> sshd[13104]: Did not receive identification string from 222.231.60.88
> Nov 21 15:58:25 <myserver> sshd[16851]: Did not receive identification string from 82.207.116.209
> Nov 21 16:00:46 <myserver> sshd[23577]: Failed password for root from 82.207.116.209 port 55925 ssh2
> Nov 21 16:00:46 <myserver> sshd[6084]: Received disconnect from 82.207.116.209: 11: Bye Bye
>
> and,
> Nov 22 00:46:33 <myserver> sshd[18504]: Did not receive identification string from 61.159.228.193
> Nov 22 08:41:41 <myserver> sshd[2410]: Did not receive identification string from 71.159.221.78
> Nov 22 08:42:25 <myserver> sshd[9687]: Failed password for root from 71.159.221.78 port 63731 ssh2
> Nov 22 08:42:25 <myserver> sshd[8814]: Received disconnect from 71.159.221.78: 11: Bye Bye
>
> and,
> Nov 23 23:14:08 <myserver> sshd[26235]: Failed password for root from 211.20.79.85 port 54407 ssh2
> Nov 23 23:14:08 <myserver> sshd[16180]: Received disconnect from 211.20.79.85: 11: Bye Bye
>
>
> this is interesting...
> $ whois 71.159.221.78
> AT&T Internet Services SBCIS-SIS80 (NET-71-128-0-0-1)
>                                    71.128.0.0 - 71.159.255.255
> ECLIPSE MARKETING-060311011540 SBC07115922107229060311011557 (NET-71-159-221-72-1)
>                                    71.159.221.72 - 71.159.221.79
>
> # ARIN WHOIS database, last updated 2007-11-24 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
> $
>
> $ whois 201.244.17.162
>
> OrgName:    Latin American and Caribbean IP address Regional Registry
> OrgID:      LACNIC
> Address:    Rambla Republica de Mexico 6125
> City:       Montevideo
> StateProv:
> PostalCode: 11400
> Country:    UY
>
> ReferralServer: whois://whois.lacnic.net
>
> NetRange:   201.0.0.0 - 201.255.255.255
> CIDR:       201.0.0.0/8
> NetName:    LACNIC-201
> NetHandle:  NET-201-0-0-0-1
> Parent:
> NetType:    Allocated to LACNIC
> NameServer: NS.LACNIC.NET
> NameServer: NS2.DNS.BR
> NameServer: TINNIE.ARIN.NET
> NameServer: NS-SEC.RIPE.NET
> NameServer: SEC3.APNIC.NET
> NameServer: NS3.AFRINIC.NET
> Comment:    This IP address range is under LACNIC responsibility
> Comment:    for further allocations to users in LACNIC region.
> Comment:    Please see http://www.lacnic.net/ for further details,
> Comment:    or check the WHOIS server located at whois.lacnic.net
> RegDate:    2003-04-03
> Updated:    2006-10-23
>
> OrgTechHandle: LACNIC-ARIN
> OrgTechName:   LACNIC Whois Info
> OrgTechPhone:
> OrgTechEmail:  [EMAIL PROTECTED]
>
> # ARIN WHOIS database, last updated 2007-11-24 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> % Joint Whois - whois.lacnic.net
> % This server accepts single ASN, IPv4 or IPv6 queries
>
> % Copyright LACNIC lacnic.net
> % The data below is provided for information purposes
> % and to assist persons in obtaining information about or
> % related to AS and IP numbers registrations
> % By submitting a whois query, you agree to use this data
> % only for lawful purposes.
> % 2007-11-25 03:07:31 (BRST -02:00)
>
> inetnum:     201.244.17.160/29
> status:      reallocated
> owner:       UNIVERSIDAD ANTONIO NARIÑO MEDELLIN
> ownerid:     CO-UANM-LACNIC
> responsible: CARLOS ALBERTO LOPEZ VERA
> address:     Avda. La Playa Calle 52 No, 40, 88
> address:     9999 - Medellin - An
> country:     CO
> phone:       +57 4 2161003 []
> owner-c:     CAV11
> tech-c:      CAV11
> created:     20070212
> changed:     20070212
> inetnum-up:  201.244/16
>
> nic-hdl:     CAV11
> person:      CARLOS ALBERTO LOPEZ VERA
> e-mail:      [EMAIL PROTECTED]
> address:     Avda. La Playa Calle 52 No, 40, 88
> address:     9999 - Medellin - An
> country:     CO
> phone:       +57 4 2161003 []
> created:     20070212
> changed:     20070212
>
> % whois.lacnic.net accepts only direct match queries.
> % Types of queries are: POCs, ownerid, CIDR blocks, IP
> % and AS numbers.
>
>
> Sorry for the discomfort.
>
> -BG
>
>
> ________________________________
> ~~Kalyan-mastu~~
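The pf rate limiting the reply points at, worked through as an added example that is not from either poster: a POSIX shell script that (a) pulls the repeat offenders out of sshd log lines of the kind quoted above and (b) emits the pf.conf fragment and pfctl commands that block them. It assumes the OpenBSD box runs pf itself with its outside interface in the egress group, and that the DSL router forwards port 22 with the usual destination-only NAT, so the source addresses in the log are the ones pf sees. The table name bruteforce, the thresholds, and the sample log lines (built from the excerpts in the post) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: find brute-force sources in sshd
# log lines and feed them into a pf table that a rate-limit rule also fills.
set -eu

# Constructed sample input, modelled on the log excerpts in the post.
SAMPLE_LOG='Nov 10 16:55:19 myserver sshd[29183]: Did not receive identification string from 82.207.116.209
Nov 10 16:58:58 myserver sshd[21261]: Failed password for root from 82.207.116.209 port 35194 ssh2
Nov 10 16:58:59 myserver sshd[5372]: Received disconnect from 82.207.116.209: 11: Bye Bye
Nov 17 07:41:15 myserver sshd[3254]: Failed password for root from 219.145.142.30 port 55232 ssh2
Nov 21 16:00:46 myserver sshd[23577]: Failed password for root from 82.207.116.209 port 55925 ssh2
Nov 22 08:42:25 myserver sshd[9687]: Failed password for root from 71.159.221.78 port 63731 ssh2'

# ssh_offenders MIN: read sshd log lines on stdin and print every source
# address with at least MIN "Failed password" or "Did not receive
# identification string" events. "Received disconnect" lines are ignored,
# since one follows every failure anyway and would double-count.
ssh_offenders() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: (Failed password for|Did not receive identification string from)/ {
            # in both message forms the address is the field right after "from"
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# pf_ssh_ruleset: the pf.conf fragment. SSH is still allowed, but a source
# that opens more than 3 connections in 30 seconds (or holds 10 at once) is
# added to <bruteforce>, has its existing states flushed, and is blocked.
# "egress" is an assumed interface group; substitute the real interface.
pf_ssh_ruleset() {
    cat <<'EOF'
table <bruteforce> persist
block in quick from <bruteforce>
pass in on egress proto tcp to port ssh keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <bruteforce> flush global)
EOF
}

# pf_table_commands MIN: emit the pfctl commands that would seed the table
# from the log (review them, then pipe to sh on the pf host). Nothing is run
# here, so the script is safe to try on a box without pf.
pf_table_commands() {
    ssh_offenders "$1" | while read -r ip; do
        printf 'pfctl -t bruteforce -T add %s\n' "$ip"
    done
    # age entries out after a day so a reassigned dynamic address is not blocked forever
    echo 'pfctl -t bruteforce -T expire 86400'
}

printf '%s\n' "$SAMPLE_LOG" | pf_table_commands 2
pf_ssh_ruleset
```

Two caveats that follow from the quoted logs: every failed attempt is against root, so `PermitRootLogin no` in sshd_config removes the only account these attempts target (and `PasswordAuthentication no`, once keys are in place, removes guessing altogether), and hosts.allow or DenyUsers change which logins could succeed, not how often the source connects, which is what the pf rule above addresses.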