I work at an edu that should know better, and until recently, they pretty much allowed anything. Complete wild wild west. -Josh
On Thu, Mar 11, 2010 at 10:26 AM, Brett <[email protected]> wrote:
> I'm sure with a simple grep and awk I could pull all the user names. But
> they're in order, and fairly large.
>
> I've implemented denyhosts, and I've changed the default ssh port. There
> were no successful logins from that ip.
>
> I'm still surprised at the attack from perdue.edu. I would have thought
> they would have an internal firewall preventing people from doing things
> like this.
>
> Sent from my iPhone
>
> On Mar 11, 2010, at 7:04, Dimitrios Kapsalis <[email protected]> wrote:
>
> I have seen similar on my home pc as well. Running ssh on a windows box so
> the invalid login attempts are being saved in the Event log.
>
> Any way to harvest these user names? To see what is being used by the
> attackers, skimming through the event log it definitely looks to be
> dictionary based.
>
> On Wed, Mar 10, 2010 at 11:22 PM, Matt Erasmus <[email protected]> wrote:
>
>> I wouldn't worry too much about SSH brute force attempts. There are
>> many many of these attacks happening daily and unless you have some
>> stupid user account like "bob" with "bob123" as your password, you
>> should be alright.
>>
>> If you really want to be a little more proactive, take a look at
>> Denyhosts [1] which will help stem the tide. There are also iptables
>> rules which you can use to throttle back the attacks. I'll see if I
>> can dig these up for you.
>>
>> As for logged in users, check your last log or even
>> auth.log/secure.log depending on distro. You could probably script
>> something to alert you should there be a login from elsewhere. But
>> honestly, once that happens it's game over. The time frame from
>> successful login to complete rooting of the server is very very low.
>>
>> For Apache, you should be checking your access/error logs. I haven't
>> had a chance to really look into this though...
>>
>> While I'm thinking about it, check out OSSEC [2]. Very very cool HIDS
>> which runs on Linux/Windows. It'll help a lot with most of your
>> issues.
>>
>> </0.02c>
>>
>> [1] http://denyhosts.sourceforge.net/
>> [2] http://www.ossec.net
>>
>> On 11 March 2010 01:49, Brett <[email protected]> wrote:
>> > I realized I haven't checked my logs on my new server ( bad me ). But
>> > I figured I wouldn't find anything, it's only my personal server. I
>> > checked the logs today to find thousands of login attempts. Most tried
>> > to brute my root password, though I don't have a root user. There were
>> > a bunch of user name attempts for what looked like a name dictionary
>> > attack. Some were from business static ip's and there were even some
>> > from perdu.edu
>> >
>> > Now for my questions. What should I look for to find out if they
>> > actually got in? Parse the auth log for those ip's for a successful
>> > login? I also run a web server on that machine, is there something I
>> > can look for to see if they got into that? Also is there any recourse
>> > I have? Or should I just let it go and harden my server even more?
>>
>> --
>> Matt
>> @z0nbi
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>
--
- Josh
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
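Two questions in the thread above, "any way to harvest these user names?" and "parse the auth log for those ip's for a successful login?", come down to the same small parser over OpenSSH's auth.log. The following is an added example, not code from anyone in the thread. It assumes the standard OpenSSH "Failed password for ..." and "Accepted <method> for ..." message formats; the log excerpt and the hostnames and IP addresses in it are constructed sample data, not the original poster's logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt in OpenSSH's message format. The IPs are
# documentation-range addresses and the host name is made up; none of this is
# real data from the thread.
SAMPLE_AUTH_LOG = """\
Mar 10 23:01:02 srv sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 10 23:01:05 srv sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Mar 10 23:01:09 srv sshd[2105]: Failed password for root from 192.0.2.10 port 51251 ssh2
Mar 10 23:02:11 srv sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 10 23:02:14 srv sshd[2112]: Failed password for brett from 203.0.113.5 port 40004 ssh2
Mar 10 23:02:20 srv sshd[2114]: Accepted password for brett from 203.0.113.5 port 40009 ssh2
Mar 11 07:30:00 srv sshd[2200]: Accepted publickey for brett from 198.51.100.7 port 4433 ssh2
"""

# "invalid user" is present when the account does not exist on the box; either
# way the username the attacker tried is the next token.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+"
)


def parse_auth_log(text):
    """Return (failed, accepted).

    failed   : dict mapping source IP -> Counter of usernames tried against it
    accepted : list of (user, ip, auth_method) for every successful login
    """
    failed = defaultdict(Counter)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed[ip][user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method))
    return failed, accepted


def harvested_usernames(failed):
    """All usernames the attackers tried, across every source IP, most-tried first."""
    total = Counter()
    for per_ip in failed.values():
        total.update(per_ip)
    return total.most_common()


def suspicious_logins(failed, accepted):
    """Successful logins from an IP that also generated failed attempts.

    This is the "did they actually get in?" check: a brute-forcing source that
    later shows up in an Accepted line is the first thing to look at.
    """
    return [(user, ip, method) for user, ip, method in accepted if ip in failed]


def report(text):
    """Human-readable summary; also returns the parsed data for further use."""
    failed, accepted = parse_auth_log(text)
    print("Usernames tried (count):")
    for user, n in harvested_usernames(failed):
        print(f"  {user:<12} {n}")
    print("Successful logins from IPs with prior failures:")
    for user, ip, method in suspicious_logins(failed, accepted):
        print(f"  {user} from {ip} via {method}")
    return failed, accepted


if __name__ == "__main__":
    report(SAMPLE_AUTH_LOG)
```

Feed it the real file with `report(open("/var/log/auth.log").read())` (or secure.log on Red Hat derivatives, as noted in the thread). A success from an address that never produced a failure, like the publickey login from 198.51.100.7 in the sample, is not flagged, which is exactly the gap "alert me on a login from elsewhere" is meant to close: compare the accepted list against the addresses you expect, not only against the attackers.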
