Illegal access attempt - FreeBSD 5.4 Release - please advise
Bob Johnson
fbsdlists at gmail.com
Wed Aug 24 20:24:39 GMT 2005
On 8/24/05, ro ro <ricking505 at yahoo.com> wrote:
> Hi All,
>
> I was browsing through my log files and noticed that
> someone (or many people) is trying to gain illegal
> access to my server (see snippet from log files
> below).
>
> The below log file clearly indicates someone trying to
> hack away at my personal server.
>
> I performed the following steps:
>
> nmap -v 210.0.142.153
>
I recommend that you not make a habit of this. It will eventually
result in a complaint to your ISP that you were attacking the system
you scanned.
Use dig to get a clue about who owns the network that is attacking you:
$ dig -x 210.0.142.153
[...]
;; QUESTION SECTION:
;153.142.0.210.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
142.0.210.in-addr.arpa. 10800 IN SOA bbdns1.on-nets.com. dns.on-nets.com. 200109270110800 3600 604800 86400
There is no PTR info, but the attack is coming from a network
controlled by on-nets.com (the SOA). Sending a complaint to them
might be effective. You can use whois to try to figure out where to
mail the complaint, but it is easier to use abuse.net
(http://www.abuse.net) to send a complaint: you email the complaint to
abuse.net, and they forward it to the correct address, so you don't
have to spend a lot of time figuring out where to send it.
[...]
> When I saw the logs for the first time. I took the
> following steps:
> 1) AllowUsers in sshd contained only users that I
> wanted to have access to my ssh
> 2) Created a decent ruleset within ipfw that permitted
> incoming access to only two ports, ssh and http
>
> I took the issue of creating a good firewall quite
> lightly and now I regret that decision... now I have
> learnt... Can someone provide me with guidance on this
> issue and advise me on next steps to take action
> against such losers.
Get used to it. Seriously.
The log you show appears to be an automated attack. You can expect a
steady stream of them, mostly from worms (which I think is the case
here), viruses, and zombie networks. Keep your system updated (use
freebsd-update and portaudit), use appropriate firewall rules, and you
shouldn't have a problem.
[...]
> Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
[...]
This particular attack is using a much smaller set of userIDs than
some. I had one last night that was hitting hundreds of them. I sent
a complaint to the ISP (via abuse.net), and about ten minutes later it
quit. I don't know if it was because of the complaint, or if it just
ran out of names to try, but it was gratifying just the same.
- Bob
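Bob's point is that these "Illegal user" entries are automated sweeps, that the useful response is to keep the box patched and firewalled and to send the source address to the network's abuse contact, and that sweeps differ in how many usernames they cycle through. The script below is an added example, not code from either poster: it reads sshd lines in the syslog format quoted above and summarises them per source address (attempts, distinct usernames, first and last timestamp), so a sweep stands out from a single mistyped login and the address to report is already isolated. The embedded sample log is constructed (the six quoted lines, two lines from a made-up address in the 192.0.2.0/24 documentation range, and one unrelated line that must be ignored); the function names and the threshold of 5 attempts are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Summarises sshd "Illegal user" lines (FreeBSD 5.x syslog format, as in the
# quoted log) per source address so an automated sweep stands out.

# Constructed sample input: the six lines quoted in the thread, two extra
# lines from a made-up address in the documentation range 192.0.2.0/24,
# and one unrelated sshd line that must be ignored.
sample_log() {
    cat <<'EOF'
Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
Aug  9 03:12:44 free sshd[19801]: Illegal user oracle from 192.0.2.77
Aug  9 03:12:50 free sshd[19803]: Illegal user oracle from 192.0.2.77
Aug 11 21:02:01 free sshd[21700]: Accepted publickey for bob from 198.51.100.5 port 50122 ssh2
EOF
}

# summarize_illegal_users [file...]
# Reads syslog lines (stdin if no file is given) and prints, per source IP:
#   <ip> <attempts> <distinct_usernames> <first_time> <last_time>
# sorted by attempt count, highest first.
summarize_illegal_users() {
    awk '
        /sshd\[[0-9]+\]: Illegal user / {
            # Fields: Mon Day HH:MM:SS host sshd[pid]: Illegal user NAME from IP
            # (awk collapses the double space before single-digit days)
            ts = $3; user = $8; ip = $10
            attempts[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; names[ip]++ }
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END {
            for (ip in attempts)
                printf "%s %d %d %s %s\n", ip, attempts[ip], names[ip], first[ip], last[ip]
        }
    ' "$@" | sort -k2,2nr
}

# flag_sweeps MIN_ATTEMPTS
# Filters a summary on stdin down to the addresses with at least
# MIN_ATTEMPTS attempts. The default of 5 is an assumed threshold.
flag_sweeps() {
    awk -v min="${1:-5}" '$2 >= min { print $1 }'
}

# Stand-alone demo: summarise the sample, then list the addresses that
# would go into an abuse report (looked up via whois or abuse.net).
sample_log | summarize_illegal_users
echo "--- sources at or above 5 attempts:"
sample_log | summarize_illegal_users | flag_sweeps 5
```

On a live system, run `summarize_illegal_users /var/log/auth.log` (or whatever file syslog.conf sends auth messages to) instead of piping in the sample. The distinct-username column is what separates the small-dictionary sweep in the quoted log (six attempts, four names) from the hundreds-of-names variety Bob describes.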