Illegal access attempt - FreeBSD 5.4 Release - please advise

Bob Johnson fbsdlists at gmail.com
Wed Aug 24 20:24:39 GMT 2005


On 8/24/05, ro ro <ricking505 at yahoo.com> wrote:
> Hi All,
> 
> I was browsing through my log files and noticed that
> someone (or many people) is trying to gain illegal
> access to my server (see snippet from log files
> below).
> 
> The below log file clearly indicates someone trying to
> hack away at my personal server.
> 
> I performed the following steps: 
> 
> nmap -v  210.0.142.153
> 

I recommend that you not make a habit of this.  It will eventually
result in a complaint to your ISP that you were attacking the system
you scanned.

Use dig to get a clue about who owns the network that is attacking you:

$ dig -x 210.0.142.153 
[...]
;; QUESTION SECTION:
;153.142.0.210.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
142.0.210.in-addr.arpa. 10800   IN      SOA     bbdns1.on-nets.com. dns.on-nets.com. 2001092701 10800 3600 604800 86400

There is no PTR info, but the attack is coming from a network
controlled by on-nets.com (the SOA).  Sending a complaint to them
might be effective.  You can use whois to try to figure out where to
mail the complaint, but it is easier to use abuse.net
(http://www.abuse.net) to send a complaint: you email the complaint to
abuse.net, and they forward it to the correct address, so you don't
have to spend a lot of time figuring out where to send it.

[...]
> When I saw the logs for the first time, I took the
> following steps: 
> 1) AllowUsers in sshd contained only users that I
> wanted to have access to my ssh 
> 2) Created a decent ruleset within ipfw that permitted
> incoming access to only two ports, ssh and http
> 
> I took the issue of creating a good firewall quite
> lightly and now I regret that decision. Now I have
> learnt. Can someone provide me with guidance on this
> issue and advise me on next steps to take action
> against such losers. 

Get used to it.  Seriously.  

The log you show appears to be an automated attack.  You can expect a
steady stream of them, mostly from worms (which I think is the case
here), viruses, and zombie networks.  Keep your system updated (use
freebsd-update and portaudit), use appropriate firewall rules, and you
shouldn't have a problem.


[...]
> Aug 11 20:16:10 free sshd[21585]: Illegal user test
> from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest
> from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin
> from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin
> from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user
> from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test
> from 210.245.197.16
[...]

This particular attack is using a much smaller set of userIDs than
some.  I had one last night that was hitting hundreds of them.  I sent
a complaint to the ISP (via abuse.net), and about ten minutes later it
quit.  I don't know if it was because of the complaint, or if it just
ran out of names to try, but it was gratifying just the same.

- Bob
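As an added example (not part of the thread), the following Python script does what Bob does by eye above: it groups sshd "Illegal user" lines by source address, counts attempts and distinct usernames, flags sources that look like an automated guesser, and prints the in-addr.arpa name that `dig -x` would query for each one. The log lines are constructed in the format quoted in the thread (the 210.0.142.153 line reuses the address Bob looked up), and the thresholds in `looks_automated` are assumptions, not values from the post.

```python
"""Summarise sshd 'Illegal user' lines per source address (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# FreeBSD 5.x sshd/syslog line as written to the log (the thread shows them
# wrapped by a mail client; in the file each record is one line).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: the six lines from the thread, one extra single guess,
# and one successful login that must not be counted.
SAMPLE_LOG = """\
Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
Aug 11 21:02:05 free sshd[21720]: Illegal user oracle from 210.0.142.153
Aug 11 21:02:09 free sshd[21722]: Accepted publickey for bob from 192.0.2.10 port 40122 ssh2
"""

def summarise(log_text, year=2005):
    """Return {ip: {"attempts", "users", "seconds"}} built from Illegal-user lines."""
    hits = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are not counted
        # syslog omits the year; supply one so timestamps can be subtracted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["ip"]].append((ts, m["user"]))
    return {ip: {"attempts": len(h),
                 "users": sorted({u for _, u in h}),
                 "seconds": int((max(t for t, _ in h) - min(t for t, _ in h)).total_seconds())}
            for ip, h in hits.items()}

def looks_automated(rec, min_attempts=5, max_gap=10):
    """Heuristic (assumed thresholds): several guesses at a steady machine pace."""
    if rec["attempts"] < min_attempts:
        return False
    return rec["seconds"] / (rec["attempts"] - 1) <= max_gap

def reverse_name(ip):
    """The in-addr.arpa name behind 'dig -x ip', e.g. 153.142.0.210.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

if __name__ == "__main__":
    for ip, rec in summarise(SAMPLE_LOG).items():
        verdict = "automated" if looks_automated(rec) else "few attempts"
        print(f"{ip}: {rec['attempts']} attempts, {len(rec['users'])} names in {rec['seconds']}s -> {verdict}")
        print(f"  owner lookup: dig -x {ip}   ({reverse_name(ip)})")
```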
