Unix.Hacker at comcast.net
Tue Nov 15 20:38:42 UTC 2011
On 10/24/2011 6:08 PM, William Myers wrote:
> I'm seeing the same thing from the same IP addresses.
> William Myers
> Associate Professor, Computer Studies
> 100 Belmont-Mount Holly Road
> Belmont Abbey College
> Belmont, NC 28012-1802
> (704) 461-6823
> FAX: (704) 461-5051
> myers at crusader.bac.edu
> On Sat, 22 Oct 2011, Admin ValhallaProjectet wrote:
>> Hello all
>> FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22 10:14:48 CEST 2011 hasse at odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN
>> Firewall PF.
>> Blocking China and some other related countries in that region.
>> Disabled ssh root logins.
>> Apparently, I'm under some kind of attack, for the last 3 days.
>> Lots of attempts to ssh in as root from many different IP addresses.
>> No bruteforce attempts.
>> This just puzzles me. Using all these resources? To achieve what?
>> Below is a one hour snip from my auth.log.
>> Nothing unusual in pflog.
>> Appreciate all ideas of how to proceed with this matter.
>> Best regards, Hasse
I wouldn't worry much about this personally; it looks like bots. Have
you patched everything? Have you considered moving SSH and other known
ports to different ports?
Most canned exploits are going to use common methods. Therefore, if you
patch your system and move all running services to a non-standard port,
a lot of things no longer work. It's sort of like changing your system
around in Windows to kill off most viruses, which are coded in a manner
such that simply moving directories around completely disables their
ability to work.
Basically: patch your system, and keep it updated with security and bug
fixes; change the ports used by services to non-standard ones. Don't
ever allow root to log in remotely, and keep your filters running. Once
you change the ports, most exploits and bots cease to function, so you
don't really have to worry much about it.
I know of some people who actually just block all traffic except what
they want allowed, and even then they've got it running on non-standard
ports, and they block all of China, and even though I consider it a
little racist to do that, they say it works well.
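The puzzle in Hasse's report is the pattern: many source IPs, one or two root attempts each, no classic brute force. The following script is an added example, not code from anyone in this thread; it parses sshd lines in auth.log for refused root logins and separates a distributed low-rate campaign from a brute force by looking at the per-IP attempt count. The log lines and IP addresses are constructed samples, and the message formats follow OpenSSH's "ROOT LOGIN REFUSED FROM" and "Failed password for root" lines.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the original thread).
SAMPLE_LOG = """\
Oct 22 10:14:48 odin sshd[2011]: ROOT LOGIN REFUSED FROM 198.51.100.7
Oct 22 10:15:02 odin sshd[2013]: ROOT LOGIN REFUSED FROM 203.0.113.44
Oct 22 10:16:31 odin sshd[2019]: Failed password for root from 192.0.2.9 port 51522 ssh2
Oct 22 10:17:05 odin sshd[2021]: ROOT LOGIN REFUSED FROM 203.0.113.91
Oct 22 10:18:40 odin sshd[2025]: Failed password for invalid user admin from 203.0.113.91 port 40110 ssh2
Oct 22 10:19:12 odin sshd[2030]: ROOT LOGIN REFUSED FROM 198.51.100.201
Oct 22 10:20:55 odin sshd[2034]: Accepted publickey for hasse from 192.0.2.50 port 50234 ssh2
"""

# Match only remote root login attempts; other users and successful logins are ignored.
ROOT_ATTEMPT = re.compile(
    r"sshd\[\d+\]: (?:ROOT LOGIN REFUSED FROM|Failed password for root from) "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def root_attempts_by_ip(log_text):
    """Return a Counter of root login attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ROOT_ATTEMPT.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def classify(counts, brute_force_threshold=5):
    """Label the activity: 'none', 'brute-force' (one IP hammering) or
    'distributed' (many IPs, few attempts each, as in the thread).
    Returns (label, total_attempts, distinct_ips)."""
    total = sum(counts.values())
    if total == 0:
        return ("none", 0, 0)
    if max(counts.values()) >= brute_force_threshold:
        return ("brute-force", total, len(counts))
    return ("distributed", total, len(counts))


if __name__ == "__main__":
    by_ip = root_attempts_by_ip(SAMPLE_LOG)
    label, total, ips = classify(by_ip)
    print(f"{label}: {total} root attempts from {ips} distinct IPs")
    for ip, n in by_ip.most_common():
        print(f"  {ip:16} {n}")
```

Running it over a real auth.log (`root_attempts_by_ip(open("/var/log/auth.log").read())`) gives the per-IP breakdown that makes the "many IPs, one attempt each" shape visible at a glance.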