OT: Security....

David lists at systems-go.com.au
Thu Oct 28 13:35:24 UTC 2004



> -----Original Message-----
> From: fedora-list-bounces at redhat.com 
> [mailto:fedora-list-bounces at redhat.com] On Behalf Of HaJo Schatz
> Sent: Thursday, 28 October 2004 17:37
> To: For users of Fedora Core releases
> Subject: Re: OT: Security....
> 
> 
> 
> On Wed, October 27, 2004 18:54, Jim Higson said:
> >> Good points James...you missed one though... port 22. I see more 
> >> attempts on SSH than any other port....stupid and LAME 
> attempts but 
> >> more on this than any other...
> >
> > Out of curiosity, how much does it really matter so long as 
> you have 
> > strong passwords?
> 
> I do see more brute force attempts @ ssh these days and start 
> wondering how much longer some script kiddie needs to make 
> the algortihm a bit more clever (and eg attack user names on 
> certain hosts which are likely to exist. This could be 
> harvested eg from email addresses...).

If you do some Googling, you will no doubt find the info on this in some
security forums that I found when it first started on Port 22 a few months
ago.  A couple of people seet up "honey pots" and waited and watched... the
result was that after one of the scripted attacks detects a well known
account / password combination, the attack changes fromn being scripted to
manual and a "root kit" is installed.  The attackers were not good at
covering their tracks in terms of command history, so that is what gave it
away as a manual as opposed to a scripted attack.  Here's a list of hack
source addresses that I've recorded over a period of two months:-

SSH Hack source addresses
	147.46.60.75
	220.70.167.67 
	141.45.183.18
	150.7.57.239
	155.207.19.247
	219.238.179.101
	220.69.12.96
	211.91.23.171
	67.42.142.160
	210.223.178.180
	216.93.183.244
	61.185.226.211
	222.99.91.173
	218.21.129.105
	66.55.167.210
	219.238.239.178
	193.0.122.75
	210.82.97.74
	211.174.185.89
	218.30.21.223
	200.153.74.133
	211.91.135.60
	212.182.102.66
	216.38.218.83
	163.26.22.18
	202.64.28.81
	203.251.202.83
	194.78.243.110
	220.64.160.18
	66.111.192.25
	200.231.30.83
	67.43.3.69
	147.142.232.200
	211.91.98.115
	61.166.6.60
	203.115.96.151
	211.98.106.33
	130.34.218.125
	210.107.239.79
	219.145.217.78
	130.34.218.125
	207.218.206.95
	165.229.192.210
	218.158.126.247
	211.114.239.129
	66.162.179.32
	163.19.1.111
	203.146.102.54
	61.234.47.16
	82.165.240.101
	210.22.128.135
	203.249.35.252
	210.103.69.193
	61.144.253.218
	211.114.246.8
	213.164.155.75
	218.234.208.2
	61.100.180.125
	212.92.88.253
	219.140.29.242
	202.155.108.211
	211.229.177.114
	144.230.99.53 
	222.45.45.132
	218.75.54.67

I checked one the other day and the IP was owned by a Korean University.

Regards,
David.
---------


> 
> I have hacked a script which tails /var/log/secure and reacts 
> on attempts to log in as root with password. Such offending 
> IPs are then denied port 22 access. Any comments, positive or 
> negative, on this?
> 
> 
> -- 
> HaJo Schatz <hajo at hajo.net>
> http://www.HaJo.Net
> 
> PGP-Key:  http://www.hajo.net/hajonet/keys/pgpkey_hajo.txt
> 
> 
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> 




More information about the users mailing list