Breakin attempts

jdow jdow at earthlink.net
Wed Apr 21 05:08:05 UTC 2010


From: "Steve Blackwell" <zephod at cfl.rr.com>
Sent: Tuesday, 2010/April/20 21:33


> I was looking at my logwatch mail and saw:
> 
> Failed logins from:
>    62.39.117.140 (140.117.39-62.rev.gaoland.net): 139 times
>    220.128.67.41: 9 times
> 
> Illegal users from:
>    62.39.117.140 (140.117.39-62.rev.gaoland.net): 229 times
>    220.128.67.41: 2 times
> 
> 
> Received disconnect:
>    11: Bye Bye : 379 Time(s)
> 
> so it appears that someone was trying to break into my machine.
> 
> I googled rev.gaoland.net (http://whois.domaintools.com/gaoland.net)
> and it appears to be some kind of French ISP.
> Is there some place to report this?

Yes. You found it already. Look in the whois report.

It's useless though. All really good (and different) passwords for all
users, a clever trick with iptables to limit connections to one every
few minutes, or using an alternate port for "security through obscurity"
(not safe if the alternate port is discovered in a port scan), or a
private key login is what you need to make these attacks simple log
filler rather than an effective attack. Of course, combining methods
can work nicely. (I just have a perverse pleasure from both baiting the
barstads and tracking the nastiness on the net.)

This is the iptables trick. IPTABLES is filled with the path to
"iptables". Mind the wrap.

...
# Setup the reject trap
# 1. Every new SSH connection (SYN to port 22) records the source address and
#    a timestamp in the "sshattack" recent list.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# 2. If this source already has 2 or more hits within the last 180 seconds
#    (the one just recorded counts), log the attempt ...
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
  --log-level info
# 3. ... and reject it with a TCP reset instead of letting sshd see it.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
...

As it happens this allows ONE attempt every three minutes. I duplicate it
for any open ports like pop3s and imaps. (I could use -m multiport for it,
too, I suppose. I put different log prefixes on each just to keep track of
what is being attacked.) I figure at one attempt in every three plus
minutes the universe could grow cold before the password is discovered,
even with a distributed attempt that is not VERY well coordinated even for
a password as crude as ABCDHEFG.

{^_^}
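As an added illustration (not the poster's script, and not something from the iptables project), the following Python model replays constructed SYN traffic through the three `-m recent` rules quoted above, so the "one attempt every three minutes" claim and the "distributed attempt" remark can be checked numerically. The modelled semantics are assumptions about the xt_recent module: `--set` appends the current timestamp to the source's entry, and `--rcheck --seconds N --hitcount M` matches when at least M recorded timestamps for that source, the one just recorded included, are no older than N seconds. The host addresses, timings and the 20-entry list size are constructed or assumed values.

```python
# Added example: a model of the "sshattack" recent-list trap from the post.
# Assumed xt_recent semantics:
#   --set                          appends the current timestamp for the source
#   --rcheck --seconds N --hitcount M
#                                  matches when >= M timestamps for the source
#                                  (the one just recorded included) are <= N s old
# Addresses, times and LIST_SIZE below are constructed/assumed values.
from collections import defaultdict, deque

WINDOW_SECONDS = 180   # --seconds 180 in the post
HITCOUNT = 2           # --hitcount 2 in the post
LIST_SIZE = 20         # xt_recent default ip_pkt_list_tot (assumption; module parameter)


class RecentTrap:
    """Models the INPUT chain fragment: --set, then LOG, then REJECT."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, list_size=LIST_SIZE):
        self.seconds = seconds
        self.hitcount = hitcount
        # One bounded timestamp list per source, like /proc/net/xt_recent/sshattack
        self.table = defaultdict(lambda: deque(maxlen=list_size))
        self.log = []  # lines the LOG rule would emit (constructed format)

    def syn(self, src, t):
        """Handle one inbound SYN to port 22 from `src` at time `t` (seconds).

        Returns "ACCEPT" when the packet falls through the trap to later rules,
        or "REJECT" when the tcp-reset rule fires.
        """
        hits = self.table[src]
        hits.append(t)                      # rule 1: --set
        recent = sum(1 for h in hits if t - h <= self.seconds)
        if recent >= self.hitcount:         # rules 2 and 3: --rcheck matched
            self.log.append(f"SSH REJECT: SRC={src} t={t:.0f}")
            return "REJECT"
        return "ACCEPT"


def accepted_attempts(interval, duration, sources=("192.0.2.10",)):
    """Count SYNs that get through when every host in `sources` sends one
    SYN every `interval` seconds for `duration` seconds (constructed traffic)."""
    trap = RecentTrap()
    ok = 0
    t = 0.0
    while t < duration:
        for src in sources:
            if trap.syn(src, t) == "ACCEPT":
                ok += 1
        t += interval
    return ok


def run_timeline(events):
    """Replay a constructed list of (t, src) SYNs through one shared trap."""
    trap = RecentTrap()
    return [(t, src, trap.syn(src, t)) for t, src in sorted(events)]


if __name__ == "__main__":
    hour = 3600
    print("one host hammering at 1 SYN/s:", accepted_attempts(1, hour))
    print("one host, 1 SYN every 181 s:", accepted_attempts(181, hour))
    botnet = tuple(f"198.51.100.{i}" for i in range(10))
    print("10 hosts, 1 SYN/s each:", accepted_attempts(1, hour, botnet))
    # The list is keyed by source address, so an admin logging in while a
    # brute-forcer hammers the port is unaffected.
    for t, src, verdict in run_timeline([(0, "198.51.100.7"), (1, "198.51.100.7"),
                                         (5, "203.0.113.5"), (900, "203.0.113.5")]):
        print(f"t={t:4d} {src:15s} {verdict}")
```

Two things the model makes visible: a source that keeps hammering never gets a second connection, because each of its own SYNs keeps refreshing the list and the window never empties; and because the list is per source, a distributed attempt still gets at most one try per host per window, so the limit scales with the number of attacking hosts rather than disappearing. The boundary at exactly 180 seconds depends on kernel jiffies granularity, so the examples above keep a margin above the window.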


More information about the users mailing list