
Re: SSH attack



On 10/04/2005 11:00 PM, David E. Fox wrote:
> I've logged thousands of attempts from chinanet
> and kornet within the last few days. I've reported (as if that would do
> any good) with "Free Tibet" and of course copies of the log - 500K in
> one instance(!) but am more interested in just blocking their
> entire /24 if need be.
> 
> The question is - how?
> 
> IP 210.95.212.131 (using whois) belongs to pubnet.ne.kr. I'd send a
> heads up email to abuse@pubnet.ne.kr and CC it to ip@pubnet.ne.kr.
> 
>> Please get back to me fast.  I took the compilers off of the system,
> 
> If you only see "Failed attempt" then you're probably safe - there are
> probably script kiddies running password sniffers or crackers. Note the
> port(s) tried - in my case they are non-standard ones - and block them
> with your firewall. Check and/or install chkrootkit.
> 
> I certainly hope you're not infected, and if so, you'll need to
> reinstall.


The list archives have many threads on this subject.  Also, an excellent
resource is:

"Automatically Blocking SSH Attacks From Script Kiddies?"
http://www.debian-administration.org/articles/250

I'm using the new package fail2ban.  It works perfectly on my sarge box.

~$ apt-cache show fail2ban
Package: fail2ban
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 232
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Architecture: all
Version: 0.5.3-1
Depends: python, iptables
Conffiles:
 /etc/fail2ban.conf 4f4ac6ce1c7382320913d89eb724b7ef
 /etc/logrotate.d/fail2ban 71601dd15bc51350735d4b880ed3c730
 /etc/default/fail2ban ff4b5596a6665fc0cb77e46ffa150b4c
 /etc/init.d/fail2ban 1e8598dce966cc856372c04ebbfbb97c
Description: bans IPs that cause multiple authentication errors
 Monitors (in daemon mode) or just scans log files (e.g. /var/log/auth.log,
 /var/log/apache/access.log) and temporarily bans failure-prone
 addresses by updating existing firewall rules.  Currently, by default,
 supports ssh/apache but configuration can be easily extended for scanning
 the other ASCII log files. Firewall rules are given in the config file,
 thus it can be adopted to be used with a variety of firewalls (e.g.
 iptables, ipfwadm).
 .
 Homepage: http://www.sourceforge.net/projects/fail2ban

Regards,
Ralph
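The package description above sketches the mechanism: tally authentication failures per source address out of the log and push a firewall rule once a threshold is crossed. What follows is an added example (not fail2ban's own code, and not from Ralph's or David's posts) that runs that logic over a few constructed auth.log lines and, for David's question about blocking an entire /24, collapses offenders that share one /24 into a single rule. The sample log lines, the hostname "sarge", the second address 210.95.212.77, the thresholds (5 failures within 10 minutes) and the year 2005 are all assumptions made for this example; only 210.95.212.131 comes from the thread.

```python
#!/usr/bin/env python3
"""A minimal fail2ban-style scanner: count sshd password failures per source
address over a sliding time window and emit the iptables rules that would ban
the offenders.  Added illustration only; this is not fail2ban's code."""
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines for this example (not from the post).
# 210.95.212.131 is the address named in the thread; 210.95.212.77 and the
# hostname "sarge" are made up to show two attackers inside one /24.
SAMPLE_AUTH_LOG = """\
Oct  5 01:02:10 sarge sshd[4321]: Failed password for illegal user admin from 210.95.212.131 port 43111 ssh2
Oct  5 01:02:13 sarge sshd[4323]: Failed password for illegal user test from 210.95.212.131 port 43112 ssh2
Oct  5 01:02:17 sarge sshd[4325]: Failed password for root from 210.95.212.131 port 43113 ssh2
Oct  5 01:02:19 sarge sshd[4327]: Failed password for root from 210.95.212.131 port 43114 ssh2
Oct  5 01:02:22 sarge sshd[4329]: Failed password for root from 210.95.212.131 port 43115 ssh2
Oct  5 01:05:00 sarge sshd[4340]: Failed password for ralph from 192.168.1.20 port 50001 ssh2
Oct  5 01:05:30 sarge sshd[4342]: Accepted password for ralph from 192.168.1.20 port 50001 ssh2
Oct  5 02:30:00 sarge sshd[4400]: Failed password for illegal user guest from 210.95.212.77 port 2201 ssh2
Oct  5 02:30:05 sarge sshd[4402]: Failed password for illegal user guest from 210.95.212.77 port 2202 ssh2
Oct  5 02:30:09 sarge sshd[4404]: Failed password for illegal user guest from 210.95.212.77 port 2203 ssh2
Oct  5 02:30:12 sarge sshd[4406]: Failed password for root from 210.95.212.77 port 2204 ssh2
Oct  5 02:30:15 sarge sshd[4408]: Failed password for root from 210.95.212.77 port 2205 ssh2
Oct  5 02:30:18 sarge sshd[4410]: Failed password for root from 210.95.212.77 port 2206 ssh2
"""

# sshd on sarge logs "illegal user"; newer OpenSSH says "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2005):
    """Return [(timestamp, source_ip)] for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (2005 here,
    an assumption matching the thread's date).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins, other daemons, etc.
        stamp = " ".join(m.group("ts").split())  # collapse "Oct  5" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def find_offenders(events, maxfailures=5, findtime=timedelta(minutes=10)):
    """Return the set of addresses with >= maxfailures failures inside any
    window of length findtime.  Both thresholds are this example's choice."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop failures that have aged out
            q.popleft()
        if len(q) >= maxfailures:
            banned.add(ip)
    return banned


def aggregate_to_cidr(banned, prefixlen=24, min_hosts=2):
    """Collapse banned hosts into their /24 when at least min_hosts of them
    share it (the "block their entire /24" case); otherwise keep the host."""
    by_net = defaultdict(set)
    for ip in banned:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        by_net[net].add(ip)
    targets = []
    for net, hosts in by_net.items():
        if len(hosts) >= min_hosts:
            targets.append(str(net))
        else:
            targets.extend(hosts)
    return sorted(targets)


def iptables_rules(targets, chain="INPUT", ban=True):
    """iptables commands that insert (ban) or delete (unban) a DROP rule per
    target.  fail2ban bans temporarily: run the ban=False form after bantime."""
    op = "-I" if ban else "-D"
    return [f"iptables {op} {chain} -s {t} -j DROP" for t in targets]


if __name__ == "__main__":
    offenders = find_offenders(parse_failures(SAMPLE_AUTH_LOG))
    for cmd in iptables_rules(aggregate_to_cidr(offenders)):
        print(cmd)  # printed, not executed: review before running as root
```

The commands are printed rather than executed so the output can be checked first; on the sample input the two offending hosts fall into 210.95.212.0/24 and produce a single DROP rule for the whole /24, while the one failure from 192.168.1.20 stays below the threshold and is left alone.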
