Re: Find out host of IP
On Sunday 10 June 2007 09:29, David Baron wrote:
> >Someone is trying to ssh on to my system. Trying on several ports. Not the
> >first time, either. Thankfully, he does not have a password. Besides a
> > bunch of Deprecated option ReverseMappingCheck, so far no harm done.
> >
> >Since my logs have this IP number, how do I find out who it is?
Why do you have sshd binding to several ports?
Suppose attacker's IP address is 1.2.3.4. Then "host 1.2.3.4" and
"whois 1.2.3.4" will give you some information.
Unless the neighbor kid is really stupid, the attacker is probably
operating from a foreign country via a chain of several hacked PCs.
You will most likely never know who it is. The attacker is probably
simultaneously attacking thousands of systems.
> SSH is not exposed from local to internet!
> It is to a "VMZ" which is a virtual machine that may have been running at
> the time. But who is this IP (virtual machines are like 10.0.2.15 or such)
> ??
If the attacker address is 10.0.2.15 then it is either an attacker on your
LAN or it is an attacker receiving assistance (SNAT) from your firewall.
If the attacked address is 10.0.2.15 then SSH is probably being
port-forwarded (DNAT) by your firewall.
In /etc/ssh/sshd_config you can cause ssh to bind only to 127.0.0.1, and/or
enable many other kinds of protection. RTF "man 5 sshd_config" for details.
--Mike Bird
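
An added example, not part of the original message: it groups failed sshd logins by source address and separates RFC 1918 sources such as 10.0.2.15 (where whois identifies nobody and the LAN or firewall NAT is the place to look) from public ones such as 1.2.3.4 (where host and whois apply). The log lines, the host name "box" and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (not from the original post).
# The "port N" field is the client's source port, not the port sshd listens on.
SAMPLE_LOG = """\
Jun 10 09:12:01 box sshd[2101]: Failed password for root from 1.2.3.4 port 51234 ssh2
Jun 10 09:12:04 box sshd[2103]: Failed password for invalid user admin from 1.2.3.4 port 51240 ssh2
Jun 10 09:12:09 box sshd[2107]: Failed password for root from 10.0.2.15 port 40022 ssh2
Jun 10 09:13:30 box sshd[2110]: Accepted password for david from 192.168.1.20 port 50211 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip_text):
    """Return 'loopback', 'private' (RFC 1918), 'public' or 'unknown'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # sshd logged a host name instead of an address
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    return "private" if any(ip in net for net in RFC1918) else "public"

def summarize(log_text):
    """Group failed sshd logins by source address and say where to look next."""
    found = defaultdict(lambda: {"attempts": 0, "users": set(), "client_ports": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            entry = found[m["ip"]]
            entry["attempts"] += 1
            entry["users"].add(m["user"])
            entry["client_ports"].add(int(m["port"]))
    report = {}
    for ip, e in found.items():
        scope = classify(ip)
        # host/whois only say something useful about publicly routed addresses.
        hint = (f"host {ip}; whois {ip}" if scope == "public"
                else "not a public address: check LAN hosts and firewall NAT rules")
        report[ip] = {"attempts": e["attempts"], "users": sorted(e["users"]),
                      "client_ports": sorted(e["client_ports"]),
                      "scope": scope, "hint": hint}
    return report
```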