Security help

# 1  
Old 03-05-2005
Security help

I was reviewing my logs today and I found someone is trying to hack into my Linux box. They are trying to ssh into my box, which I have enabled, but they did not guess the password. Is there any way to block or drop this kind of stuff? Is this the new way to hack now?

Mar 4 19:44:18 nyuas01 sshd(pam_unix)[22506]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.52.83.42 user=root
Mar 4 19:44:23 nyuas01 sshd(pam_unix)[22508]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.52.83.42 user=root
Mar 4 19:44:28 nyuas01 sshd(pam_unix)[22510]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.52.83.42 user=root
Mar 4 19:44:33 nyuas01 sshd(pam_unix)[22512]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.52.83.42 user=root
Mar 4 19:44:37 nyuas01 sshd(pam_unix)[22514]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.52.83.42 user=root
Mar 4 19:44:41 nyuas01 sshd(pam_unix)[22516]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.52.83.42 user=root
Mar 4 19:44:46 nyuas01 sshd(pam_unix)[22518]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.52.83.42 user=root
Mar 4 19:44:50 nyuas01 sshd(pam_unix)[22520]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.52.83.42 user=root
Mar 5 06:44:40 nyuas01 sshd(pam_unix)[23084]: check pass; user unknown
Mar 5 06:44:40 nyuas01 sshd(pam_unix)[23084]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.167.68.198
Mar 5 10:16:59 nyuas01 sshd(pam_unix)[23136]: check pass; user unknown
Mar 5 10:16:59 nyuas01 sshd(pam_unix)[23136]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.27.160.9

Many thanks,
Yipster
yipster
# 2  
Old 03-05-2005
This is certainly nothing new, it's about the oldest attack in the book. A very good password is one important thing here. Need some help picking a good password? See: swordfish a password generator

You also could shut off the ssh service to the internet. I assume that you have a good reason for accepting ssh connections from the internet, so this may not be an option. Blocking that IP address is a thought, but a determined cracker will move to another IP address.

You could try contacting the owner of the IP address. But I see it seems to originate at some school in Korea...
Code:
query: 211.52.83.42

# ENGLISH

KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The followings are information of the organization that is using the IPv4 address.

IPv4 Address       : 211.52.83.0-211.52.83.255
Network Name       : BEAHWA-WOMAN-ACADEMY
Connect ISP Name   : ELIMNET
Connect Date       : 20020418
Registration Date  : 20031103

[ Organization Information ]
Organization ID    : ORG281566
Org Name           : BEAHWA-WOMAN-ACADEMY 
State              : KYONGGI
Address            : 12 pilwun-dong jongro-gu
Zip Code           : 110-044

[ Admin Contact Information]
Name               : Sukjin Jang
Org Name           : BEAHWA-WOMAN-ACADEMY
State              : KYONGGI
Address            : 12 pilwun-dong jongro-gu
Zip Code           : 110-044
Phone              : +82-2-399-0799
E-Mail             : domain@elim.net

[ Technical Contact Information ]
Name               : Sukjin Jang
Org Name           : BEAHWA-WOMAN-ACADEMY
State              : KYONGGI
Address            : 12 pilwun-dong jongro-gu
Zip Code           : 110-044
Phone              : +82-2-399-799
E-Mail             : domain@elim.net

So I don't know what to tell you. It's just life on the internet...

Last edited by Perderabo; 03-05-2005 at 10:32 PM..
# 3  
Old 03-06-2005
I also detected that some random hosts in Japan, Korea and China were trying to brute-force SSH into my box. What I did was to set up some firewall rules with iptables to block all hosts from SSHing into my box except a few (from the internal network, my machine at work, etc.).

An example:

Code:
# Unconditionally accept everything via loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# This chain logs and drops the offending packets
iptables -N log-n-drop
iptables -A log-n-drop -j LOG --log-prefix "<DROPPED PACKET> "
iptables -A log-n-drop -j DROP

# This chain filters incoming SSH packets
PRIVNET="192.168.0.0/16"
iptables -N ssh-input
# Allow host "aaa.bbb.ccc.ddd" in
iptables -A ssh-input --source aaa.bbb.ccc.ddd -j ACCEPT
iptables -A ssh-input --source $PRIVNET -j ACCEPT
iptables -A ssh-input -j log-n-drop

iptables -A INPUT -p tcp --destination-port 22 -j ssh-input
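
A defender's check over logs like those in the first post, added here as an example that is not from this thread: it parses the sshd(pam_unix) "authentication failure" lines and flags any source that reaches several failures inside a short window, which is the point at which one would add a source to a drop rule like the ones above. The sample lines are constructed with documentation-range addresses; the year (syslog omits it) and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd(pam_unix) failure lines as in the first post; "user=" is absent for unknown users.
FAILURE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?"
    r"rhost=(?P<rhost>\S+)(?: user=(?P<user>\S+))?"
)

# Constructed sample (format of the first post; RFC 5737 addresses, not real hosts).
SAMPLE_LOG = """\
Mar 4 19:44:18 nyuas01 sshd(pam_unix)[22506]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
Mar 4 19:44:23 nyuas01 sshd(pam_unix)[22508]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
Mar 4 19:44:28 nyuas01 sshd(pam_unix)[22510]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
Mar 5 06:44:40 nyuas01 sshd(pam_unix)[23084]: check pass; user unknown
Mar 5 06:44:40 nyuas01 sshd(pam_unix)[23084]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7
Mar 5 10:16:59 nyuas01 sshd(pam_unix)[23136]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7
"""

def parse_failures(text, year=2005):
    """(timestamp, rhost, user) per failure; syslog has no year, 2005 assumed."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:  # "check pass; user unknown" and other noise is skipped
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                                   "%b %d %H:%M:%S %Y")
            events.append((ts, m["rhost"], m["user"] or "<unknown>"))
    return events

def bursting_hosts(events, threshold=3, window=timedelta(minutes=1)):
    """rhost -> peak count for sources reaching `threshold` failures in one
    sliding window; the same idea fail2ban-style tools use before banning."""
    by_host = defaultdict(list)
    for ts, rhost, _ in events:
        by_host[rhost].append(ts)
    flagged = {}
    for rhost, stamps in by_host.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[rhost] = peak
    return flagged
```

Two probes hours apart from one source stay under the threshold, while a burst of guesses against root within seconds is flagged; the flagged address is what you would feed into a drop rule.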
