Visit Our UNIX and Linux User Community


Bruteforce attack on my pc


 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers Bruteforce attack on my pc
# 1  
Old 10-15-2007
Bruteforce attack on my pc & IPFW

since putting my pc online, it keeps getting slower and i dig the logfile to have such a surprise:

Quote:
Oct 14 22:13:52 server sshd[68513]: Illegal user video from 200.41.81.228
Oct 14 22:13:52 server sshd[68513]: Failed password for illegal user video from 200.41.81.228 port 54273 ssh2
Oct 14 22:13:53 server sshd[68515]: Failed password for cpanel from 200.41.81.228 port 54337 ssh2
Oct 14 22:13:54 server sshd[68517]: Failed password for cpanel from 200.41.81.228 port 54409 ssh2
Oct 14 22:13:56 server sshd[68519]: Failed password for cpanel from 200.41.81.228 port 54475 ssh2
Oct 14 22:13:57 server sshd[68521]: Illegal user gnax from 200.41.81.228
Oct 14 22:13:57 server sshd[68521]: Failed password for illegal user gnax from 200.41.81.228 port 54545 ssh2
Oct 14 22:13:58 server sshd[68523]: Illegal user gnax from 200.41.81.228
Oct 14 22:13:58 server sshd[68523]: Failed password for illegal user gnax from 200.41.81.228 port 54610 ssh2
Oct 14 22:13:59 server sshd[68525]: Failed password for bind from 200.41.81.228 port 54673 ssh2
Oct 14 22:14:00 server sshd[68527]: Failed password for bind from 200.41.81.228 port 54742 ssh2
Oct 14 22:14:02 server sshd[68529]: Failed password for bind from 200.41.81.228 port 54819 ssh2
Oct 14 22:14:03 server sshd[68531]: Failed password for bind from 200.41.81.228 port 54883 ssh2
Oct 14 22:14:04 server sshd[68533]: Failed password for bind from 200.41.81.228 port 54949 ssh2
Oct 14 22:14:05 server sshd[68535]: Failed password for bind from 200.41.81.228 port 55013 ssh2
Oct 14 22:14:07 server sshd[68537]: Failed password for root from 200.41.81.228 port 55075 ssh2
this is just one of a many and I beleived it's a bruteforce attack
how do i block this IP 200.41.81.228 from trying to knock my online pc?

my system:
FreeBSD testing.net 6.2-STABLE-JE FreeBSD 6.2-STABLE-JE #0: Sat Apr 21 01:07:18 UTC 2007 root@server:/usr/obj/usr/src/sys/GENERIC i386

thank you

Last edited by rdns; 10-15-2007 at 03:39 PM..
# 2  
Old 10-15-2007
Probably the simplest way is not to block individual IPs but to switch SSH to a higher and obscure port number, switch to an exclusive public key authentication model, and only allow explicit blocks of IP to access if possible. Blocking IPs are usually futile because these IPs most often do not represent the real cracker's IP. They just crack into many vulnerable systems and use those as shields to break in others' systems for one-time only and so the list is essentially infinite, and you will see new IPs emerge every day. They have many of these victim hosts at their disposal so if you block one they simply switch to another.
# 3  
Old 10-15-2007
thanks! cbkihong,

i'm willing to change the sshd port
meanwhile i'm learning on IPFW and managed to get IPFW up

but while configuring the rules, I stucked at here:
Quote:
############### start of example ipfw rules script #############
#
ipfw -q -f flush # Delete all rules
# Set defaults
oif="tun0" # out interface
odns="192.0.2.11" # ISP's DNS server IP address
cmd="ipfw -q add " # build rule prefix
ks="keep-state" # just too lazy to key this each time
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
$cmd 00501 deny tcp from any to any established
$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks
$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks
$cmd 00611 allow udp from any to $odns 53 out via $oif $ks
################### End of example ipfw rules script ############
this is /etc/ipfw.rules script sourced at IPFW

just a simple question:
do i need to change
Quote:
oif="tun0" # out interface
odns="192.0.2.11" # ISP's DNS server IP address
1. tun0 to my ethernet id
2. odns to my ISP DNS server?

let say from ifconfig, my ethernet is "bge0"
and my DNS IP is 202.188.1.1 and 202.188.2.2

thanks for advice
# 4  
Old 10-15-2007
denyhosts might also be a useful tool.
# 5  
Old 10-16-2007
fail2ban

Quote:
Originally Posted by rdns
since putting my pc online, it keeps getting slower and i dig the logfile to have such a surprise
You really should look into a neat program called "fail2ban". I have it running on a Debian-server and it's great.
You can configure how many retries someone has after a password-failure and how long they are banned (two hours in my case). It continually scans your /var/log/auth.log and acts. Check out Main Page - Fail2ban for more info.

Quote:
2007-10-14 15:28:26,088 fail2ban.actions: WARNING [ssh] Ban 61.146.178.13
2007-10-14 17:28:26,809 fail2ban.actions: WARNING [ssh] Unban 61.146.178.13
2007-10-15 19:27:09,866 fail2ban.actions: WARNING [ssh] Ban 218.234.170.147
2007-10-15 21:27:10,316 fail2ban.actions: WARNING [ssh] Unban 218.234.170.147
# 6  
Old 10-16-2007
Cool, but...

I've looked at fail2ban a couple of times.

The one problem I can possibly see is if someone spoofed the address of a computer that you usually use to access the server.

Is it theoretically possible to create a DoS situation then? If not, let me know.

Say they keep failing using your address. Are they not effectively banning you from accessing your server.

Maybe not, just trying to verify one way or the other.
# 7  
Old 10-16-2007
Quote:
Originally Posted by JimJ
The one problem I can possibly see is if someone spoofed the address of a computer that you usually use to access the server.

Is it theoretically possible to create a DoS situation then? If not, let me know.
In the config-file, there is an "ignoreip" where you can exclude certain IP-addresses from being banned, you could put the admin-computer in there, I guess.
 

Previous Thread | Next Thread
Test Your Knowledge in Computers #723
Difficulty: Medium
Niklaus Emil Wirth, an Austrian computer scientist, designed several programming languages, including Pascal,
True or False?

7 More Discussions You Might Find Interesting

1. Emergency UNIX and Linux Support

DDOS attack please help!

Dear community, my site was recently attacjed by DDOS technique and goes down in a few minutes. My site runs under Debian/Apache2/Mysql. I identified the IPs who attack me and block it through iptable firewall from debian. Something like: iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP This... (7 Replies)
Discussion started by: Lord Spectre
7 Replies

2. UNIX for Dummies Questions & Answers

I need a database and a plan of attack!

Hi everyone, I've got an extensive collection of seismic files that I am trying to turn into workable subsurface data collection. It's all real-time history and it is being loaded onto the main linux computer from a collection of about 1000 CDs. There are about 4000 seismic files on each CD, and... (3 Replies)
Discussion started by: ws6transam
3 Replies

3. Cybersecurity

UUCP attack?

Is this an attack attempt? I got an e-mail from 'uucp Admin' last night and again this morning: What does it mean and what can I do about it? Thanks (4 Replies)
Discussion started by: ctafret
4 Replies

4. Cybersecurity

Network attack - so what?

In my logs I find entries about attacks on my system. I know IP addresses, I know date and time and I know what they tried to do. So what's the best I can do now? Tell everybody that there are cybercriminals on that network? Write an email to their admin? Anything else? (10 Replies)
Discussion started by: Action
10 Replies

5. Cybersecurity

Found attack from

Hi, I have a belkin router installed and a look at the security log has got me worried a little bit. Security log: Fri Jan 29 20:41:46 2010 =>Found attack from 68.147.232.199. Source port is 58591 and destination port is 12426 which use the TCP protocol. Fri Jan 29 20:41:46 2010 ... (1 Reply)
Discussion started by: jld
1 Replies

6. Cybersecurity

What I think is a DoS attack

About 3 days ago our Apache logs started filling with the following errors: mod_ssl: SSL handshake failed (server <weberver>:443, client 41.235.234.172) (OpenSSL library error follows) OpenSSL: error:1408A0B7:SSL routines:SSL3_GET_CLIENT_HELLO:no ciphers specified These initially were... (1 Reply)
Discussion started by: ccj4467
1 Replies

7. Cybersecurity

Replay Attack

REPLAY ATTACK. Can some one elobrate on measures to encounter this problem of replay atack on network. (3 Replies)
Discussion started by: Ashvin Gaur
3 Replies

Featured Tech Videos