[SATLUG] security, brute force ssh, and others

Charles Hogan cd_satl at futuretechsolutions.com
Tue Apr 29 03:33:32 CDT 2008


APNIC Blocks:
43.0.0.0/8
58.0.0.0/8
59.0.0.0/8
60.0.0.0/8
61.0.0.0/8
116.0.0.0/8
117.0.0.0/8
118.0.0.0/8
119.0.0.0/8
120.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
126.0.0.0/8
202.0.0.0/8
203.0.0.0/8
210.0.0.0/8
211.0.0.0/8
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8

AfriNIC Blocks:
41.0.0.0/8
196.0.0.0/8

Sample iptables rules to drop all incoming:
/sbin/iptables -A INPUT -p udp -s 43.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -p tcp -s 43.0.0.0/8 -j DROP

Address Space Info:
http://www.iana.org/numbers/

Don't get caught by the wrong folks when you are out there having fun :)

Charlie

Chris Lemire wrote:
> I want to secure my system even more than it is now.
> 
> Here's a sample of my /var/log/secure.
> 
> Apr 29 01:56:29 localhost unix_chkpwd[18920]: password check failed for user (root)
> Apr 29 01:56:29 localhost sshd[18918]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.7.231.74  user=root
> Apr 29 01:56:31 localhost sshd[18918]: Failed password for root from 61.7.231.74 port 54430 ssh2
> Apr 29 06:56:31 localhost sshd[18919]: Received disconnect from 61.7.231.74: 11: Bye Bye
> Apr 29 01:56:33 localhost unix_chkpwd[18924]: password check failed for user (root)
> Apr 29 01:56:33 localhost sshd[18921]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.7.231.74  user=root
> Apr 29 01:56:35 localhost sshd[18921]: Failed password for root from 61.7.231.74 port 54843 ssh2
> Apr 29 06:56:36 localhost sshd[18922]: Received disconnect from 61.7.231.74: 11: Bye Bye
> Apr 29 01:56:38 localhost unix_chkpwd[18928]: password check failed for user (root)
> Apr 29 01:56:38 localhost sshd[18925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.7.231.74  user=root
> Apr 29 01:56:39 localhost sshd[18925]: Failed password for root from 61.7.231.74 port 55316 ssh2
> Apr 29 06:56:40 localhost sshd[18926]: Received disconnect from 61.7.231.74: 11: Bye Bye
> Apr 29 01:56:43 localhost unix_chkpwd[18933]: password check failed for user (root)
> Apr 29 01:56:43 localhost sshd[18929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.7.231.74  user=root
> Apr 29 01:56:44 localhost sshd[18929]: Failed password for root from 61.7.231.74 port 55760 ssh2
> Apr 29 06:56:44 localhost sshd[18930]: Received disconnect from 61.7.231.74: 11: Bye Bye
> Apr 29 01:56:47 localhost unix_chkpwd[18943]: password check failed for user (root)
> Apr 29 01:56:47 localhost sshd[18934]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.7.231.74  user=root
> Apr 29 01:56:49 localhost sshd[18934]: Failed password for root from 61.7.231.74 port 56199 ssh2
> Apr 29 06:56:49 localhost sshd[18935]: Received disconnect from 61.7.231.74: 11: Bye Bye
> Apr 29 01:56:51 localhost sshd[2771]: Received signal 15; terminating.
> Apr 29 01:56:52 localhost sshd[18945]: Invalid user admin from 61.7.231.74
> Apr 29 06:56:52 localhost sshd[18946]: input_userauth_request: invalid user admin
> Apr 29 01:56:52 localhost sshd[18945]: pam_unix(sshd:auth): check pass; user unknown
> Apr 29 01:56:52 localhost sshd[18945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.7.231.74 
> Apr 29 01:56:52 localhost sshd[18945]: pam_succeed_if(sshd:auth): error retrieving information about user admin
> Apr 29 01:56:53 localhost sshd[18945]: Failed password for invalid user admin from 61.7.231.74 port 56641 ssh2
> Apr 29 06:56:54 localhost sshd[18946]: Received disconnect from 61.7.231.74: 11: Bye Bye
> 
> That IP was traced back to Thailand. I was a hacker running Backtrack 3 beta, I F*** him up with Metasploit and others, at least a DoS such as hping3, milw0rm, etc. /me fires up Backtrack 3 beta in VMware Server. Check this out.
> 
> [root at localhost ~]# grep "Failed password" /var/log/secure* | wc -l
> 10955
> [root at localhost ~]# 
> 
> I could figure out how to block his stinking IP quickly when I thought I knew how, so I disabled ssh and that was the end of that. Having ssh on a virtual private trusted network could help. Also I'm looking into security measures to stop brute-force attacks. I'm thinking of installing IPCop on my second machine and having it act as a router, but I'm pretty happy with its Debian Lenny encrypted logical volumes right now. I want to do the same as SATLUG and no-ip.com do. I want to block the Western Hemisphere no matter how much that offends them. Would someone tell me how to accomplish that? I'm loading up Backtrack 3 beta for that Thailand IP right now, several ports opened.
> 
> 
> 
> Christopher Lemire <christopher.lemire at gmail.com>
> 
> SKYPE:	fakie_flip
> AIM:	good bye300
> IRC:	linux_user400354
> LQ FORUMS AND YIM: fakie_flip
> GTALK, JABBER AND MSN: recursivequicksort at jabber.org

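The detection and blocking the thread describes, as an added example that is not code from either message: parse the "Failed password" lines from /var/log/secure, count failures per source address, check each source against the /8 lists given above, and print DROP commands in the same form as the sample iptables rules. The log lines are constructed, modelled on the quoted ones (192.0.2.10 is a documentation address standing in for a legitimate user), and the failure threshold is a hypothetical value.

```python
"""Flag SSH brute-force sources in /var/log/secure and draft iptables DROP
rules for them, in the form the post's sample rules use.

Added example, not code from either message in the thread.  The log lines
below are constructed, modelled on the quoted ones; 192.0.2.10 is a
documentation address standing in for a legitimate user.
"""
import ipaddress
import re
from collections import Counter

# The /8 lists exactly as given in the post.
APNIC_BLOCKS = [
    "43.0.0.0/8", "58.0.0.0/8", "59.0.0.0/8", "60.0.0.0/8", "61.0.0.0/8",
    "116.0.0.0/8", "117.0.0.0/8", "118.0.0.0/8", "119.0.0.0/8", "120.0.0.0/8",
    "121.0.0.0/8", "122.0.0.0/8", "123.0.0.0/8", "124.0.0.0/8", "125.0.0.0/8",
    "126.0.0.0/8", "202.0.0.0/8", "203.0.0.0/8", "210.0.0.0/8", "211.0.0.0/8",
    "218.0.0.0/8", "219.0.0.0/8", "220.0.0.0/8", "221.0.0.0/8", "222.0.0.0/8",
]
AFRINIC_BLOCKS = ["41.0.0.0/8", "196.0.0.0/8"]

REGION_BLOCKS = {
    "APNIC": [ipaddress.ip_network(b) for b in APNIC_BLOCKS],
    "AFRINIC": [ipaddress.ip_network(b) for b in AFRINIC_BLOCKS],
}

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample, modelled on the /var/log/secure lines quoted above.
SAMPLE_LOG = """\
Apr 29 01:56:31 localhost sshd[18918]: Failed password for root from 61.7.231.74 port 54430 ssh2
Apr 29 01:56:35 localhost sshd[18921]: Failed password for root from 61.7.231.74 port 54843 ssh2
Apr 29 01:56:53 localhost sshd[18945]: Failed password for invalid user admin from 61.7.231.74 port 56641 ssh2
Apr 29 02:10:01 localhost sshd[19001]: Failed password for chris from 192.0.2.10 port 40001 ssh2
Apr 29 02:10:07 localhost sshd[19003]: Accepted password for chris from 192.0.2.10 port 40002 ssh2
"""


def failed_logins(log_text):
    """Return Counter {source_ip: number of failed password attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def region_for(ip):
    """Name of the region whose /8 list contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for region, nets in REGION_BLOCKS.items():
        if any(addr in net for net in nets):
            return region
    return None


def offenders(log_text, threshold=3):
    """Sources with at least `threshold` failures (threshold is a
    hypothetical value; tune it to the host), most active first."""
    return sorted(
        ((ip, n, region_for(ip)) for ip, n in failed_logins(log_text).items()
         if n >= threshold),
        key=lambda t: -t[1],
    )


def drop_rules(source, protocols=("udp", "tcp")):
    """iptables DROP commands in the same form as the post's sample rules.
    `source` is any address or CIDR, e.g. a single /32 or a whole /8."""
    return [f"/sbin/iptables -A INPUT -p {p} -s {source} -j DROP" for p in protocols]


if __name__ == "__main__":
    for ip, n, region in offenders(SAMPLE_LOG):
        print(f"{ip}: {n} failed attempts, region list: {region or 'none'}")
        for rule in drop_rules(f"{ip}/32"):
            print("  " + rule)
```

Two things worth checking before pasting generated rules into a live chain: the sample rules match only `-p udp` and `-p tcp`, so ICMP and anything else from the block still arrives (drop `-p` entirely to match every protocol), and `-A` appends, so a DROP lands after any earlier ACCEPT for port 22 and never fires; insert it ahead of that rule or put the DROPs in first. A per-source count like the one above also lets you block the single offending address rather than a whole /8, which is far less likely to lock out someone you want in.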