
Someone trying to break in


trigggl


I somehow managed to mess up my router a couple of days ago and had to connect straight to my cable modem. It never takes long for someone to try to break in. Well, I guess I need to turn ssh off, since that's what they tried to use. I looked at one log file and it looks like they didn't get in, but I'm not sure. I do have the IP address of where the attempts came from and was wondering what I should do with it. I guess they didn't expect me to notice. I monitor that on my GKrellM, though. According to it, it looks like there were thirteen connections over about 15 min.

What logs should I be checking in my Linux box, and what else should I be looking for? I will be turning ssh off.

I did figure out something to do. I did a whois lookup using the Debian network tools. This is what came up:

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      210.0.160.0 - 210.0.255.255
netname:      HGC
descr:        Hutchison Global Communications
country:      HK
admin-c:      IH17-AP
tech-c:       IH17-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-HK-HGCADMIN
changed:      andycw@hgc.com.hk 20040209
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20040212
source:       APNIC

person:       ITMM HGC
nic-hdl:      IH17-AP
e-mail:       hgcnetwork@hgc.com.hk
address:      9/F Low Block ,
address:      Hutchison Telecom Tower,
address:      99 Cheung Fai Rd, Tsing Yi,
address:      HONG KONG
phone:        +852-21229555
fax-no:       +852-21239523
country:      HK
remarks:      Send spam reports to abuse@on-nets.com
remarks:      and abuse reports to abuse@on-nets.com
remarks:      Please include detailed information and
remarks:      times in HKT
changed:      hgcnetwork@hgc.com.hk 20050620
mnt-by:       MAINT-HK-HGCADMIN
source:       APNIC
So, I sent an email to abuse@on-nets.com with a copy of the relevant log lines showing the IP address of the offending person. I'm hoping that their service provider takes this type of thing seriously.

If you are sure you don't need ssh, then just keep it off. Else, use either hosts.deny or hosts.allow to manage the connections. For now, I would change the iptables rules to block and log anything that comes from that IP address. Check your messages logs to see if they ever made a successful guess.


Thanks for the replies. Once I noticed someone was trying to get in by way of ssh, I turned it off and removed execution of it. Then I did put "sshd: ALL" in my hosts.deny. I also commented out all of the allows since I only have a one-computer network and don't really need it for anything. I'm DHCPing to the service provider and my IPs won't be constant any more. I'll allow connections from work when I get the IP address.

I checked the messages logs and there was no indication that they got in. They would have a hard time guessing my password, that is if they ever managed to guess my username. They tried admin, test, guest, webmaster, oracle, library, info, shell, linux, unix, eric and johny. I guess they didn't bother to scan the ports to realize I wasn't running a web server. My root password would be even harder to guess.


I would think it was likely that it was a random scan from a machine with a bot, unless you know someone from the offending IP.

Adam


  • 2 weeks later...
Quoting Adam: I would think it was likely that it was a random scan from a machine with a bot, unless you know someone from the offending IP.

Hi trigggl -

I agree with Adam. I have been in the muck testing this stuff over the last few years, learning quite a bit through all the despair (I now refer to it as "fun") that comes along with a broadband connected PC. Never assume that an attack is "someone trying to get in." It may be, but is most likely typical net activity. Keep your illegal porn, plans to overthrow the government and any other sensitive materials off your Internet connected computers. This way you can stop worrying about security, because believe me - it's futile. You can never be fully secure if you are connected to the web. A federal agent conveyed this to me - and I have learned from much experience. The Buddhists have a philosophy which is now backed by findings in the field of quantum mechanics. They say that what you resist you draw towards you.

"Your resistance to 'what is' is causing your suffering" - The Buddha

Ryan ;)

  • 1 year later...

Well, silly me. I apparently forgot all about this post. I've got more than one computer now and also I connect to home from work using ssh. I forgot how bad the ssh attacks were, but started monitoring the ssh port on my gkrellm with my new computer. Actually, I connect to home by way of an IBM RS6000 that I got free from work. Well, one day I noticed a huge amount of activity and got scared. I did some research and found fail2ban. It took a lot of trial and error, but I finally got it working and also got Ssmtp working to email me when attempted break-ins occur. I have it set to ban anyone that makes two failed ssh attempts with the exception of my work address and my other computer. It only bans anyone just long enough for them to give up and move on. I have to say it works pretty well and it's fun to see people try to get in now.

I decided to make it even more secure by using a non-standard port and closed port 22 on my router. I opened the new port and chose one of my favorite PIN numbers as the port number. It makes my wife very nervous that I leave a port open that can be used to break in, but now I feel so secure that it's no fun anymore. I haven't had anyone get banned in like 4 days. Hmm, it just occurred to me that I need to update my Fail2ban settings to the new port number. Off to reconfigure... :thumbsup:

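The two pieces of advice in this thread that can be turned into working code are the reply that says to check the messages log for a successful guess and to block and log the offending IP with iptables, and trigggl's later fail2ban setup (ban after two failures, whitelist the work address and the other computer, ban only briefly). The script below is an added example covering both; it is not code from the thread and not fail2ban's own implementation. The log lines are constructed in Debian auth.log format, the host name "box", the addresses, the 10-minute window and ban length, and the whitelisted work address 192.0.2.50 are all assumptions.

```python
"""Scan sshd log lines for brute-force attempts, decide fail2ban-style bans,
and emit iptables block-and-log rules.  Added example; not fail2ban's code."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in Debian auth.log / messages format (not real data).
# 203.0.113.7 and 198.51.100.9 play the scanners; 192.168.1.20 is the LAN box.
SAMPLE_LOG = """\
Jun 20 23:41:01 box sshd[4401]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jun 20 23:41:04 box sshd[4401]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Jun 20 23:41:09 box sshd[4403]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Jun 20 23:45:30 box sshd[4410]: Failed password for trigggl from 192.168.1.20 port 51002 ssh2
Jun 20 23:45:35 box sshd[4410]: Failed password for trigggl from 192.168.1.20 port 51002 ssh2
Jun 20 23:45:40 box sshd[4410]: Accepted password for trigggl from 192.168.1.20 port 51002 ssh2
Jun 21 01:10:00 box sshd[4520]: Failed password for invalid user guest from 198.51.100.9 port 3333 ssh2
Jun 21 02:30:00 box sshd[4530]: Failed password for invalid user webmaster from 198.51.100.9 port 3340 ssh2
Jun 21 02:30:02 box sshd[4530]: Connection closed by 198.51.100.9
"""

# One regex for both outcomes; "invalid user" marks a username that does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_log(text, year=2006):
    """Return a dict per Failed/Accepted line; other lines are skipped.
    syslog timestamps carry no year, so one is assumed (2006 is arbitrary)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def successful_logins(events):
    """The question the original poster asked: did anyone actually get in?"""
    return [(e["user"], e["ip"]) for e in events if e["result"] == "Accepted"]


def compute_bans(events, maxretry=2, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=10), ignoreip=()):
    """fail2ban-style decision: ban an IP once it has maxretry failures inside a
    sliding findtime window, unless it falls in an ignoreip network.
    Returns {ip: time the ban expires}."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = {}   # ip -> failure timestamps still inside the window
    banned = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] != "Failed" or e["ip"] in banned:
            continue
        addr = ipaddress.ip_address(e["ip"])
        if any(addr in net for net in ignored):
            continue
        window = [t for t in failures.get(e["ip"], []) if e["time"] - t <= findtime]
        window.append(e["time"])
        failures[e["ip"]] = window
        if len(window) >= maxretry:
            banned[e["ip"]] = e["time"] + bantime
    return banned


def iptables_rules(banned, chain="INPUT"):
    """Block-and-log rules for each banned IP.  Both are inserted at the top of
    the chain with -I, so the DROP is emitted first and the LOG second: after
    both inserts the LOG rule sits above the DROP and the packet is logged
    before it is dropped."""
    rules = []
    for ip in sorted(banned, key=ipaddress.ip_address):
        rules.append(f"iptables -I {chain} -s {ip} -j DROP")
        rules.append(f"iptables -I {chain} -s {ip} -j LOG --log-prefix 'ssh-ban: '")
    return rules


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accepted logins:", successful_logins(evs))
    # Whitelist the LAN and an assumed work address, as the poster did.
    bans = compute_bans(evs, ignoreip=("192.168.1.0/24", "192.0.2.50"))
    for ip, until in bans.items():
        print(f"ban {ip} until {until:%b %d %H:%M:%S}")
    print("\n".join(iptables_rules(bans)))
```

Two details are worth noticing when running it. The scanner at 198.51.100.9 is never banned because its two failures are 80 minutes apart and the window is 10 minutes, which is exactly the kind of slow guessing a short findtime misses; lengthen findtime if that bothers you. And the LAN box would be banned after trigggl's own two typos were it not for the whitelist, which is why the poster's ignoreip entries matter as much as maxretry.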

nlinecomputers

For SSH connections I do two things. I only use encrypted keys and I use a different port. SSH uses 22 by default. I pick a high port at random like 7439 or something and use that. Keeps the riff raff from even knowing where to knock, let alone getting in.

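The key-only, non-default-port setup nlinecomputers describes lives in sshd_config, and it is easy to get a config that looks hardened but still accepts passwords. The audit script below is an added example, not OpenSSH code and not anything from the thread. Both configs are constructed: the weak one approximates a stock install, the hardened one uses the port 7439 mentioned above and an assumed AllowUsers entry. The one caveat it encodes is that with UsePAM, keyboard-interactive (ChallengeResponseAuthentication / KbdInteractiveAuthentication) still prompts for a password even after PasswordAuthentication is set to no, so all three must be off for the server to be truly key-only.

```python
"""Audit an sshd_config for key-only authentication and a non-default port,
plus the settings that silently undo them.  Added example, not OpenSSH code."""
import re

# Constructed: roughly what a default install presents to a scanner.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed hardened version.  7439 is the port from the post above;
# the AllowUsers entry and the LAN Match block are assumptions.
HARDENED_CONFIG = """\
Port 7439
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowUsers trigggl

Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# What sshd assumes when a keyword is absent (values from the sshd_config manual).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section.

    sshd uses the FIRST value it sees for each keyword, so an early line wins
    over a later duplicate.  Parsing stops at the first Match line: keywords
    after it apply only to connections that satisfy the Match criteria."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings):
    """Return a list of findings; an empty list means key-only on a non-default port."""
    def get(key):
        return settings.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing still works")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key login is impossible")
    if get("challengeresponseauthentication") != "no" or get("kbdinteractiveauthentication") != "no":
        findings.append("keyboard-interactive auth still enabled: with UsePAM it prompts "
                        "for a password even when PasswordAuthentication is no")
    if get("permitrootlogin") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows root password login")
    if get("port") == "22":
        findings.append("Port 22: default port gets every scanner's first knock "
                        "(moving it cuts log noise, not real risk)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for f in audit(parse_sshd_config(cfg)) or ["no findings"]:
            print(" ", f)
```

Run the real file through the same functions by reading /etc/ssh/sshd_config, then validate the edited file with `sshd -t -f <file>` before restarting the daemon, and keep an existing session open until a fresh key-based login on the new port succeeds. The port change is obscurity; the control that actually stops the guessing in this thread is turning off every password path.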
