[SGVLUG] ssh breakins

James Neff jneff at tethyshealth.com
Fri Aug 4 08:51:52 PDT 2006


Chances are these are script kiddies looking for something fun to do. 
Or, they are folks looking for an FTP site to host their Warez stuff.

I wrote a script that went through and pulled out the IP addresses from
the log files and added them to my iptables drop list.  I also
researched some of them, with the help of WHOIS from Network Solutions
web pages, and found the ones coming from eastern Europe and Asia.  I
banned entire subnets (some */7) from ever getting to my network again. 

Just make sure you have strong passwords and change them often.

You could also set up your firewall to only receive connections from a
previously defined list of IP addresses.  This scheme would only work if
you knew ahead of time what the IP address of the client was. 

If you have spare time, you could call the ISP's tech support line
(lookup on Network Solutions' WHOIS page) and threaten litigation if
they do not police their own network.  This will only work for US based
ISP's.  I sent out a few "cease and assist" e-mails to the abuse e-mail
address of several ISP's and one of them called me right back to
apologize. 

I always thought it would be fun to write a script (somehow trigger it
by the ssh daemon upon receiving a failed login attempt) that would
automatically portscan and DoS on the offending client. 

Good luck, not much you can do except just keep your server up to date
on security patches and change passwords often.

--James



Don Saxton wrote:

> I thought when I switched to rsa these break in attempts would be
> discouraged.
> What more can I do?
>
>
> It has nothing of value to anyone other than the users. Messing it up
> would mess up one non-profit.
>
>
> --------------------- SSHD Begin ------------------------
>
>
> Failed logins from:
>    66.253.169.114 (mr-min-169-114.dmisinetworks.net): 14 times
>
> Illegal users from:
>    66.253.169.114 (mr-min-169-114.dmisinetworks.net): 24 times
>
>
> Received disconnect:
>    11: Bye Bye : 38 Time(s)
>
> **Unmatched Entries**
> Address 69.57.150.12 maps to server114.xl-server.org, but this does
> not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 714 time(s)
>
>
>
>
>
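The log-to-iptables idea James describes, written out as an added example (not his script, and not part of the original thread): it counts failed and illegal sshd logins per source address, emits DROP rules only for addresses over a threshold and never for an allow-listed admin address, and reports the reverse-DNS mismatch lines from Don's logwatch output separately, since those are not failed logins. The log lines, IPs and hostnames are constructed sample data.

```python
import re
from collections import Counter

# Constructed sshd syslog sample; addresses are from documentation ranges.
SAMPLE_LOG = """\
Aug  4 08:12:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 40311 ssh2
Aug  4 08:12:03 host sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 40312 ssh2
Aug  4 08:12:05 host sshd[2105]: Illegal user test from 192.0.2.10
Aug  4 08:12:09 host sshd[2107]: Failed password for jneff from 198.51.100.7 port 51002 ssh2
Aug  4 08:12:30 host sshd[2109]: Accepted publickey for jneff from 198.51.100.7 port 51002 ssh2
Aug  4 08:13:00 host sshd[2111]: Address 203.0.113.5 maps to server.example, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# 2006-era sshd said "Illegal user"; newer versions say "Invalid user".
FAILED_RE = re.compile(r"(?:Failed password for|Illegal user|Invalid user) .*? from " + IPV4)
REVERSE_RE = re.compile(r"Address " + IPV4 + r" maps to \S+, but this does not map back")


def count_failures(log_text):
    """Map each source IP to the number of failed/illegal login lines it produced."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def reverse_dns_mismatches(log_text):
    """IPs whose forward/reverse DNS disagree; often misconfigured DNS, so report, don't block."""
    found = []
    for line in log_text.splitlines():
        m = REVERSE_RE.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def iptables_rules(counts, threshold=5, allow=frozenset()):
    """Build DROP rules for repeat offenders, skipping allow-listed admin addresses.

    Returned as strings so an operator can review before running them; a typo in
    the allow list is the classic way to lock yourself out of your own server."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allow]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for rule in iptables_rules(failures, threshold=3, allow={"198.51.100.7"}):
        print(rule)
    print("reverse DNS mismatches:", reverse_dns_mismatches(SAMPLE_LOG))
```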

