Break-in Attempts

Ken Leyba kenleyba
Sun Jan 8 16:12:49 PST 2006


Yes, I agree, scripted attacks.  I've seen these for quite a few
months.  I finally used TCP wrappers to allow just my non-routable
addresses and my home IP address on my web server at work.  I suppose
I could have used IP Tables to drop the attempts.  Either way with TCP
Wrappers I now only see two attempts at the most per day and then the
script must be smart enough not to try the user accounts after that.

Ken

On 1/8/06, Net Llama! <netllama at linux-sxs.org> wrote:
> I regret that these aren't new, and are likely automated attacks from
> bots.  I've seen these types of brute force attacks going back over a
> year ago.
>
> On 01/08/2006 11:26 AM, Kurt Wall wrote:
> > Someone is trying really lamely to break into my box using a dictionary
> > attack. I have 2280 of these in my logs:
> >
> > sshd[24079]: Invalid user patrick from 220.163.44.81
> > sshd[24083]: Invalid user patrick from 220.163.44.81
> > sshd[25460]: Invalid user fluffy from 202.142.105.78
> > sshd[25464]: Invalid user admin from 202.142.105.78
> >
> > And 2504 of these:
> >
> > sshd[24075]: Failed password for nobody from 220.163.44.81 port 49155 ssh2
> > sshd[24079]: Failed password for invalid user patrick from 220.163.44.81 port 49195 ssh2
> > sshd[24083]: Failed password for invalid user patrick from 220.163.44.81 port 49225 ssh2
> >
> > But only 270 of these:
> >
> > sshd[6667]: Address 195.226.181.130 maps to www.vipbusiness.de, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> > sshd[6695]: Address 195.226.181.130 maps to www.vipbusiness.de, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> > sshd[6731]: Address 195.226.181.130 maps to www.vipbusiness.de, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> >
> > Jerks. Children.
> >
> > Kurt
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> L. Friedman                                    netllama at linux-sxs.org
> LlamaLand                               http://netllama.linux-sxs.org
>
>   12:10:01 up 1 day,  2:49,  1 user,  load average: 0.00, 0.00, 0.00


--
Ken Leyba
"I think you're the opposite of a paranoid. I think you go around with
the insane delusion that people like you."-Harry Block, Deconstructing
Harry
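
Added example, not part of the original messages: a small Python tally of the three sshd message kinds quoted in this thread, grouped by source address, with each source checked against an allowlist shaped like the one described above (non-routable addresses plus one home address). The home address 203.0.113.10 and all function names are assumptions made for illustration; the log lines are copied from the quoted message.

```python
import ipaddress
import re
from collections import Counter

# Log lines copied from the quoted message in this thread.
SAMPLE_LOG = """\
sshd[24079]: Invalid user patrick from 220.163.44.81
sshd[25460]: Invalid user fluffy from 202.142.105.78
sshd[25464]: Invalid user admin from 202.142.105.78
sshd[24075]: Failed password for nobody from 220.163.44.81 port 49155 ssh2
sshd[24079]: Failed password for invalid user patrick from 220.163.44.81 port 49195 ssh2
sshd[6667]: Address 195.226.181.130 maps to www.vipbusiness.de, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
"""

# One pattern per message kind seen in the thread; each captures the source IP.
PATTERNS = {
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)"),
    "failed_password": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
    "reverse_mismatch": re.compile(r"sshd\[\d+\]: Address (\S+) maps to \S+, but this"),
}

# Non-routable (RFC 1918) ranges, listed explicitly.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: stand-in for the poster's home address (documentation range).
HOME_ALLOW = {ipaddress.ip_address("203.0.113.10")}


def summarize(log_text):
    """Return {source_ip: Counter(kind -> count)} for recognised sshd lines."""
    per_ip = {}
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                per_ip.setdefault(match.group(1), Counter())[kind] += 1
                break
    return per_ip


def allowed(ip_text, allow=HOME_ALLOW):
    """Allowlist policy: a non-routable address or an explicitly listed one."""
    ip = ipaddress.ip_address(ip_text)
    return ip in allow or any(ip in net for net in PRIVATE_NETS)


if __name__ == "__main__":
    for ip, kinds in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {'allow' if allowed(ip) else 'deny':5} {dict(kinds)}")
```
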


