Break-in Attempts
David Bandel
david.bandel
Sun Jan 8 17:01:28 PST 2006
On 1/8/06, Kurt Wall <kwall at kurtwerks.com> wrote:
> Someone is trying really lamely to break into my box using a dictionary
> attack. I have 2280 of these in my logs:
>
> sshd[24079]: Invalid user patrick from 220.163.44.81
> sshd[24083]: Invalid user patrick from 220.163.44.81
> sshd[25460]: Invalid user fluffy from 202.142.105.78
> sshd[25464]: Invalid user admin from 202.142.105.78
>
> And 2504 of these:
>
> sshd[24075]: Failed password for nobody from 220.163.44.81 port 49155 ssh2
> sshd[24079]: Failed password for invalid user patrick from 220.163.44.81 port 49195 ssh2
> sshd[24083]: Failed password for invalid user patrick from 220.163.44.81 port 49225 ssh2
>
> But only 270 of these:
>
> sshd[6667]: Address 195.226.181.130 maps to www.vipbusiness.de, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> sshd[6695]: Address 195.226.181.130 maps to www.vipbusiness.de, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> sshd[6731]: Address 195.226.181.130 maps to www.vipbusiness.de, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
>
> Jerks. Children.
>
Old news, been going on for years. If my automated scripts (I use a
program called fail2ban mostly) don't show several IPs blocked at any
given time, well ... (they always do, so something would be seriously
wrong).
I do, however, have two Russian netblocks permanently blocked --
69.50.160.0/19 and 85.255.112.0/20. These two netblocks are
responsible for a _lot_ of criminal activity and are totally
unresponsive to reports of said activity. Check SANS, they keep
lists, but the ssh attacks are from M$ zombies mostly (although many
I've identified as coming from a couple of unresponsive Romanian
netblocks).
With ISPs who protect criminals, the only thing you can do is protect
yourself. This includes US ISPs like rr.com and others who do nothing
about M$ zombies/spam bots.
Unfortunately it will take a law to make ISPs responsible for criminal
behavior of their clients if they won't divulge who their clients are.
Once a few ISP owners/CEOs are jailed, things will change fast, but
not until.
As an ISP, I am responsive. _All_ reports I receive (damn few BTW),
are investigated and if true, the offender is disconnected. Since I
service a lot of very isolated folks who can get no other service, it
works well for me.
In Nov I disconnected a web site whose webmaster put an easy password
on a system that these ssh bots broke into. They were running another
ssh scan bot. I killed the bot, downed the site, reported to the
owners and the webmaster was fired (I had warned them previously). I
asked them to move their site to another ISP and they have.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
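An added example, not part of the thread, of the per-source tallying that a tool like fail2ban automates: it runs over constructed sshd lines in the same shape as the ones Kurt quoted, counts the three message types per source address, flags addresses that reach a threshold of authentication failures, and checks an address against the two netblocks David mentions. The sample log, the threshold, and the function names are assumptions.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample lines in the same shape as the sshd messages quoted in the thread
# (plus one successful login that must not be counted).
SAMPLE_LOG = """\
sshd[24079]: Invalid user patrick from 220.163.44.81
sshd[24083]: Invalid user patrick from 220.163.44.81
sshd[25460]: Invalid user fluffy from 202.142.105.78
sshd[25464]: Invalid user admin from 202.142.105.78
sshd[24075]: Failed password for nobody from 220.163.44.81 port 49155 ssh2
sshd[24079]: Failed password for invalid user patrick from 220.163.44.81 port 49195 ssh2
sshd[24083]: Failed password for invalid user patrick from 220.163.44.81 port 49225 ssh2
sshd[6667]: Address 195.226.181.130 maps to www.vipbusiness.de, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
sshd[31000]: Accepted publickey for kwall from 192.0.2.10 port 50000 ssh2
"""

# One pattern per message type seen in the thread; each captures the source IP.
PATTERNS = {
    "invalid_user": re.compile(r"Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)"),
    "failed_password": re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"),
    "reverse_dns_mismatch": re.compile(r"Address (\d+\.\d+\.\d+\.\d+) maps to \S+, but this does not map back"),
}

# The two netblocks David says he blocks permanently (taken from the thread).
BLOCKED_NETBLOCKS = [ipaddress.ip_network(n) for n in ("69.50.160.0/19", "85.255.112.0/20")]

def tally(log_text):
    """Count each message type per source IP. Returns {ip: Counter({type: count})}."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                counts[m.group(1)][kind] += 1
                break  # a line matches at most one type
    return counts

def offenders(log_text, threshold=3):
    """Source IPs whose 'Invalid user' + 'Failed password' count reaches the threshold.
    The reverse-DNS warning is only tallied, not counted, because a broken PTR record
    is not by itself an authentication failure."""
    hits = tally(log_text)
    return sorted(ip for ip, c in hits.items()
                  if c["invalid_user"] + c["failed_password"] >= threshold)

def in_blocked_netblock(ip):
    """True if the address falls inside one of the permanently blocked netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETBLOCKS)
```

With the sample above, only 220.163.44.81 crosses the default threshold; 202.142.105.78 would need a threshold of 2, and the reverse-DNS warning alone never triggers a block.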