Comments:
<0> ok this is really screwed up.
<0> like every day now i get connects to ssh trying to do what looks like a brute force attack, they use users like all the system services, root, names like fluffy, guest, admin, danny, sharon, etc...
<1> happens to everyone
<2> re vitter
<2> re Viking667
<0> looks like 4 second intervals
<0> know what script this is?
<1> i wrote me a program that watches the syslog and blocks any ip that attempts to ssh as an account that doesn't exist
<0> yea you were the one telling me about that the other day.
<0> can i use it?
<1> what distro you using?
<0> sarge
<1> hmm i think i modded it to work with debian for Alia26_
<1> let me try and find it
<3> Someone knows of a user-management-gui ?
<0> like c-panel, webmin and the like?
<4> Redragon^: is Alia2[56] still around?
<2> Redragon^ how big is your block list now?
<0> now im using logcheck and manually adding entries
<1> 455 ips in block list on main server :)
<1> 55 days uptime
<0> i am so convinced if we blocked taiwan, korea and china 80% of this crap would go away
<4> 731 IPs after about six days here.
<5> no idea scotty are we there yet dad?
<0> Mar 29 14:55:06 abyss sshd[3851]: Failed p***word for illegal user yahoo from 64.42.104.202 port 61359 ssh2
<1> BlackNet+ http://hostingsoftware.net/extra/sshmon.tgz
<0> like i would be stupid enough to create a username called yahoo
<1> its a c program and a few things you need to do
<0> k
<1> just untar it and run make, make install
<1> but you have to specify what file to watch
<1> when you start it
<0> k.
<1> plus it must restart when logrotate rotates logs or it will lose its access to file
<4> I'm outta here again...
<0> will play with it local first before i put it on my production box
<2> Redragon^ pssst, want to share the backdoor account? :)
<1> rofl
<1> i'm not that good with c to do that LOL
<0> backdoor account? sounds kinky
<1> you start it with sshmon -l /path/to/logfile -r /path/to/reportlog
<1> the -l is the log it will watch
<0> k
<1> the -r is the log file it writes its blocks to for history purposes
<1> it just inserts a -j DROP iptables rule for input on any ssh attempt to an account that doesn't exist in the system
<0> thought it was someone over on postfix that had it.
<1> one of these days when i have time i'll write a program that uses multiple failures on any user and timed blocks but no time atm
<0> i have a host.trashcan file i made. script reads the file and blocks them
<0> i really need to rewrite it
<0> yea timed blocks would be good
<0> say 5 incorrect logins your ip is blocked for x period of time
<1> yea, only i will make it adjustable on failed attempts and time
<2> ok, so I have work for 2 days and only 1 day to do it in? any ideas? :)
<1> just haven't gotten around to it, so many things i have to do like migrate these hundreds of accounts to the new server...
<1> hire help :)
<6> heh
<7> Do enough work to defer the problem to another day...
<0> been extremely busy this past year myself.
<8> check out my site http://asian.devilishbabes.net
<2> .kb longbow
<2> Fiona well?
<9> doh :)
<2> why didn't fiona ban him?
<9> no idea.. I haven't tried to use Fiona for that
<1> cause x already did it
<9> x only kicked, would that stop Fiona banning?
<1> oh
<1> no idea, she asleep? bad ident on sirmaxxz ?
<9> .o
<9> she's not asleep..
<9> .o
<1> must be bad ident
<1> .o
<2> nope my ident should be good
<1> she knows laptop? not something else?
<4> err, where's sshmon found?
<1> http://hostingsoftware.net/extra/sshmon.tgz
<1> feel free to hack it up if you're a c person :)
<4> lol.
<1> it was written for RH based systems
<1> so it may need some adjustments on some system or spit out some errors on make install for some systems
<4> And what does it monitor? Keystrokes? X forwarding?
<1> the binary should still make and work fine on any system though
<4> cool.
<1> it monitors a designated syslog for ssh attempts on user accounts that don't exist
<4> ohhhhhh.
<1> snags the ip out of the log and inserts a -j DROP for the ip
<4> Cool.
<4> I could modify that for my own firewall.
<1> Viking667 if you're a c person we can make us a little project hehe
<4> err, postgresql, rather
<7> Does it remove the -j DROP after some set period of time ?
<1> nope
<1> thats why i have 445 -j DROP on my primary server at work in 55 days
<1> well in all honesty 1 -j DROP is part of default firewall :)
<4> hrm? 445? wossat?
<4> LadyByte: port 445
<2> number four four five
<6> why wouldn't FORWARD work correctly as long as i set accept to established,related connections then accept for every ip and default policy to drop ? p2p programs stop working .. such as dc++
<2> four hundred forty five
<1> the number of drop rules i have atm
<7> The number of lusers that tried to touch his box...
<2> :)
<4> ahhhh
<2> .touch Redragon^
<1> i have a similar program, ftpmon, that watches for scripts doing the same thing to ftp
<1> would be nice to combine the 2 and add timed iptables entries
<1> have options for what services you want to watch (cause they are usually in the same log)
<2> imho that should be a function from iptables
<1> well you can kinda
<1> you can limit connection requests by ip
<2> i mean, iptables should be some kind of daemon
<2> that manages that stuff for you
<2> and they should offer an api that you can use
<2> like, block this ip for x hours/min
<1> well now you have something to do maxx :)
<2> i'm not a c person
<1> me either, it was tough writing sshmon :)
<1> okay which bot kiddie did we piss off this week?
<1> so how many more php exploits are gonna make providers quit supporting php :)
<10> nice evening....
<1> hiya
<10> anybody speaks german??
<1> not me
<10> all right, maybe my english is a little sad ;-)
<1> hell so is mine and i was born in the us.... :)
<10> i got a sign Read error: EOF from client, am i still there??
<10> i see
<10> dont know the meaning of it
<1> what were you doing to get it?
<10> nothing, really nothing
<1> oh you mean with irc?
<10> sure
<1> hmm thats usually cause of interruption between the irc client and the irc server
<10> but i am still there...
<1> i really dont know about that one
<10> now i got a 'connection reset by peer'
<10> is that to me?
<1> oh no thats other ppl in the channel
<5> b33r ?
<10> ok, feel better now
<3> welp, Gaia^ *burp*
<3> :)
<1> another goof gets added -j DROP hehe
<5> \!/ ____ \!/ \!/ ____ \!/