
Hackers knocking at my door.

Status
Not open for further replies.

datadan

IS-IT--Management
Jul 22, 2002
283
US
Every night I get thousands of attempts to access my server illegally. The names start with a and go through z, and root is tried hundreds of times. The IP traffic is from foreign sources or ISPs. (Yes, telnet is off.) I only allow two users SSH access in the sshd_config AllowUsers and disallow root ssh altogether. Can I restrict ssh access to specific IP ranges? What is the syntax? Can I configure the server to not allow ssh access for x# minutes after y# of failed attempts? Also, is there anything else I should do to harden things up? Thanks,



<snip>
sshd:
Invalid Users:
Unknown Account: 3779 Time(s)
Authentication Failures:
unknown (61.108.35.250 ): 2181 Time(s)
unknown (ool-43570400.dyn.optonline.net ): 23 Time(s)
unknown (83.97.100.178 ): 1215 Time(s)
unknown (220.64.74.55 ): 107 Time(s)
unknown (222.96.154.133 ): 135 Time(s)
unknown (82-78-123-33.rdsnet.ro ): 3 Time(s)
unknown (82.78.123.33 ): 115 Time(s)
</snip>
 
What type of router are you using? If it's Cisco, what is the ACL set to, if anything?

Iolair MacWalter
 
You'd do that at the firewall. If you don't have one, then shame on you, but the router can do it as iolair mentioned.

As a last resort you could put the ACL on the server itself. Research "iptables" or "linux firewall"
 
I had a problem with that for several months.

For each of the most egregious cases, I would report the problem to the abuse contact for the registered network on which the hacking machine resides. My emails to these folk generally consist of a summary of the incident and an excerpt from my logs which shows the problem in detail. I would also make sure to tell the abuse admin my time offset from UTC so he/she could track the activity back to their users.

You can get network information through whois queries at ARIN (or its counterparts around the world).

I would then configure my Cisco PIX border firewall and the firewall in the Linux kernel both (belt and suspenders) to deny access from those entire networks.

I don't know if it's coincidence or if the hackers share information, but after I reported and blocked 5 or 6 of the most egregious hackers, the incidents of login attempts fell off dramatically. I do know that a lot of the hacking sweeps I saw originate in university networks around the world.


Want the best answers? Ask the best questions!

TANSTAAFL!!
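The workflow in the post above (pull the worst sources out of the logwatch summary, write an abuse report with the UTC offset, then block the whole network in the kernel firewall) can be scripted. The following is an added Python example, not code from the thread; the logwatch text is a constructed copy of the excerpt quoted in the first post, the UTC offset is a constructed value, and the /24 is a stand-in for the whois-registered network, which the script cannot look up offline.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the logwatch sshd summary quoted in the first post.
LOGWATCH_SAMPLE = """\
sshd:
Invalid Users:
Unknown Account: 3779 Time(s)
Authentication Failures:
unknown (61.108.35.250 ): 2181 Time(s)
unknown (ool-43570400.dyn.optonline.net ): 23 Time(s)
unknown (83.97.100.178 ): 1215 Time(s)
unknown (220.64.74.55 ): 107 Time(s)
unknown (222.96.154.133 ): 135 Time(s)
unknown (82-78-123-33.rdsnet.ro ): 3 Time(s)
unknown (82.78.123.33 ): 115 Time(s)
"""

# One "<user> (<source> ): <n> Time(s)" line of the Authentication Failures section.
FAILURE_RE = re.compile(r"^\s*\S+ \((?P<source>[^\s)]+)\s*\): (?P<count>\d+) Time\(s\)$")


def parse_auth_failures(text):
    """Return {source: failure count} for the Authentication Failures section only."""
    counts = Counter()
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and "(" not in stripped:
            # A bare heading such as "Authentication Failures:" opens or closes the section.
            in_section = stripped == "Authentication Failures:"
            continue
        if in_section and (m := FAILURE_RE.match(line)):
            counts[m.group("source")] += int(m.group("count"))
    return dict(counts)


def is_ip_literal(source):
    try:
        ipaddress.ip_address(source)
        return True
    except ValueError:
        return False


def offenders(counts, threshold):
    """Sources at or above the threshold, worst first. Hostname entries are kept as-is:
    they must be resolved before they can become networks, and that is not done offline here."""
    hits = [(s, c) for s, c in counts.items() if c >= threshold]
    return sorted(hits, key=lambda sc: (-sc[1], sc[0]))


def block_candidates(hits, prefixlen=24):
    """Enclosing network (default /24, a placeholder for the whois-registered block) per IP-literal offender."""
    return [str(ipaddress.ip_network(f"{src}/{prefixlen}", strict=False))
            for src, _ in hits if is_ip_literal(src)]


def iptables_commands(nets):
    """Kernel-firewall drop rules for the candidate networks (the 'belt' half of belt and suspenders)."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in nets]


def abuse_report(source, count, excerpt, utc_offset="-0500"):
    """Plain-text abuse report: incident summary, log excerpt, and the reporter's UTC offset so the
    remote admin can map the timestamps onto their own records. The offset is a constructed value."""
    return (
        f"Subject: repeated SSH brute-force attempts from {source}\n\n"
        f"Our server logged {count} failed SSH logins from {source} in the last 24 hours.\n"
        f"All timestamps below are local time, UTC{utc_offset}.\n\n"
        f"{excerpt}"
    )


if __name__ == "__main__":
    counts = parse_auth_failures(LOGWATCH_SAMPLE)
    worst = offenders(counts, threshold=1000)
    for source, count in worst:
        print(abuse_report(source, count, f"unknown ({source} ): {count} Time(s)"))
    for cmd in iptables_commands(block_candidates(worst)):
        print(cmd)
```

With a threshold of 1000 the script singles out the same two addresses that the next reply suggests reporting. The generated `iptables` lines are printed rather than executed so they can be reviewed (and the /24 widened or narrowed to the registered network) before they go into the ruleset.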
 
I would email to the abuse addresses of:

unknown (61.108.35.250 ): 2181 Time(s)
unknown (83.97.100.178 ): 1215 Time(s)

too.

/etc/ssh/sshd_config
has an entry: ListenAddress
perhaps that helps.

The files
/etc/hosts.allow
/etc/hosts.deny
work together with services, specified in inetd AFAIK, and should help there.

seeking a job as java-programmer in Berlin:
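To make the hosts.allow / hosts.deny suggestion concrete, here is an added Python model of how tcp_wrappers evaluates those two files (example code, not from the thread or from the tcp_wrappers project). The file contents are constructed, using documentation address ranges; the client-pattern subset handled is ALL, the net/mask form, a trailing-dot IP prefix, a leading-dot hostname suffix and exact matches, and EXCEPT lists are left out.

```python
import ipaddress

# Constructed examples of the two control files. Real tcp_wrappers only ignores lines
# that START with '#', so no inline comments are used on rule lines.
HOSTS_ALLOW = """\
# allow the office network (net/mask form), one dotted prefix, and one domain suffix
sshd: 203.0.113.0/255.255.255.0, 198.51.100.
sshd: .example.net
"""

HOSTS_DENY = """\
# everything else is refused for sshd; other wrapped services are not covered by this line
sshd: ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list)] pairs; a third ':' field (shell command options) is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(token, ip, hostname):
    """Subset of hosts_access(5) client patterns (see lead-in)."""
    if token == "ALL":
        return True
    if token.startswith("."):
        # hostname suffix: only usable when reverse DNS for the client is available
        return hostname is not None and hostname.endswith(token)
    if token.endswith("."):
        # dotted IP prefix such as 198.51.100.
        return ip.startswith(token)
    if "/" in token:
        # net/mask pair such as 203.0.113.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
    return token == ip or token == hostname


def any_rule_matches(rules, daemon, ip, hostname):
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, ip, hostname) for c in clients):
                return True
    return False


def hosts_access(daemon, ip, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access evaluation order: a match in hosts.allow grants, otherwise a match in
    hosts.deny refuses, and a client matched by neither file is granted."""
    if any_rule_matches(parse_rules(allow), daemon, ip, hostname):
        return True
    if any_rule_matches(parse_rules(deny), daemon, ip, hostname):
        return False
    return True


if __name__ == "__main__":
    for daemon, ip, host in [("sshd", "203.0.113.7", None), ("sshd", "61.108.35.250", None),
                             ("sshd", "192.0.2.5", "box.example.net"), ("in.ftpd", "61.108.35.250", None)]:
        print(daemon, ip, host, "->", "allow" if hosts_access(daemon, ip, host) else "deny")
```

Two points the model makes visible: a `sshd: ALL` line in hosts.deny covers only sshd, so the usual default is `ALL: ALL` there; and the `.example.net` style entry depends on reverse DNS for the client, so address-based patterns are the dependable ones. Note also that this only applies to an sshd built with libwrap; portable OpenSSH dropped tcp_wrappers support in release 6.7, and on current systems the same restriction is expressed with `Match Address` in sshd_config or in the packet filter.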
 
I just looked up 61.108.35.250. According to APNIC, that IP address falls into a network registered to an elementary school in Kyongnam, Korea. I've had this kind of stuff come from university networks, but not an elementary school network.


I don't bother with hosts.allow or hosts.deny. I just configure iptables to drop all packets from an offending network.




Want the best answers? Ask the best questions!

TANSTAAFL!!
 
First thing you can do is not be pingable. That'll essentially hide your server from basic script kiddies.

-Haben sie fosforos?
-No tiengo caballero, but I have un briquet.
 
I agree with Trevoke. I was being attacked on my ssh server, and since we made the change to not be pingable most of the attacks have stopped. I have gone the route in the past and reported the IPs to both my ISP and to the IPs' owners. Most do not care.

 
Consider 3 tiers:
- Hardware firewall with only the ports you use open
- IPTables set to disallow contact on any port from any computer that cannot be trusted (adjust down from here, esp. if a webserver is involved).
- Don't run a telnet service, keep that port blocked, run SSH on a non-standard port. And even in the ssh config be very specific who it lets on from where.

Remember: Never let root login remotely -- if you need root access from a remote location ssh as a user and then su to root (requires extra password), sshd should be running as the ssh user or nobody.

We used to have a huge list like yours, then we added the few extra hoops and we almost never see anyone knocking on the door.
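The third tier above, together with the original question about restricting the two allowed users to specific IP ranges, comes down to what goes into sshd_config. The following added Python example (not code from the thread or from OpenSSH) parses a constructed sshd_config fragment, evaluates its `AllowUsers` line the way sshd does for USER@HOST entries (HOST may be a CIDR block or a pattern in which only `*` and `?` are special, matched against the client address and, when reverse DNS is in use, its hostname), and audits the keywords discussed in this thread. User names, addresses and the port are constructed values.

```python
import ipaddress
import re

# Constructed sshd_config fragment modelled on the thread: two named users only, root refused,
# a non-standard port, and each user pinned to where they may connect from.
SSHD_CONFIG = """\
Port 2222
ListenAddress 192.0.2.10
PermitRootLogin no
MaxAuthTries 3
AllowUsers dan@192.0.2.* alice@198.51.100.0/24 backup@bastion.example.net
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive, values are not.
KEYWORD_RE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Global keywords as {lowercase keyword: value}. sshd keeps the FIRST value it sees for a
    keyword, and everything after the first Match line is conditional, so parsing stops there."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def sshd_pattern(pat):
    """OpenSSH pattern -> regex: only '*' and '?' are special (no [...] classes as in shell globs)."""
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pat)
    return re.compile("^" + body + "$")


def host_matches(host_pat, client_ip, client_host=None):
    """HOST part of USER@HOST: a CIDR block, else a pattern tried against the client address
    and, when known (UseDNS yes), its resolved hostname."""
    if "/" in host_pat:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(host_pat, strict=False)
        except ValueError:
            return False
    rx = sshd_pattern(host_pat)
    return bool(rx.match(client_ip)) or (client_host is not None and bool(rx.match(client_host)))


def allow_users_permits(allow_users, user, client_ip, client_host=None):
    """True if any AllowUsers token admits this user from this source."""
    for token in allow_users.split():
        user_pat, _, host_pat = token.partition("@")
        if not sshd_pattern(user_pat).match(user):
            continue
        if not host_pat or host_matches(host_pat, client_ip, client_host):
            return True
    return False


# Hardening expectations from the thread; each returns True when the configured value is acceptable.
CHECKS = {
    "permitrootlogin": lambda v: v.lower() == "no",
    "port": lambda v: v != "22",
    "listenaddress": lambda v: v not in ("0.0.0.0", "::", "*"),
    "allowusers": lambda v: bool(v.strip()),
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 3,
}


def audit(conf):
    """List keywords that are missing (so the sshd default applies) or set to a weak value."""
    findings = []
    for key, acceptable in CHECKS.items():
        value = conf.get(key)
        if value is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif not acceptable(value):
            findings.append(f"{key}: {value}")
    return findings


if __name__ == "__main__":
    conf = parse_sshd_config(SSHD_CONFIG)
    print("findings:", audit(conf) or "none")
    for user, ip, host in [("dan", "192.0.2.44", None), ("dan", "198.51.100.5", None),
                           ("root", "192.0.2.44", None), ("backup", "203.0.113.9", "bastion.example.net")]:
        print(user, ip, host, "->", allow_users_permits(conf["allowusers"], user, ip, host))
```

The `AllowUsers` line is where "specific IP ranges" are expressed per user; a `Match Address` block does the same for a whole set of keywords. The other half of the original question, refusing connections for some minutes after a number of failed logins, is not an sshd_config setting at all: sshd does not keep per-source failure counters, so that lockout is done outside it, with the iptables `recent` match on the SSH port or with a log-watching tool such as fail2ban that inserts the firewall rule for you.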

 