
Unauthorized access response 1

Status
Not open for further replies.

rouse01

IS-IT--Management
Sep 10, 2001
143
US
A remote is trying to gain access to my linux server via ssh, which is open behind my router.
Checking my security log, I see a run of "input_userauth_request: illegal user BLA": where BLA
is either root, admin, user, etc. The logins fail so far.

I'd like to send a message to the perp (not a ping -f), but am getting to the point where I might not care what the repercussions are, since this is only my home network.

Anyway, I nmap -P0 the remote and get:

Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap2
199/tcp open smux
443/tcp open https
445/tcp filtered microsoft-ds
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

So it looks like there are possibilities, but I'd like to hear what you might recommend.

I've not yet tried to login to the obvious ftp, telnet or web server. I'd like to hit his lousy pop or imap and send a note to the root.

Please let me know what you'd do.

Thanks - Keith
 
Yeah, that'd be politically correct. I'd rather put a smart flick to his ear!

I understand that a lot of these "input_userauth_request" come from overseas. Also a 'Bye Bye' signature is usual when the connection is dropped.

My hope is that the remote has been hacked & the owner doesn't know what's going out on his ip. If that's the case, send him a note.

So, if I can't manually... is there a way to configure my server to post some foreboding message to the following probe? (I'm not obfuscating the source address):
Sep 27 16:34:33 linux sshd[22634]: pam_smb: Incorrect NT password for username : NOUSER
Sep 27 16:34:35 linux sshd[22634]: Failed password for illegal user admin from 203.146.102.54 port 47273 ssh2
Sep 27 16:34:35 linux sshd[22634]: Received disconnect from 203.146.102.54: 11: Bye Bye
Sep 27 16:34:38 linux sshd[22636]: input_userauth_request: illegal user user
Sep 27 16:34:38 linux sshd[22636]: Could not reverse map address 203.146.102.54.
Sep 27 16:34:38 linux sshd[22636]: pam_smb: Incorrect NT password for username : NOUSER
Sep 27 16:34:40 linux sshd[22636]: Failed password for illegal user user from 203.146.102.54 port 47406 ssh2
Sep 27 16:34:40 linux sshd[22636]: Received disconnect from 203.146.102.54: 11: Bye Bye
Sep 27 16:34:43 linux sshd[22638]: Could not reverse map address 203.146.102.54.
Sep 27 16:34:43 linux sshd[22638]: pam_smb: Incorrect NT password for username : root
Sep 27 16:34:45 linux sshd[22638]: Failed password for root from 203.146.102.54 port 47540 ssh2
Sep 27 16:34:46 linux sshd[22638]: Received disconnect from 203.146.102.54: 11: Bye Bye
Sep 27 16:34:48 linux sshd[22640]: Could not reverse map address 203.146.102.54.
Sep 27 16:34:48 linux sshd[22640]: pam_smb: Incorrect NT password for username : root
Sep 27 16:34:51 linux sshd[22640]: Failed password for root from 203.146.102.54 port 47685 ssh2
Sep 27 16:34:51 linux sshd[22640]: Received disconnect from 203.146.102.54: 11: Bye Bye
Sep 27 16:34:53 linux sshd[22642]: Could not reverse map address 203.146.102.54.
Sep 27 16:34:53 linux sshd[22642]: pam_smb: Incorrect NT password for username : root
Sep 27 16:34:56 linux sshd[22642]: Failed password for root from 203.146.102.54 port 47823 ssh2
Sep 27 16:34:56 linux sshd[22642]: Received disconnect from 203.146.102.54: 11: Bye Bye
Sep 27 16:34:58 linux sshd[22644]: input_userauth_request: illegal user test
Sep 27 16:34:58 linux sshd[22644]: Could not reverse map address 203.146.102.54.
Sep 27 16:34:58 linux sshd[22644]: pam_smb: Incorrect NT password for username : NOUSER
Sep 27 16:35:01 linux sshd[22644]: Failed password for illegal user test from 203.146.102.54 port 47958 ssh2
Sep 27 16:35:01 linux sshd[22644]: Received disconnect from 203.146.102.54: 11: Bye Bye

Keith
 
Stefanwagner - No. That ip shows up only once in my secure log files (going back one month), but there are many log entries with the same footprint. Obviously a script attack & the machine(s) must be compromised. If I knew for sure that the attack was coming from the cat behind THAT keyboard, I'd send him the ping of death each morning before I left for work.

I'm looking for a way to directly notify the owner that his system has a hole that needs plugging. Is it possible to telnet into one of the mail ports & post a message to the root account without knowing for sure the account name?

Thanks for responding - Keith
 
Perhaps you can send to 'postmaster@machine.domain'; don't know if 'postmaster' is a commonly used default or standard.

Or you send a mail to domaster@loxinfo.co.th (whois: 203.146.0.0 - 203.146.255.255: e-mail)
or abuse@loxinfo.co.th, and ask for help, together with time and IP of the attacker.

seeking a job as java-programmer in Berlin:
 
This stuff is normal. Ignore them. Null route them, or write a review script that adds addresses to your iptables rules based on frequency/severity if you trust the source addresses are legitimate. I wouldn't. If you are allowing public access from the internet to machines on your internal network you had best rethink that policy. Think VPN and explicit allows with a policy of DROP. My .02 cents.
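As an added example (written here, not by any poster in this thread) of the "review script" suggested above, run over constructed sshd lines in the same format as the secure-log excerpt earlier in the thread: it tallies "Failed password" entries per source address, weighs attempts against root as more severe, skips addresses you trust (the TRUSTED set and the RFC 5737 sample addresses are assumptions), and renders the iptables DROP rules instead of applying them so you can review before blocking.

```python
import re
from collections import defaultdict
# Constructed sample in the same format as the sshd lines quoted in the thread
# (RFC 5737 documentation addresses, not the real source address).
SAMPLE_LOG = """\
Sep 27 16:34:35 linux sshd[22634]: Failed password for illegal user admin from 203.0.113.54 port 47273 ssh2
Sep 27 16:34:40 linux sshd[22636]: Failed password for illegal user user from 203.0.113.54 port 47406 ssh2
Sep 27 16:34:45 linux sshd[22638]: Failed password for root from 203.0.113.54 port 47540 ssh2
Sep 27 16:34:51 linux sshd[22640]: Failed password for root from 203.0.113.54 port 47685 ssh2
Sep 27 16:34:56 linux sshd[22642]: Failed password for root from 203.0.113.54 port 47823 ssh2
Sep 27 16:35:01 linux sshd[22644]: Failed password for illegal user test from 203.0.113.54 port 47958 ssh2
Sep 27 16:40:12 linux sshd[22650]: Failed password for keith from 192.0.2.10 port 51000 ssh2
Sep 27 16:40:20 linux sshd[22652]: Accepted password for keith from 192.0.2.10 port 51001 ssh2
"""

# Older sshd logs "illegal user"; newer releases say "invalid user". Match both.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+)"
    r" from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Addresses that must never be blocked (assumed: your own LAN / admin box).
TRUSTED = {"192.0.2.10"}

def tally_failures(log_text):
    """Count 'Failed password' lines per source address and note the accounts tried."""
    stats = defaultdict(lambda: {"count": 0, "root": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # disconnects, pam_smb noise, successful logins
        user, ip = m.groups()
        stats[ip]["count"] += 1
        stats[ip]["root"] += int(user == "root")  # severity: attempts on root
        stats[ip]["users"].add(user)
    return dict(stats)

def offenders(log_text, max_failures=5, max_root=3):
    """Addresses over the frequency (total) or severity (root) threshold, trusted ones excluded."""
    return sorted(
        ip for ip, s in tally_failures(log_text).items()
        if ip not in TRUSTED and (s["count"] >= max_failures or s["root"] >= max_root)
    )

def drop_rules(ips):
    """Render, but do not apply, one iptables rule per offending address."""
    return ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

Feed it `/var/log/secure` instead of SAMPLE_LOG and pipe the printed rules through a review step before running them as root.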

 
 
