[Intrusions] brute force attack - tcp wrappers and iptables not helping?
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
Fri Apr 22 15:11:40 GMT 2005
For the last year, there have been continual probes for open ssh ports.
They have not been subtle. It is not unusual to see several hundred
different root passwords being attempted on a single pass.
Most of the scans have been from the People's Republic of China including
the former colonies of Hong Kong and Macao, with the Republic of South
Korea and Brazil being next in the list of offenders. If you are covered
by ITAR, handling China is easy. Just block the entire CIDR block that
covers the IP address of the miscreant at your firewall.
On the systems in question, I suspect that you have sshd running and
sshd_config isn't configured with IP address restrictions. TCP wrappers
wouldn't necessarily be called.
Merton Campbell Crockett
On Thu, 21 Apr 2005, Susanne Hemker wrote:
> Hi everybody,
>
> somebody is trying to break into one of our workstations.
> The /var/log/secure contains lots of:
>
> Failed password for invalid user $name from ::ffff:$IP port $port
> ssh2
>
> from different IPs, ports and usernames.
>
> Since the tcp wrappers and the iptables should not allow ssh login from
>
> any host outside our lab, I am wondering how he/she even got to the
> login. Any suggestions?
>
> Thanks,
>
> Susanne
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
--
BEGIN: vcard
VERSION: 3.0
FN: Merton Campbell Crockett
ORG: General Dynamics Advanced Information Systems;
Intelligence and Exploitation Systems
N: Crockett;Merton;Campbell
EMAIL;TYPE=internet: mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref: +1(805)497-5045
TEL;TYPE=work,fax: +1(805)497-5050
TEL;TYPE=cell,voice,msg: +1(805)377-6762
END: vcard
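Added example (not part of the original thread or of any project mentioned in it): a small Python report over the kind of /var/log/secure lines Susanne quotes. It aggregates "Failed password" entries per source, unwraps the IPv4-mapped `::ffff:` form that a dual-stack sshd logs for IPv4 peers (so the addresses can be compared with IPv4 CIDRs from hosts.allow or iptables rules), and lists the sources that reached the password prompt despite lying outside an allow-list of lab networks, which is exactly the symptom the question describes. The log lines, host name, PIDs, and the allow-list CIDR are constructed for illustration; the function names are my own.

```python
"""Summarise sshd password-guessing from /var/log/secure-style lines."""
import ipaddress
import re
from collections import defaultdict

# sshd message format quoted in the thread (a syslog prefix may precede it):
#   Failed password for [invalid user] NAME from ADDR port PORT ssh2
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+) ssh2"
)


def normalize_source(addr):
    """Return the peer address in plain IPv4/IPv6 form.

    A dual-stack sshd listening on :: records IPv4 peers as IPv4-mapped
    IPv6 addresses (::ffff:a.b.c.d); unwrapping them lets the result be
    compared against IPv4 networks. Unparseable text is returned as-is so
    one odd line does not abort the whole report.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def summarize(lines):
    """Aggregate failed-password lines by (normalized) source address."""
    per_source = defaultdict(lambda: {"attempts": 0, "users": set(), "ports": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue  # accepted logins, other daemons, noise
        rec = per_source[normalize_source(m.group("addr"))]
        rec["attempts"] += 1
        rec["users"].add(m.group("user"))
        rec["ports"].add(int(m.group("port")))
    return dict(per_source)


def flag_sources(summary, threshold=5):
    """Sources with at least `threshold` failures, most active first."""
    hits = [(rec["attempts"], src) for src, rec in summary.items()
            if rec["attempts"] >= threshold]
    return [src for _, src in sorted(hits, reverse=True)]


def outside_allowed(summary, allowed_cidrs):
    """Sources that an allow-list of lab networks should have kept out.

    Anything listed here got as far as sshd's password prompt from outside
    the permitted networks, i.e. the firewall/wrapper policy is not being
    applied to the sshd listener.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    leaked = []
    for src in summary:
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            leaked.append(src)  # could not classify; surface it for a human
            continue
        if not any(ip in n for n in nets):
            leaked.append(src)
    return sorted(leaked)


# Constructed sample lines (hypothetical host, PIDs and documentation-range addresses).
SAMPLE_LINES = [
    "Apr 21 03:12:07 ws1 sshd[2137]: Failed password for invalid user admin from ::ffff:192.0.2.10 port 41233 ssh2",
    "Apr 21 03:12:09 ws1 sshd[2139]: Failed password for invalid user test from ::ffff:192.0.2.10 port 41240 ssh2",
    "Apr 21 03:12:11 ws1 sshd[2141]: Failed password for invalid user guest from ::ffff:192.0.2.10 port 41251 ssh2",
    "Apr 21 03:12:13 ws1 sshd[2143]: Failed password for root from ::ffff:192.0.2.10 port 41263 ssh2",
    "Apr 21 03:12:15 ws1 sshd[2145]: Failed password for root from ::ffff:192.0.2.10 port 41270 ssh2",
    "Apr 21 03:12:17 ws1 sshd[2147]: Failed password for root from ::ffff:192.0.2.10 port 41282 ssh2",
    "Apr 21 04:01:40 ws1 sshd[2301]: Failed password for invalid user oracle from ::ffff:198.51.100.7 port 50122 ssh2",
    "Apr 21 04:01:44 ws1 sshd[2303]: Failed password for invalid user oracle from 2001:db8:1::7 port 50130 ssh2",
    "Apr 21 08:30:02 ws1 sshd[2410]: Accepted publickey for susanne from 10.20.30.40 port 55012 ssh2",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for src in flag_sources(report, threshold=3):
        rec = report[src]
        print(f"{src}: {rec['attempts']} failures, users tried: {sorted(rec['users'])}")
    # Hypothetical lab allow-list; in practice take it from hosts.allow / the firewall rules.
    print("reached sshd from outside the lab:",
          outside_allowed(report, ["10.20.30.0/24", "2001:db8:1::/64"]))
```

On a real host, feed it `sys.stdin` or the opened log file instead of `SAMPLE_LINES`. If `outside_allowed` returns anything, the next thing to check is whether the running sshd is actually linked against libwrap (so hosts.allow applies to it at all) and whether the iptables rules you expect are loaded for the interface and address family the connections arrive on.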