Strange security log


Innominato
24-09-2005, 00:02
Here's part of the system log. Should I be worried?

Sep 20 07:44:46 localhost sshd[6731]: Did not receive identification string from ::ffff:200.55.216.151
Sep 20 07:49:38 localhost sshd[6732]: Failed password for root from ::ffff:200.55.216.151 port 56974 ssh2
Sep 20 07:49:44 localhost sshd[6734]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:49:47 localhost sshd[6734]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 58735 ssh2
Sep 20 07:49:54 localhost sshd[6736]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:49:57 localhost sshd[6736]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 60710 ssh2
Sep 20 07:50:02 localhost sshd[6738]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:50:05 localhost sshd[6738]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 34484 ssh2
Sep 20 07:50:10 localhost sshd[6740]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:50:13 localhost sshd[6740]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 35996 ssh2
Sep 20 07:50:20 localhost sshd[6742]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:50:22 localhost sshd[6742]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 37345 ssh2
Sep 20 07:50:27 localhost sshd[6744]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:50:30 localhost sshd[6744]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 39300 ssh2
Sep 20 07:50:35 localhost sshd[6746]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:50:38 localhost sshd[6746]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 40704 ssh2
Sep 20 07:50:43 localhost sshd[6748]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:50:46 localhost sshd[6748]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 42168 ssh2
Sep 20 07:50:52 localhost sshd[6750]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:50:55 localhost sshd[6750]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 43849 ssh2
Sep 20 07:51:01 localhost sshd[6752]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:51:04 localhost sshd[6752]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 45445 ssh2
Sep 20 07:51:09 localhost sshd[6754]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:51:12 localhost sshd[6754]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 47048 ssh2
Sep 20 07:51:17 localhost sshd[6756]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:51:20 localhost sshd[6756]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 48670 ssh2
Sep 20 07:51:25 localhost sshd[6758]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:51:28 localhost sshd[6758]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 50020 ssh2
Sep 20 07:51:33 localhost sshd[6760]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:51:36 localhost sshd[6760]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 51481 ssh2
Sep 20 07:51:42 localhost sshd[6762]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:51:45 localhost sshd[6762]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 52959 ssh2
Sep 20 07:51:51 localhost sshd[6764]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:51:53 localhost sshd[6764]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 54580 ssh2
Sep 20 07:51:59 localhost sshd[6766]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:52:02 localhost sshd[6766]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 56070 ssh2
Sep 20 07:52:07 localhost sshd[6768]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:52:10 localhost sshd[6768]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 57773 ssh2
Sep 20 07:52:16 localhost sshd[6770]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:52:18 localhost sshd[6770]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 59223 ssh2
Sep 20 07:52:23 localhost sshd[6772]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:52:25 localhost sshd[6772]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 60645 ssh2
Sep 20 07:52:33 localhost sshd[6774]: Illegal user admin from ::ffff:200.55.216.151
Sep 20 07:52:36 localhost sshd[6774]: Failed password for illegal user admin from ::ffff:200.55.216.151 port 33661 ssh2
Sep 20 09:35:00 localhost sshd[1672]: Received signal 15; terminating.
Sep 20 13:16:40 localhost sshd[1671]: Server listening on :: port 22.
Sep 20 13:16:40 localhost sshd[1671]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Sep 20 13:17:11 localhost kdm: :0[2021]: pam_succeed_if: requirement "uid < 100" not met by user "alberto"
Sep 23 20:10:43 localhost sshd[1671]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

Innominato
24-09-2005, 00:20
In the meantime I've disabled ssh.

LiLL0
24-09-2005, 10:51
They're automated port-scanning programs that try to get into various protocols (ssh, ftp, etc.) using common usernames and passwords.

Innominato
24-09-2005, 11:03
And what can be done about it?

stefanoxjx
24-09-2005, 11:24
I get endless files of attacks like these every day.
You'd need to find a way to tell iptables that after 3-4-5 access attempts from the same IP it should block it for x amount of time.
Unfortunately I haven't found one yet.
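
A defender-side check for exactly what this post asks for (count failures per source IP inside a time window, then produce block rules), written as an added example and not code from any poster in this thread: it parses sshd lines in the format of the log posted above, including the `::ffff:` IPv4-mapped prefix. The threshold of 5 failures in 60 seconds, the TEST-NET sample addresses and the `block_rules` output format are my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd failure lines in the posted log; "::ffff:" is the IPv4-mapped IPv6 prefix sshd logs on dual-stack hosts
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[\d.]+) port \d+"
)

def parse_failures(lines, year=2005):
    """Yield (timestamp, user, ip) per failed-password line; syslog lines carry no year, so one is supplied."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_bruteforcers(lines, threshold=5, window=60):
    """Return {ip: (time_flagged, total_failures)} for IPs with >= threshold failures inside a `window`-second span."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the sliding window
    totals = defaultdict(int)
    flagged = {}
    for ts, _user, ip in parse_failures(lines):
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return {ip: (flagged[ip], totals[ip]) for ip in flagged}

def block_rules(flagged, port=22):
    """Render one iptables DROP rule per flagged IP for review before applying (nothing is executed here)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(flagged)]

# Constructed sample in the same format as the posted log; TEST-NET addresses, not real hosts
SAMPLE_LOG = """\
Sep 20 07:49:38 localhost sshd[6732]: Failed password for root from ::ffff:203.0.113.7 port 56974 ssh2
Sep 20 07:49:44 localhost sshd[6734]: Illegal user admin from ::ffff:203.0.113.7
Sep 20 07:49:47 localhost sshd[6734]: Failed password for illegal user admin from ::ffff:203.0.113.7 port 58735 ssh2
Sep 20 07:49:57 localhost sshd[6736]: Failed password for illegal user admin from ::ffff:203.0.113.7 port 60710 ssh2
Sep 20 07:50:05 localhost sshd[6738]: Failed password for illegal user admin from ::ffff:203.0.113.7 port 34484 ssh2
Sep 20 07:50:13 localhost sshd[6740]: Failed password for illegal user admin from ::ffff:203.0.113.7 port 35996 ssh2
Sep 20 08:10:00 localhost sshd[6800]: Failed password for bob from ::ffff:198.51.100.9 port 40000 ssh2
Sep 20 08:20:00 localhost sshd[6801]: Failed password for bob from ::ffff:198.51.100.9 port 40001 ssh2
Sep 20 09:35:00 localhost sshd[1672]: Received signal 15; terminating.
""".splitlines()

if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG)
    print(hits, *block_rules(hits), sep="\n")
```

The second address only fails twice, ten minutes apart, so it stays below the threshold unless the window is widened; widening it is the trade-off between catching slow scanners and locking out a legitimate user who mistypes a password.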

riaw
24-09-2005, 15:35
> I get endless files of attacks like these every day.
> You'd need to find a way to tell iptables that after 3-4-5 access attempts from the same IP it should block it for x amount of time.
> Unfortunately I haven't found one yet.


tarpit?

stefanoxjx
24-09-2005, 16:21
> tarpit?

I've never heard of it; as soon as I have a moment I'll look into it.
Thanks.

riaw
24-09-2005, 16:30
> I've never heard of it; as soon as I have a moment I'll look into it.
> Thanks.

It's a module for iptables.
If I understood correctly, instead of using drop as the target you use tarpit, and the connection from that IP is left hanging for up to 30 minutes.
Ideal against anyone trying to run a port scan: it costs them a few days :)

_YTS_
24-09-2005, 16:44
nah....
don't use tarpit for ssh..
or these, but you could introduce a semi-DoS:

# Let packets belonging to already-established connections through
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Drop SSH packets from any source seen within the last 60 seconds (and refresh its timestamp)
iptables -A INPUT -p tcp --dport ssh -m recent --update --seconds 60 -j DROP
# Record the source of each accepted SSH connection attempt (SYN only)
iptables -A INPUT -p tcp --dport ssh --tcp-flags SYN,ACK,RST SYN -m recent --set -j ACCEPT

or a script like ssh_block, or one like this:

http://www.sikurezza.org/ml/06_05/msg00073.html

anyway my advice is to harden the sshd daemon... by which I mean disabling remote root login, the listening port and a few other interesting bits.

byez

_YTS_
24-09-2005, 20:38
this is what I meant to post...

http://www.pettingers.org/code/SSHBlack.html

I don't know if it works, but I think so.

bye

Al Azif
25-09-2005, 12:34
http://security.linux.com/article.pl?sid=05/09/15/1655234&from=rss

edivad82
25-09-2005, 12:44
using port knocking would also be enough ;)