|
|||||||
|
|
|
 |
|
|
Strumenti |
12-11-2004, 18:11
|
#1 |
|
Senior Member
Iscritto dal: Oct 2001
Città: Milano
Messaggi: 256
|
aiuto...ci stanno provando?
Ciao a tutti,
oggi guardando auth.log mi sono accorto che ci sono una miriade ti tentativi di login tramite ssh non andati a buon fine da utenti che non esistono...è qualcuno che ci sta provando? Mi sto sinceramente preoccupando perchè la cosa è iniziata 5 giorni fa e sta continuando... vi posto un pezzo del log... AIUTO!!! Codice:
Nov 7 20:09:17 master sshd[14684]: Invalid user admin from ::ffff:81.176.184.20 Nov 7 20:09:17 master sshd[14684]: error: Could not get shadow information for NOUSER Nov 7 20:09:17 master sshd[14684]: Failed password for invalid user admin from ::ffff:81.176.184.20 port 49515 ssh2 Nov 7 20:09:18 master sshd[14686]: Invalid user user from ::ffff:81.176.184.20 Nov 7 20:09:18 master sshd[14686]: error: Could not get shadow information for NOUSER Nov 7 20:09:18 master sshd[14686]: Failed password for invalid user user from ::ffff:81.176.184.20 port 49554 ssh2 Nov 7 20:09:19 master sshd[14688]: Failed password for root from ::ffff:81.176.184.20 port 49600 ssh2 Nov 7 20:09:20 master sshd[14690]: Failed password for root from ::ffff:81.176.184.20 port 49634 ssh2 Nov 7 20:09:21 master sshd[14692]: Failed password for root from ::ffff:81.176.184.20 port 49677 ssh2 Nov 7 20:09:22 master sshd[14694]: Invalid user test from ::ffff:81.176.184.20 Nov 7 20:09:22 master sshd[14694]: error: Could not get shadow information for NOUSER Nov 7 20:09:22 master sshd[14694]: Failed password for invalid user test from ::ffff:81.176.184.20 port 49717 ssh2 Nov 7 20:09:26 master sshd[14696]: Invalid user test from ::ffff:81.176.184.20 Nov 7 20:09:26 master sshd[14696]: error: Could not get shadow information for NOUSER Nov 7 20:09:26 master sshd[14696]: Failed password for invalid user test from ::ffff:81.176.184.20 port 49773 ssh2 Nov 7 20:09:27 master sshd[14698]: Invalid user test from ::ffff:81.176.184.20 Nov 7 20:09:27 master sshd[14698]: error: Could not get shadow information for NOUSER Nov 7 20:09:27 master sshd[14698]: Failed password for invalid user test from ::ffff:81.176.184.20 port 49926 ssh2 Nov 7 20:09:28 master sshd[14700]: Invalid user test from ::ffff:81.176.184.20 Nov 7 20:09:28 master sshd[14700]: error: Could not get shadow information for NOUSER Nov 7 20:09:28 master sshd[14700]: Failed password for invalid user test from ::ffff:81.176.184.20 port 49978 ssh2 Nov 7 20:09:29 master sshd[14702]: Failed password for root from ::ffff:81.176.184.20 port 50018 ssh2 Nov 7 20:09:30 master sshd[14704]: Failed password for root from ::ffff:81.176.184.20 port 50070 ssh2 Nov 7 20:09:31 master sshd[14706]: Failed password for root from ::ffff:81.176.184.20 port 50105 ssh2 Nov 7 20:09:41 master sshd[14708]: Failed password for root from ::ffff:81.176.184.20 port 50139 ssh2 Nov 7 21:25:13 master sshd[14723]: Invalid user test from ::ffff:81.176.184.20 Nov 7 21:25:13 master sshd[14723]: error: Could not get shadow information for NOUSER Nov 7 21:25:13 master sshd[14723]: Failed password for invalid user test from ::ffff:81.176.184.20 port 34701 ssh2 Nov 7 21:25:14 master sshd[14725]: Invalid user guest from ::ffff:81.176.184.20 Nov 7 21:25:14 master sshd[14725]: error: Could not get shadow information for NOUSER Nov 7 21:25:14 master sshd[14725]: Failed password for invalid user guest from ::ffff:81.176.184.20 port 34744 ssh2 Nov 7 21:25:15 master sshd[14727]: Invalid user admin from ::ffff:81.176.184.20 Nov 7 21:25:15 master sshd[14727]: error: Could not get shadow information for NOUSER Nov 7 21:25:15 master sshd[14727]: Failed password for invalid user admin from ::ffff:81.176.184.20 port 34797 ssh2 Nov 7 21:25:16 master sshd[14729]: Invalid user admin from ::ffff:81.176.184.20 Nov 7 21:25:16 master sshd[14729]: error: Could not get shadow information for NOUSER Nov 7 21:25:16 master sshd[14729]: Failed password for invalid user admin from ::ffff:81.176.184.20 port 34840 ssh2 Nov 7 21:25:18 master sshd[14731]: Invalid user user from ::ffff:81.176.184.20 Nov 7 21:25:18 master sshd[14731]: error: Could not get shadow information for NOUSER Nov 7 21:25:18 master sshd[14731]: Failed password for invalid user user from ::ffff:81.176.184.20 port 34888 ssh2 Nov 7 21:25:19 master sshd[14733]: Failed password for root from ::ffff:81.176.184.20 port 34951 ssh2 Nov 7 21:25:20 master sshd[14735]: Failed password for root from ::ffff:81.176.184.20 port 34987 ssh2 Nov 7 21:25:21 master sshd[14737]: Failed password for root from ::ffff:81.176.184.20 port 35019 ssh2 Nov 7 21:25:22 master sshd[14739]: Invalid user test from ::ffff:81.176.184.20 Nov 7 21:25:22 master sshd[14739]: error: Could not get shadow information for NOUSER Nov 7 21:25:22 master sshd[14739]: Failed password for invalid user test from ::ffff:81.176.184.20 port
__________________
|
|
|
|
12-11-2004, 18:57
|
#2 |
|
Senior Member
Iscritto dal: Dec 2000
Città: Trento
Messaggi: 5917
|
Anch'io ne ho tonnellate di log del genere....
Spero tu abbia disabilitato l'accesso da root tramite ssh e le password degli utenti normali siano "sicure"! Ciao!
__________________
Linux User #272700 >+++++++++[<+++++++++>-]<+.++.>++++[<---->-]<++.+++++++. HOWTO: SSH Firewall e DMZ ɐɹdosoʇʇos oʇuǝs ıɯ |
|
|
|
|
12-11-2004, 19:02
|
#3 |
|
Senior Member
Iscritto dal: Oct 2001
Città: Milano
Messaggi: 256
|
si per quello sono abbastanza tranquillo...da remoto root non si può collegare e gli users hanno una pass di almeno 8 char....nella norma direi...
speriamo bene!
__________________
|
|
|
|
|
12-11-2004, 19:33
|
#4 |
|
Senior Member
Iscritto dal: Apr 2000
Città: Roma
Messaggi: 15625
|
Decisamente, ci hanno provato E anche con una certa insistenza, direi. Forse con qualche script.
__________________
0: or %edi, %ecx; adc %eax, (%edx); popf; je 0b-22; pop %ebx; fadds 0x56(%ecx); lds 0x56(%ebx), %esp; mov %al, %al andeqs pc, r1, #147456; blpl 0xff8dd280; ldrgtb r4, [r6, #-472]; addgt r5, r8, r3, ror #12 |
|
|
|
|
12-11-2004, 19:54
|
#5 | |
|
Senior Member
Iscritto dal: Dec 2000
Città: Trento
Messaggi: 5917
|
Quote:
io ho circa una decina di macchine connesse in rete con accesso ssh (di solito o firewall o server vari che devo amministrare da remoto) e su tutte mi sono trovato log del genere... direi che sono script... di solito provano a loggarsi come: root, user, guest, admin ,test, nobody, patrick inoltre se provi a spostare la porta di ssh i vari "attacchi" si fermano (quindi presumo che se non trovano la 22 aperta nemmeno ci provano)... Mi sa che provo a farmi un bel port knocking cosi la 22 sembra sempre chiusa! Ciao!
__________________
Linux User #272700 >+++++++++[<+++++++++>-]<+.++.>++++[<---->-]<++.+++++++. HOWTO: SSH Firewall e DMZ ɐɹdosoʇʇos oʇuǝs ıɯ |
|
|
|
|
|
12-11-2004, 23:12
|
#6 |
|
Senior Member
Iscritto dal: Dec 2000
Città: Trento
Messaggi: 5917
|
Ho provato questo:
http://www.zeroflux.org/knock/ in questa maniera ad uno scan delle porte risulta che la 22 e' chiusa... ma basta bussare bene e la porta si apre (solo per l'ip che bussa! Mi sa che lo installo ovunque..... a meno di controindicazioni (ho dovuto cambiare un attimo il firewall... ma niente di drastico) gravi... Ciao!
__________________
Linux User #272700 >+++++++++[<+++++++++>-]<+.++.>++++[<---->-]<++.+++++++. HOWTO: SSH Firewall e DMZ ɐɹdosoʇʇos oʇuǝs ıɯ |
|
|
|
|
12-11-2004, 23:21
|
#7 |
|
Senior Member
Iscritto dal: Dec 2000
Città: Trento
Messaggi: 5917
|
Ecco cosa usano per provare a trovare server ssh con password "deboli":
http://www.k-otik.com/exploits/08202004.brutessh2.c.php Ciao!
__________________
Linux User #272700 >+++++++++[<+++++++++>-]<+.++.>++++[<---->-]<++.+++++++. HOWTO: SSH Firewall e DMZ ɐɹdosoʇʇos oʇuǝs ıɯ |
|
|
|
|
|
| Strumenti | |
|
|
Tutti gli orari sono GMT +1. Ora sono le: 20:38.
