Gentoo Forums
trap for an incoming ssh attack
Gentoo Forums Forum Index :: Gentoo Chat
Khumarahn
Apprentice
Joined: 17 Apr 2009
Posts: 199

PostPosted: Fri Feb 10, 2012 10:53 pm    Post subject: trap for an incoming ssh attack

I have a machine constantly under brute-force attack on ssh, like this in /var/log/messages:

Feb 10 14:40:48 officehost sshd[2832]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-39082;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:49 officehost sshd[2832]: Invalid user staff from 221.233.134.15
Feb 10 14:40:50 officehost sshd[2836]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-41050;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:51 officehost sshd[2836]: Invalid user sales from 221.233.134.15
Feb 10 14:40:52 officehost sshd[2856]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-43617;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:53 officehost sshd[2856]: Invalid user recruit from 221.233.134.15
Feb 10 14:40:54 officehost sshd[2861]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-44623;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:56 officehost sshd[2861]: Invalid user alias from 221.233.134.15
Feb 10 14:40:56 officehost sshd[2866]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-47579;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:58 officehost sshd[2866]: Invalid user office from 221.233.134.15
Feb 10 14:40:59 officehost sshd[2873]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-48171;Protocol: 2.0;Client: libssh-0.1


It does not bother me, but I am wondering if it is possible to allow the attack to go through to see what the attacker would do. And I would like to stay safe at the same time.

Does anybody do these things? How do I isolate the attacker in his own environment? Is it a violation of the attacker's privacy to describe on the web what he's trying to do on my computer?
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54096
Location: 56N 3W

PostPosted: Fri Feb 10, 2012 11:03 pm

Khumarahn,

Google for 'honeypot', which is what such a system is known as.

When you run a honeypot, you have a duty of care to the rest of the internet, so you must monitor your intruder carefully.
a) we don't want his spam
b) you don't want to be blacklisted

An intruder can get lots of use from a system without gaining root. A whois shows

Code:
whois 221.233.134.15
% [whois.apnic.net node-4]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        221.232.0.0 - 221.235.255.255
netname:        CHINANET-HB
descr:          CHINANET Hubei province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN


Unless you expect connections from 221.232.0.0/14 you might as well just DROP the whole network in your firewall.
Which leads to the question: why don't you set up your firewall to permit just some IP ranges?
i.e. it's forbidden unless it's expressly permitted.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
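The two options in the post above (DROP the whole 221.232.0.0/14 allocation, or go default-deny and permit only known ranges) can be checked before a rule touches a live firewall. The block below is an added example, not code from the thread, from NeddySeagoon or from Gentoo: it emulates first-match evaluation with Python's ipaddress module and renders the same policy as iptables commands. The /14 is the inetnum from the whois reply; the two "management" sources (203.0.113.0/24 and 198.51.100.7) are assumed placeholders from documentation address space, not anything the thread mentions.

```python
"""Added example: emulate a first-match SSH firewall policy and render it as
iptables commands. Not code from the thread; the allow ranges are assumed."""
import ipaddress

# Whole CHINANET-HB allocation from the whois reply (221.232.0.0 - 221.235.255.255).
DROP_NETS = [ipaddress.ip_network("221.232.0.0/14")]

# Assumed management sources allowed to reach sshd (documentation ranges, not from the thread).
ALLOW_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def decide(src, allow=ALLOW_NETS, drop=DROP_NETS, default="DROP"):
    """Verdict for one source address under first-match semantics:
    explicit ACCEPT ranges, then explicit DROP ranges, then the default.
    default="ACCEPT" is the 'just DROP that /14' option; default="DROP"
    is 'forbidden unless expressly permitted'."""
    ip = ipaddress.ip_address(src)
    for net in allow:
        if ip in net:
            return "ACCEPT"
    for net in drop:
        if ip in net:
            return "DROP"
    return default


def render_iptables(allow=ALLOW_NETS, drop=DROP_NETS, default="DROP", port=22):
    """Render the policy as iptables commands in the order decide() evaluates
    it, in a dedicated chain so only new SSH connections are affected."""
    rules = [
        "iptables -N SSH_IN",
        f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j SSH_IN",
    ]
    rules += [f"iptables -A SSH_IN -s {net} -j ACCEPT" for net in allow]
    rules += [f"iptables -A SSH_IN -s {net} -j DROP" for net in drop]
    rules.append(f"iptables -A SSH_IN -j {default}")
    return rules


def self_lockout(admin_src, **policy):
    """True if the policy would block the address you administer the box from."""
    return decide(admin_src, **policy) != "ACCEPT"


if __name__ == "__main__":
    for ip in ("221.233.134.15", "203.0.113.42", "8.8.8.8"):
        print(ip, decide(ip))
    print("\n".join(render_iptables()))
```

Run self_lockout() with the address you actually connect from before loading a default-deny ruleset; with default="DROP" the explicit /14 rule is redundant and only matters if the chain's last rule stays ACCEPT.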
Khumarahn
Apprentice
Joined: 17 Apr 2009
Posts: 199

PostPosted: Fri Feb 10, 2012 11:22 pm

Thank you :-)

Having to monitor the intruder makes things complicated, it seems... I cannot just block the internet for him - he won't do anything. Yet allowing him to fully use my internet connection may compromise my IP address... Maybe I should give him a traffic quota? ))

I don't use a firewall because the attacks don't bother me - I know about them, and only a couple of users with strong passwords are allowed to log in remotely.
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3256

PostPosted: Sat Feb 11, 2012 12:08 am

Try fail2ban.
_________________
emerge --quiet redefined | E17 vids: I, II | Now using kde5 | e is unstable :-/
Khumarahn
Apprentice
Joined: 17 Apr 2009
Posts: 199

PostPosted: Sat Feb 11, 2012 12:13 am

I use it already :-)

As I said, the attacks don't bother me (at all!)
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3256

PostPosted: Sat Feb 11, 2012 12:17 am

Khumarahn wrote:
I use it already :-)

As I said, the attacks don't bother me (at all!)
That's good. :)

The attacks might bother you when you won't be able to log in to your own machine because someone else is hammering away at it! Using fail2ban is good in this case because you can try a minute or two later and by then the attacks will have stopped.
_________________
emerge --quiet redefined | E17 vids: I, II | Now using kde5 | e is unstable :-/
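What fail2ban does with the sshd log in the first post, and why ppurka's "try a minute or two later" works, is the logic below: count authentication failures per source address inside a sliding findtime window and ban the address once maxretry is reached. This is an added example, not code from the thread, from fail2ban or from Gentoo. The thresholds (5 failures in 600 s) are an assumed configuration, since fail2ban's own defaults vary by version. The sample log is constructed in the format of the /var/log/messages excerpt above: the 221.233.134.15 lines are copied from the post, while 198.51.100.9 (a slow scanner) and 203.0.113.5 (a successful key login) are documentation addresses added to exercise the window.

```python
"""Added example: fail2ban-style brute-force detection over sshd syslog lines.
Not code from the thread or from fail2ban; thresholds and sample log are assumed."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample in the format of the /var/log/messages excerpt in the thread.
# The 221.233.134.15 lines are copied from the post; 198.51.100.9 and
# 203.0.113.5 are documentation addresses added to exercise the window logic.
SAMPLE_LOG = """\
Feb 10 14:20:00 officehost sshd[2701]: Failed password for root from 198.51.100.9 port 40001 ssh2
Feb 10 14:35:00 officehost sshd[2744]: Failed password for root from 198.51.100.9 port 40002 ssh2
Feb 10 14:40:48 officehost sshd[2832]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-39082;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:49 officehost sshd[2832]: Invalid user staff from 221.233.134.15
Feb 10 14:40:51 officehost sshd[2836]: Invalid user sales from 221.233.134.15
Feb 10 14:40:53 officehost sshd[2856]: Invalid user recruit from 221.233.134.15
Feb 10 14:40:56 officehost sshd[2861]: Invalid user alias from 221.233.134.15
Feb 10 14:40:58 officehost sshd[2866]: Invalid user office from 221.233.134.15
Feb 10 14:41:30 officehost sshd[2901]: Accepted publickey for alice from 203.0.113.5 port 50122 ssh2
Feb 10 14:52:00 officehost sshd[2950]: Invalid user test from 198.51.100.9
Feb 10 15:05:00 officehost sshd[2988]: Failed password for invalid user test from 198.51.100.9 port 40003 ssh2
Feb 10 15:20:00 officehost sshd[3012]: Failed password for root from 198.51.100.9 port 40004 ssh2
"""

# Two of the failure shapes OpenSSH logs; the version banner and "Accepted" lines do not match.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?\S+ from (?P<ip2>\S+) port \d+)"
)


def detect_bruteforce(log_text, maxretry=5, findtime=600, year=2012):
    """Sliding-window failure counting per source address.
    Returns (failures per IP, {ip: timestamp at which the ban would fire}).
    Syslog timestamps carry no year, so one is assumed (2012 matches the thread)."""
    failures = Counter()
    window = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        ip = m.group("ip1") or m.group("ip2")
        failures[ip] += 1
        recent = window[ip]
        recent.append(ts)
        # Forget failures older than findtime relative to this one.
        while (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxretry and ip not in bans:
            bans[ip] = ts
    return failures, bans


def ban_commands(bans):
    """The kind of rule a fail2ban iptables action inserts for each banned source."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    failures, bans = detect_bruteforce(SAMPLE_LOG)
    for ip, n in failures.items():
        print(f"{ip}: {n} failures, banned at {bans.get(ip)}")
    print("\n".join(ban_commands(bans)))
```

The fast scanner from the thread is banned on its fifth attempt, nine seconds after the first; the slow one spreads the same five failures over an hour and never trips a 600 s window, which is the trade-off behind findtime: widen it (the test below uses 3600 s) and slow scanners get caught, but a legitimate user who mistypes a password a few times over an afternoon is more likely to be locked out too.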