Khumarahn Apprentice
Joined: 17 Apr 2009 Posts: 199
Posted: Fri Feb 10, 2012 10:53 pm Post subject: trap for an incoming ssh attack
I have a machine constantly under brute force attack on ssh, like
/var/log/messages:
Feb 10 14:40:48 officehost sshd[2832]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-39082;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:49 officehost sshd[2832]: Invalid user staff from 221.233.134.15
Feb 10 14:40:50 officehost sshd[2836]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-41050;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:51 officehost sshd[2836]: Invalid user sales from 221.233.134.15
Feb 10 14:40:52 officehost sshd[2856]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-43617;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:53 officehost sshd[2856]: Invalid user recruit from 221.233.134.15
Feb 10 14:40:54 officehost sshd[2861]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-44623;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:56 officehost sshd[2861]: Invalid user alias from 221.233.134.15
Feb 10 14:40:56 officehost sshd[2866]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-47579;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:58 officehost sshd[2866]: Invalid user office from 221.233.134.15
Feb 10 14:40:59 officehost sshd[2873]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-48171;Protocol: 2.0;Client: libssh-0.1
It does not bother me, but I am wondering if it is possible to allow the attack to go through to see what the attacker would do. And I would like to stay safe at the same time.
Does anybody do these things? How do I isolate the attacker in his own environment? Is it a violation of the attacker's privacy to describe on the web what he's trying to do on my computer?
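The log excerpt above is exactly the input a tool like fail2ban works from: count failed logins per source address inside a time window, and ban the source for a while once a threshold is reached. The Python below is an added example, not code from the thread or from fail2ban itself, that parses "Invalid user" lines in this syslog format and replays them through such a rule. The five "Invalid user" lines from the post are used as input; the later lines from 221.233.134.15 and the two from 198.51.100.7 are constructed, as are the thresholds (5 failures within 600 s, 600 s ban) and the year 2012 supplied for the year-less syslog timestamps.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. The first six lines are copied from the post; the
# remaining four (a seventh attempt from the same source right after the
# threshold, one after the ban expires, and two from a second, low-rate
# source) are constructed to exercise the ban logic. PIDs on those lines
# are made up.
SAMPLE_LOG = """\
Feb 10 14:40:48 officehost sshd[2832]: SSH: Server;Ltype: Version;Remote: 221.233.134.15-39082;Protocol: 2.0;Client: libssh-0.1
Feb 10 14:40:49 officehost sshd[2832]: Invalid user staff from 221.233.134.15
Feb 10 14:40:51 officehost sshd[2836]: Invalid user sales from 221.233.134.15
Feb 10 14:40:53 officehost sshd[2856]: Invalid user recruit from 221.233.134.15
Feb 10 14:40:56 officehost sshd[2861]: Invalid user alias from 221.233.134.15
Feb 10 14:40:58 officehost sshd[2866]: Invalid user office from 221.233.134.15
Feb 10 14:41:05 officehost sshd[2880]: Invalid user test from 221.233.134.15
Feb 10 14:52:10 officehost sshd[2990]: Invalid user root2 from 221.233.134.15
Feb 10 14:41:30 officehost sshd[2901]: Invalid user admin from 198.51.100.7
Feb 10 14:43:00 officehost sshd[2950]: Invalid user guest from 198.51.100.7
"""

# Assumed thresholds, in the spirit of fail2ban's findtime/maxretry/bantime.
FINDTIME = timedelta(seconds=600)   # window in which failures are counted
MAXRETRY = 5                        # failures within FINDTIME that trigger a ban
BANTIME = timedelta(seconds=600)    # how long the source stays banned

# Syslog prefix, host, sshd[pid], then the "Invalid user X from IP" message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_invalid_user_events(text, year=2012):
    """Return a list of (timestamp, ip, user) for every 'Invalid user' line.

    Syslog timestamps carry no year, so the caller supplies one (the post is
    from February 2012). Other sshd lines, such as the version exchange, are
    skipped because they do not match LINE_RE.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def simulate_bans(events, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay events through a fail2ban-style sliding-window counter.

    Returns (bans, blocked): bans maps ip -> list of (start, end) ban
    intervals; blocked maps ip -> number of attempts that arrived while the
    source was banned (with a real firewall ban those lines would never have
    been logged, since the packets are dropped).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> datetime at which the ban expires
    bans = defaultdict(list)
    blocked = defaultdict(int)
    for ts, ip, _user in sorted(events):
        if ip in banned_until and ts < banned_until[ip]:
            blocked[ip] += 1
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:   # drop stale failures
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans[ip].append((ts, ts + bantime))
            window.clear()   # a new ban needs a fresh run of failures
    return dict(bans), dict(blocked)


if __name__ == "__main__":
    bans, blocked = simulate_bans(parse_invalid_user_events(SAMPLE_LOG))
    for ip, intervals in bans.items():
        for start, end in intervals:
            print(f"{ip}: banned {start:%H:%M:%S} until {end:%H:%M:%S}, "
                  f"{blocked.get(ip, 0)} further attempt(s) dropped")
```

With the sample, 221.233.134.15 hits five failures at 14:40:58 and is banned until 14:50:58; its 14:41:05 attempt is counted as dropped, and the 14:52:10 attempt starts a fresh count. 198.51.100.7 never reaches the threshold. This is also why, as a later reply in the thread notes, a legitimate user locked out by the same rule only has to wait for the ban to expire.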
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54096 Location: 56N 3W
Posted: Fri Feb 10, 2012 11:03 pm Post subject:
Khumarahn,
Google for 'honeypot', which is what such a system is known as.
When you run a honeypot, you have a duty of care to the rest of the internet, so you must monitor your intruder carefully.
a) we don't want his spam
b) you don't want to be blacklisted
An intruder can get lots of use from a system without gaining root. A whois shows
Code:
whois 221.233.134.15
% [whois.apnic.net node-4]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 221.232.0.0 - 221.235.255.255
netname: CHINANET-HB
descr: CHINANET Hubei province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
Unless you expect connections from 221.232.0.0/14 you might as well just DROP the whole network in your firewall.
Which leads to the question: why don't you set up your firewall to permit just some IP ranges?
i.e. it's forbidden unless it's expressly permitted.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
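NeddySeagoon's reply gives two firewall options: drop the attacker's whole allocation, or go default-deny and permit only known source ranges. The Python below is an added example, not code from the thread or from any Gentoo tool, that uses the standard ipaddress module to confirm the whois inetnum really is the /14 quoted, renders the iptables rules for each option, and evaluates what each policy would do to a given source address. The permitted ranges (203.0.113.0/24 and 198.51.100.42) and the test addresses are constructed placeholders from documentation space; the chain name SSH_IN is likewise an assumption.

```python
import ipaddress

# Allocation from the whois output in the thread (the inetnum line).
APNIC_INETNUM = ("221.232.0.0", "221.235.255.255")
# Constructed placeholders (RFC 5737 documentation space) standing in for the
# ranges an admin would actually permit: an office network and one home address.
ALLOWED_SSH_SOURCES = ["203.0.113.0/24", "198.51.100.42/32"]


def inetnum_to_cidrs(start, end):
    """Convert a whois inetnum range into the minimal list of CIDR blocks.

    Lets you confirm a claim such as '221.232.0.0 - 221.235.255.255 is a /14'
    before typing it into a firewall rule.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def render_rules(mode, allowed=ALLOWED_SSH_SOURCES, dropped=None):
    """Render iptables commands for one of the two options.

    'blocklist': default accept, drop the listed networks.
    'allowlist': default drop, accept only the listed sources.
    New SSH connections are diverted into a dedicated SSH_IN chain (an assumed
    name) so the rest of INPUT is left alone.
    """
    if dropped is None:
        dropped = inetnum_to_cidrs(*APNIC_INETNUM)
    rules = [
        "iptables -N SSH_IN",
        "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN",
    ]
    if mode == "blocklist":
        rules += [f"iptables -A SSH_IN -s {net} -j DROP" for net in dropped]
        rules.append("iptables -A SSH_IN -j RETURN")   # back to the rest of INPUT
    elif mode == "allowlist":
        rules += [f"iptables -A SSH_IN -s {net} -j ACCEPT" for net in allowed]
        rules.append("iptables -A SSH_IN -j DROP")     # forbidden unless expressly permitted
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return rules


def ssh_verdict(src, mode, allowed=ALLOWED_SSH_SOURCES, dropped=None):
    """Evaluate a new SSH connection from src under the policy render_rules emits."""
    if dropped is None:
        dropped = inetnum_to_cidrs(*APNIC_INETNUM)
    addr = ipaddress.ip_address(src)
    if mode == "blocklist":
        if any(addr in ipaddress.ip_network(net) for net in dropped):
            return "DROP"
        return "ACCEPT"   # RETURN to INPUT; assumes INPUT otherwise accepts port 22
    if mode == "allowlist":
        if any(addr in ipaddress.ip_network(net) for net in allowed):
            return "ACCEPT"
        return "DROP"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print("whois range as CIDR:", inetnum_to_cidrs(*APNIC_INETNUM))
    for mode in ("blocklist", "allowlist"):
        print(f"\n# {mode}")
        print("\n".join(render_rules(mode)))
        for src in ("221.233.134.15", "192.0.2.9", "203.0.113.77"):
            print(f"# {src:>15} -> {ssh_verdict(src, mode)}")
```

The difference between the two options shows up with an address that is neither on the allow list nor inside the dropped /14 (192.0.2.9 in the example): the blocklist lets it through, the allowlist drops it. The allowlist needs no knowledge of where the next brute-forcer will come from, which is the point of "forbidden unless expressly permitted".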
Khumarahn Apprentice
Joined: 17 Apr 2009 Posts: 199
Posted: Fri Feb 10, 2012 11:22 pm Post subject:
Thank you.
Having to monitor the intruder makes things complicated, it seems... I cannot just block the internet for him - he won't do anything. Yet allowing him to fully use my internet connection may compromise my IP address... Maybe I should give him a traffic quota? ))
I don't do a firewall because the attacks don't bother me - I know about them, and only a couple of users with strong passwords are allowed to log in remotely.
ppurka Advocate
Joined: 26 Dec 2004 Posts: 3256
Posted: Sat Feb 11, 2012 12:08 am Post subject:
Try fail2ban.
_________________
emerge --quiet redefined | E17 vids: I, II | Now using kde5 | e is unstable :-/
Khumarahn Apprentice
Joined: 17 Apr 2009 Posts: 199
Posted: Sat Feb 11, 2012 12:13 am Post subject:
I use it already.
As I said, the attacks don't bother me (at all!)
ppurka Advocate
Joined: 26 Dec 2004 Posts: 3256
Posted: Sat Feb 11, 2012 12:17 am Post subject:
Khumarahn wrote:
> I use it already.
> As I said, the attacks don't bother me (at all!)
That's good.
The attacks might bother you when you won't be able to log in to your own machine because someone else is hammering it away! Using fail2ban is good in this case because you can try a minute or two later and by then the attacks will have stopped.
_________________
emerge --quiet redefined | E17 vids: I, II | Now using kde5 | e is unstable :-/