SSH brute force attack? - Networking
SSH brute force attack?
I'm getting this in my logs. No other explanation.
SSH_brute_force IN=bond0 OUT=
MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0
-
Re: SSH brute force attack?
On Sat, 29 Dec 2007 19:03:44 -0000, CptDondo wrote:
> I'm getting this in my logs. No other explanation.
>
> SSH_brute_force IN=bond0 OUT=
> MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
> DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
> SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0
My WAG: some script has decided that IP address 213.220.192.239
(r3a239.net.upc.cz) has hit your ssh port 22 enough times in X amount
of time, which might indicate it is trying to guess the password for an
account on the 192.168.128.6 node.
Hence the brute_force name.
-
Re: SSH brute force attack?
CptDondo wrote:
> I'm getting this in my logs. No other explanation.
>
> SSH_brute_force IN=bond0 OUT=
> MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
> DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
> SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0
From the results of a 'whois' command:
remarks: **********************************************
remarks: * In case of hack attacks, scans etc. please *
remarks: * send abuse notifications to: *
remarks: * abuse@mistral.cz *
remarks: **********************************************
--
Garry Knight
garryknight@gmx.net
-
Re: SSH brute force attack?
CptDondo wrote:
> I'm getting this in my logs. No other explanation.
>
> SSH_brute_force IN=bond0 OUT=
> MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
> DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
> SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0
May I recommend installing "denyhosts"? It will keep an eye on, for
example, SSH brute force attacks, and add those IPs to a blacklist
(hosts.deny) after, for example, 5 failed login attempts.
If Ubuntu Linux, it's as simple as "apt-get install denyhosts" - it comes
preconfigured for SSH brute force.
- Henrik
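The two replies above describe the same detection rule from two angles: the firewall log prefix means a source hit port 22 "enough times in X amount of time", and denyhosts blacklists a source after N failed sshd logins. The script below is an added example, not code from the thread or from the denyhosts project. It parses netfilter LOG lines of the exact shape the poster quoted (hostname "gw", the extra timestamps, and the second source 198.51.100.7 are constructed), parses sshd "Failed password" lines (hostname "srv", PIDs and the slow 10.0.0.5 source are constructed), feeds both through one per-IP sliding-window counter, and renders the result as hosts.deny entries. The firewall scan counts every logged TCP packet to port 22, which is what the poster's rule appears to do; the quoted packet has ACK set and no SYN, so it belongs to an already established connection, and a rule that only counts new connections is the stricter choice.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# netfilter LOG target line: "Dec 29 19:03:44 host kernel: <prefix> IN=... OUT=... SRC=... ..."
FW_LINE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) (?P<rest>.*)")
# sshd failure: "... sshd[123]: Failed password for invalid user admin from 1.2.3.4 port 5 ssh2"
SSHD_FAIL = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_ts(text, year=2007):
    """Syslog timestamps carry no year; the thread is from Dec 2007, so assume that."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_netfilter_fields(rest):
    """'IN=bond0 OUT= SRC=... DF ... ACK URGP=0' -> dict. Bare tokens (DF, SYN, ACK)
    are flags and become True; 'OUT=' becomes an empty string, as in the log."""
    fields = {}
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


class BruteForceDetector:
    """Flag a source the first time it produces `threshold` events within `window_seconds`
    (per-IP sliding window; events older than the window are evicted on each new event)."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.events = defaultdict(deque)   # ip -> timestamps still inside the window
        self.flagged = {}                  # ip -> timestamp at which it crossed the threshold

    def observe(self, ip, ts):
        q = self.events[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window_seconds:
            q.popleft()
        if len(q) >= self.threshold and ip not in self.flagged:
            self.flagged[ip] = ts
            return True
        return False


def scan_firewall_log(text, detector):
    """Count every logged TCP packet to port 22 per source; return IPs flagged, in order."""
    flagged = []
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        f = parse_netfilter_fields(m["rest"])
        if f.get("PROTO") != "TCP" or f.get("DPT") != "22":
            continue
        if detector.observe(f["SRC"], parse_ts(m["ts"])):
            flagged.append(f["SRC"])
    return flagged


def scan_sshd_log(text, detector):
    """Count sshd 'Failed password' lines per source (what denyhosts watches)."""
    flagged = []
    for line in text.splitlines():
        m = SSHD_FAIL.match(line)
        if m and detector.observe(m["ip"], parse_ts(m["ts"])):
            flagged.append(m["ip"])
    return flagged


def hosts_deny_entries(ips):
    """TCP-wrappers lines of the form denyhosts appends to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]


# Constructed sample logs. The first firewall line is the poster's; the rest vary only
# the timestamp, source port and (for one line) the source address.
_FW = ("Dec 29 {ts} gw kernel: SSH_brute_force IN=bond0 OUT= "
       "MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC={src} DST=192.168.128.6 "
       "LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP SPT={spt} DPT=22 "
       "WINDOW=8184 RES=0x00 ACK URGP=0")
SAMPLE_FIREWALL_LOG = "\n".join(
    [_FW.format(ts=f"19:03:{s}", src="213.220.192.239", spt=36939 + i)
     for i, s in enumerate(("44", "46", "48", "50", "52"))]
    + [_FW.format(ts="19:03:55", src="198.51.100.7", spt=41000)])   # single hit, never flagged

_SSHD = "Dec 29 {ts} srv sshd[{pid}]: Failed password for {user} from {ip} port {port} ssh2"
SAMPLE_SSHD_LOG = "\n".join([
    _SSHD.format(ts="19:00:00", pid=4001, user="root", ip="10.0.0.5", port=50001),
    _SSHD.format(ts="19:03:00", pid=4002, user="root", ip="10.0.0.5", port=50002),
    _SSHD.format(ts="19:04:01", pid=4101, user="invalid user admin", ip="213.220.192.239", port=36945),
    _SSHD.format(ts="19:04:03", pid=4102, user="invalid user admin", ip="213.220.192.239", port=36946),
    _SSHD.format(ts="19:04:05", pid=4103, user="invalid user test", ip="213.220.192.239", port=36947),
    _SSHD.format(ts="19:04:07", pid=4104, user="root", ip="213.220.192.239", port=36948),
    _SSHD.format(ts="19:04:09", pid=4105, user="root", ip="213.220.192.239", port=36949),
    _SSHD.format(ts="19:06:00", pid=4003, user="root", ip="10.0.0.5", port=50003),
    _SSHD.format(ts="19:09:00", pid=4004, user="root", ip="10.0.0.5", port=50004),
    _SSHD.format(ts="19:12:00", pid=4005, user="root", ip="10.0.0.5", port=50005),  # slow: 5 in 12 min
])

if __name__ == "__main__":
    fw = scan_firewall_log(SAMPLE_FIREWALL_LOG, BruteForceDetector(5, 60))
    ssh = scan_sshd_log(SAMPLE_SSHD_LOG, BruteForceDetector(5, 60))
    print("firewall:", fw, "sshd:", ssh)
    print("\n".join(hosts_deny_entries(sorted(set(fw) | set(ssh)))))
```

The window matters as much as the threshold: with a 60-second window the 10.0.0.5 source, which fails once every three minutes, is never flagged, while a 15-minute window catches it; a slow guesser is the usual way to sit under a threshold like "5 in a minute". Counting `Failed password` lines is also the more specific signal, since the firewall rule counts packets, not authentication attempts.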