#1
In my /var/log/messages I have a lot (6000+) of:

Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92

What is it? Do I need to write to something like abuse@72.3.243.92?
#2
repo@cannabis:~$ whois 72.3.243.92 | grep abuse
RAbuseEmail: abuse@rackspace.com
OrgAbuseEmail: abuse@rackspace.com
repo@cannabis:~$

* gtu2003@alice.it wrote:
> In my /var/log/messages I have a lot (6000+) of:
>
> Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
> Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
> Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
> Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
> Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
> Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
> Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
> Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
> Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
> Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
> Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92
>
> what is it? I need to write to something like abuse@72.3.243.92 ?

--
Chaos, panic & disorder - my work here is done
http://beginnerslinux.org
#3
Hello,

On Wednesday 16 July 2008 gtu2003@alice.it wrote to All:

gt> In my /var/log/messages I have a lot (6000+) of:
gt> Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from
gt> what is it? I need to write to something like abuse@72.3.243.92
gt> ?

Obviously somebody is trying to force an ssh login on your machine, no doubt with the purpose of doing something nasty.

Disconnect your system from the internet immediately, at once and now, until you are ready!

I doubt if writing to abuse@72.3.243.92 will have any effect. Most likely he is the same as the culprit.

Check your log files to see if anybody got in already.

Run a rootkit checker to see if any harm was done. If there was any, best format that partition and do a fresh install. Don't use your backups, because you don't know if they have been infected.

Switch off your sshd server if you don't really need it.

In /etc/hosts.deny put a line like

    ALL: ALL

to stop access to all services for everybody.

Put a line in /etc/hosts.allow like

    ALL: 192.168.178.0/255.255.255.0, 127.0.0.0/255.0.0.0

to allow for addresses on your local network (obviously you have to put your own addresses there).

Add lines to your iptables like

    iptables -A INPUT -p tcp --dport 22 -j DROP
    iptables -A INPUT -p udp --dport 22 -j DROP

to stop all external access to tcp and udp ports 22 (ssh).

When you're satisfied that everything is all right, connect to the internet again.

Good luck!

Regards,
Hans.

jdh punt beekhuizen bij duinheks punt nl
#4
gtu2003@alice.it writes:

>In my /var/log/messages I have a lot (6000+) of:

>Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
>Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
>Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
>Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
>Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
>Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
>Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
>Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
>Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
>Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
>Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92

There are ssh password attacks on your system -- trying to see if any of your users (or any users) have weak passwords.

Ban this IP address from your system by placing the address into a line like

    sshd: 72.3.243.92 :deny

Do that before any sshd line giving universal permission, and after a line giving special sites permission.

    sshd: 199.99.99.99 199.222.111. :allow
    sshd: 72.3.243.92 :deny
    sshd: ALL :allow

This allows anyone from 199.99.99.99 and from the network 199.222.111.0 to 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone else. This is to make sure that no one from your special list accidentally ends up in the deny line (it is always the first line which matches which applies).

>what is it? I need to write to something like abuse@72.3.243.92 ?

You can try. It probably will not do any good. I now have 140 IP addresses in my hosts.allow file who are banned from my site for behaviour like this.
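The ordering rule in the post above (the specific allow first, the deny next, the catch-all last, first match wins) is easy to get backwards. The following is an added example, not tcp_wrappers code and not from anyone in this thread: a small Python evaluator that mimics how tcpd walks hosts.allow and then hosts.deny, so the two orderings can be compared offline. It understands only the pattern forms that appear in the thread (ALL, an exact IPv4 address, a trailing-dot network prefix such as 199.222.111., and net/mask such as 192.168.178.0/255.255.255.0); hostname patterns, EXCEPT and spawn options are left out, which is an assumption made to keep it short.

```python
# Added example (not tcp_wrappers code): emulate the hosts.allow/hosts.deny
# lookup order so the effect of putting "sshd: 72.3.243.92 :deny" before or
# after "sshd: ALL :allow" can be checked. Only the pattern forms used in the
# thread are supported (assumption): ALL, exact IPv4, trailing-dot prefix,
# and net/mask. Hostnames, EXCEPT and spawn options are not handled.
import ipaddress


def client_matches(pattern, client_ip):
    """Does one client pattern from hosts.allow/hosts.deny match this address?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "199.222.111." = network prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                             # "192.168.178.0/255.255.255.0"
        net = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(client_ip) in net
    return pattern == client_ip                    # exact address


def parse_rules(text):
    """Turn file text into (daemons, clients, action) triples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split() if len(fields) > 1 else []
        options = [f.lower() for f in fields[2:]]
        # an explicit ":allow" / ":deny" option overrides the file's own meaning
        action = "deny" if "deny" in options else "allow" if "allow" in options else None
        rules.append((daemons, clients, action))
    return rules


def decide(allow_text, deny_text, daemon, client_ip):
    """Emulate tcpd: hosts.allow first, then hosts.deny, first match wins,
    and no match in either file means access is granted."""
    for file_default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, action in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(c, client_ip) for c in clients
            ):
                return action or file_default
    return "allow"


# Unruh's ordering: specific allow, then the deny, then everyone else.
GOOD_ALLOW = """\
sshd: 199.99.99.99 199.222.111. :allow
sshd: 72.3.243.92 :deny
sshd: ALL :allow
"""

# Same lines with the deny after the catch-all: the deny is never reached.
BAD_ALLOW = """\
sshd: ALL :allow
sshd: 72.3.243.92 :deny
"""

# Hans's variant: default-deny in hosts.deny, LAN and loopback in hosts.allow.
HANS_ALLOW = "ALL: 192.168.178.0/255.255.255.0, 127.0.0.0/255.0.0.0\n"
HANS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for label, allow, deny in (("good", GOOD_ALLOW, ""), ("bad", BAD_ALLOW, ""),
                               ("hans", HANS_ALLOW, HANS_DENY)):
        for ip in ("72.3.243.92", "199.222.111.7", "192.168.178.20"):
            print(f"{label:5} sshd from {ip:15} -> {decide(allow, deny, 'sshd', ip)}")
```

Running it shows the point of the post: with the deny line placed after `sshd: ALL :allow`, 72.3.243.92 is still let in, because the catch-all matched first.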
#5
"Johannes Beekhuizen" wrote:
>Hello,
>On Wednesday 16 July 2008 gtu2003@alice.it wrote to All:
> gt> In my /var/log/messages I have a lot (6000+) of:
> gt> Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from
> gt> what is it? I need to write to something like abuse@72.3.243.92
> gt> ?

>Obviously somebody is trying to force an ssh login on your machine, no
>doubt with the purpose of doing something nasty.
>Disconnect your system from the internet immediately, at once and now
>until you are ready!

And "ready" means what? How should he be "ready"? He cannot prevent such sshd attacks. They are common.

>I doubt if writing to abuse@72.3.243.92 will have any effect. Most
>likely he is the same as the culprit.
>Check your log files to see if anybody got in already.
>Run a rootkit checker to see if any harm was done. If there was any,
>best format that partition and do a fresh install. Don't use your
>backups, because you don't know if they have been infected.
>Switch off your sshd server if you don't really need it.
>In /etc/hosts.deny put a line like
>ALL: ALL
>to stop access to all services for everybody.
>Put a line in /etc/hosts.allow like
>ALL: 192.168.178.0/255.255.255.0, 127.0.0.0/255.0.0.0
>to allow for addresses on your local network (obviously you have to
>put your own addresses there).
>Add lines to your iptables like
>iptables -A INPUT -p tcp --dport 22 -j DROP
>iptables -A INPUT -p udp --dport 22 -j DROP
>to stop all external access to tcp and udp ports 22 (ssh).
>When you're satisfied that everything is all right, connect to the
>internet again.

And if he actually needs ssh? This is just silly advice in general. ssh is one of the most secure ways of connecting in to a machine. IF he never intends to connect in from outside, then of course switch off ssh. But if he ever travels, that is a bad idea.
#6
On Wed, 16 Jul 2008 14:39:30 GMT, Unruh wrote:
> There are ssh password attacks on your system-- trying to see if any of
> your users ( or any users) have weak passwords.
> Ban this IP address from your system by placing the address into a line
> like
>
> sshd: 72.3.243.92 :deny
>
> Do that before any sshd line giving universal permission, and after a line
> giving special sites permission.
>
> sshd: 199.99.99.99 199.222.111. :allow
> sshd: 72.3.243.92 :deny
> sshd: ALL :allow
>
> This allows anyone from 199.99.99.99 and from the network 199.222.111.0 to
> 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone else.
> This is to make sure that noone accidentally from your special list ends up
> in the deny line ( it is always the first line which matches which applies)

And for anyone wondering where those lines might go, it would be in /etc/hosts.allow if tcpwrappers is installed.

If using /etc/hosts.allow, I'll recommend creating /etc/hosts.deny with

    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!

    ALL: ALL:\
        spawn ( \
            /bin/echo -e "\n\
            TCP Wrappers\: Connection Refused\n\
            By\: $(uname -n)\n\
            Process\: %d (pid %p)\n\
            \n\
            User\: %u\n\
            Host\: %c\n\
            Date\: $(date)\n\
            " | /bin/mail -s \"$(uname -n)\" root ) & : DENY

    #*********************** end host.deny ********************************

That will email root with a message about attempts which get by hosts.allow.
#7
Unruh wrote:
> gtu2003@alice.it writes:
>
>>In my /var/log/messages I have a lot (6000+) of:
>
>>Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
>>Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
>>Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
>>Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
>>Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
>>Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
>>Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
>>Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
>>Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
>>Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
>>Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92
>
> There are ssh password attacks on your system-- trying to see if any of
> your users ( or any users) have weak passwords.
> Ban this IP address from your system by placing the address into a line
> like
>
> sshd: 72.3.243.92 :deny
>
> Do that before any sshd line giving universal permission, and after a line
> giving special sites permission.
>
> sshd: 199.99.99.99 199.222.111. :allow
> sshd: 72.3.243.92 :deny
> sshd: ALL :allow
>
> This allows anyone from 199.99.99.99 and from the network 199.222.111.0
> to 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone
> else. This is to make sure that noone accidentally from your special list
> ends up in the deny line ( it is always the first line which matches which
> applies)
>
>>what is it? I need to write to something like abuse@72.3.243.92 ?
>
> You can try. It probably will not do any good. I now have 140 IP addresses
> in my hosts.allow file who are banned from my site for behaviour like
> this.

Thank you very much.

Does someone know a simple script that does the following:
* watch the logs
* if there are a lot of invalid accesses from an IP, block only that IP for an hour
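The two-line wish list above (watch the logs, block a noisy address for an hour) is exactly what the tools recommended later in the thread do. The following is an added example, not the code of DenyHosts, sshguard or fail2ban and not from anyone in this thread: the core of such a watcher in Python, run over a constructed copy of the sshd lines from the first post. It counts failed-login indicators per source address, bans an address for one hour once it reaches a threshold inside a short window, and emits the iptables lines an administrator would run. The threshold (5), the window (10 minutes) and the year (2008, because syslog lines carry no year) are assumptions.

```python
# Added example (not DenyHosts, sshguard or fail2ban code): the log-watching
# logic the poster asks for. Threshold, window and the year 2008 are
# assumptions; syslog timestamps have no year, so one must be supplied.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Invalid user X from IP" lines in the thread and the related
# "Failed password for [invalid user] X from IP" lines sshd also writes.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(lines, year=2008):
    """Yield (timestamp, source_ip) for every failed-login indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_offenders(lines, threshold=5, window=timedelta(minutes=10),
                   ban=timedelta(hours=1)):
    """Return {ip: ban_expiry} for addresses that reach `threshold` failures
    within `window`. Events that arrive while an address is already banned
    are ignored (the firewall would have dropped them anyway)."""
    recent = defaultdict(list)
    bans = {}
    for ts, ip in sorted(parse(lines)):
        if ip in bans and ts < bans[ip]:
            continue
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(hits) >= threshold:
            bans[ip] = ts + ban
            hits = []                     # count afresh once the ban expires
        recent[ip] = hits
    return bans


def iptables_commands(bans):
    """Rules to insert now; a cron/at job runs the matching -D at expiry."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP  # until {until:%Y-%m-%d %H:%M:%S}"
        for ip, until in sorted(bans.items())
    ]


# Constructed sample: the poster's lines, plus one unrelated failure and one
# successful key login that must not count.
SAMPLE_LOG = """\
Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
Jul 16 12:52:02 sole sshd[6690]: Failed password for root from 10.0.0.5 port 51234 ssh2
Jul 16 12:53:11 sole sshd[6695]: Accepted publickey for alice from 10.0.0.7 port 51240 ssh2
""".splitlines()

if __name__ == "__main__":
    for cmd in iptables_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

On the sample, 72.3.243.92 reaches five failures at 12:51:27 and is banned until 13:51:27; the single failure from 10.0.0.5 stays below the threshold. A real deployment would tail the log continuously and keep the ban list somewhere a restart does not lose it, which the tools named later in the thread take care of.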
#8
gtu2003@alice.it wrote:
| Thank you very much. Someone know a simple script that do the follow:
| * watch in the logs
| * if there is a lot of invalid access from an Ip it block only this ip for an hour

What is DenyHosts?

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

http://denyhosts.sourceforge.net/

--
Regards
Alo [alo(@)uk2.net]
PGP at http://pgp.eteo.mondragon.edu [Get "0xF6695A61"]
Registered Linux user #276144 [http://counter.li.org]
#9
On Fri, 18 Jul 2008 21:28:11 +0200, gtu2003 wrote:
> Thank you very much. Someone know a simple script that do the follow:
> * watch in the logs
> * if there is a lot of invalid access from an Ip it block only this ip
> for an hour

sshguard

--
Chaos, panic & disorder - my work here is done
http://beginnerslinux.org
#10
Unruh wrote:
>>what is it? I need to write to something like abuse@72.3.243.92 ?
>
> You can try. It probably will not do any good. I now have 140 IP addresses
> in my hosts.allow file who are banned from my site for behaviour like this.

I had a 12-minute long brute-force attack once. It filled my logs. I was pissed. I wrote the ISP in question. They wrote back and said they term'ed the guy's account.

Writing a level-headed, relevant-info-containing abuse report with GMT timestamps and actual log files will many times yield results. Many times they won't report back that they did something, so you can't take no response back as a solid indicator that nothing was done. Keep the language simple and sweet, as you might be dealing with someone that doesn't speak your language.

With ssh keys and really cheap USB storage units these days, there are really few reasons to use any remote password logins to your system. They can't guess at passwords if you're not taking passwords.

--
[** America Is A Police State **]
http://www.hermes-press.com/police_state.htm
http://www.theregister.co.uk/2008/01..._nsa_internal/
http://www.wired.com/politics/securi...007/08/wiretap
http://www.privacyinternational.org/...D=x-347-559597
AT&T Betrays America: http://www.eff.org/nsa/hepting
#11
repo already pointed out that the IP belongs to Rackspace; just mail them. AFAIK they are a reputable company that won't let this thing go unpunished.

>repo@cannabis:~$ whois 72.3.243.92 | grep abuse
>RAbuseEmail: abuse@rackspace.com
>OrgAbuseEmail: abuse@rackspace.com
>repo@cannabis:~$

--
Nurullah Akkaya
#12
Bit Twister wrote:
> On Wed, 16 Jul 2008 14:39:30 GMT, Unruh wrote:
>> There are ssh password attacks on your system-- trying to see if any of
>> your users ( or any users) have weak passwords.
>> Ban this IP address from your system by placing the address into a line
>> like
>>
>> sshd: 72.3.243.92 :deny
>>
>> Do that before any sshd line giving universal permission, and after a line
>> giving special sites permission.
>>
>> sshd: 199.99.99.99 199.222.111. :allow
>> sshd: 72.3.243.92 :deny
>> sshd: ALL :allow
>>
>> This allows anyone from 199.99.99.99 and from the network 199.222.111.0 to
>> 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone else.
>> This is to make sure that noone accidentally from your special list ends up
>> in the deny line ( it is always the first line which matches which applies)
>
> And for anyone wondering where those lines might go, it would be
> in /etc/hosts.allow if tcpwrappers is installed.
>
> If using /etc/hosts.allow, I'll recommend creating /etc/hosts.deny with
>
> #
> # hosts.deny    This file describes the names of the hosts which are
> #               *not* allowed to use the local INET services, as decided
> #               by the '/usr/sbin/tcpd' server.
> #
> # The portmap line is redundant, but it is left to remind you that
> # the new secure portmap uses hosts.deny and hosts.allow.  In particular
> # you should know that NFS uses portmap!
>
> ALL: ALL:\
>     spawn ( \
>         /bin/echo -e "\n\
>         TCP Wrappers\: Connection Refused\n\
>         By\: $(uname -n)\n\
>         Process\: %d (pid %p)\n\
>         \n\
>         User\: %u\n\
>         Host\: %c\n\
>         Date\: $(date)\n\
>         " | /bin/mail -s \"$(uname -n)\" root ) & : DENY
>
> #*********************** end host.deny ********************************
>
> That will email root with a message about attempts which get by hosts.allow.

Which may result in a few thousand mails per second (if your box can handle this).

Florian

--
-----------------------------------------------------------------------
** Hi! I'm a signature virus! Copy me into your signature, please! **
-----------------------------------------------------------------------
#13
gtu2003@alice.it writes:
>
> Thank you very much. Someone know a simple script that do the follow:
> * watch in the logs
> * if there is a lot of invalid access from an Ip it block only this ip for an hour

You can try fail2ban.

A good way to improve security is to move ssh to a high port and drop requests on port 22.

Regards,
--
Pawel B.
botul.pl
#14
"Paweł B." wrote:
> gtu2003@alice.it writes:
>>
>> Thank you very much. Someone know a simple script that do the follow:
>> * watch in the logs
>> * if there is a lot of invalid access from an Ip it block only this ip for an hour
>
> You can try fail2ban.
>
> A good way to improve security is to move ssh to a high port and drop
> requests on port 22.

That doesn't improve security that much but at least keeps the dumb script kiddies out and avoids cluttering your log files.

To improve security disable password authentication if that's possible in your environment.

Florian

--
-----------------------------------------------------------------------
** Hi! I'm a signature virus! Copy me into your signature, please! **
-----------------------------------------------------------------------
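The last two posts give the two settings that actually matter in sshd_config: a port other than 22 cuts the log noise, and turning password authentication off removes the attack. The following is an added example, not OpenSSH code and not from anyone in this thread: a Python audit of the global section of a sshd_config for exactly those settings, plus the keyboard-interactive path through PAM that can still accept passwords when only PasswordAuthentication is set to no. It follows sshd's rule that the first value given for a keyword wins, and stops at the first Match block because everything after it is conditional. The assumed defaults are Port 22, PasswordAuthentication yes and ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer releases) yes; UsePAM is treated as no unless the file says otherwise. The constructed fragments show the weak configuration beside the hardened one.

```python
# Added example (not OpenSSH code): audit the global section of a sshd_config
# for the hardening recommended in the thread. Assumed defaults: Port 22,
# PasswordAuthentication yes, ChallengeResponseAuthentication yes, UsePAM no.
import re

# keyword, optional "=", value (sshd accepts "Key value" and "Key=value")
LINE_RE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")


def effective_settings(config_text):
    """Return {keyword: value} for the global section, first value wins;
    Port collects a list because several Port lines all take effect."""
    eff = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break                                  # conditional section begins
        if key == "port":
            eff.setdefault("port", []).append(val)
        else:
            eff.setdefault(key, val)               # first value wins
    return eff


def audit(config_text):
    """List the weak settings found; an empty list means the checks passed."""
    eff = effective_settings(config_text)
    findings = []
    if "22" in eff.get("port", ["22"]):
        findings.append("listening on port 22: scanners find it and fill the logs")
    if eff.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible")
    kbd = eff.get("kbdinteractiveauthentication",
                  eff.get("challengeresponseauthentication", "yes"))
    if kbd == "yes" and eff.get("usepam", "no") == "yes":
        findings.append("keyboard-interactive with UsePAM yes: PAM can still ask for a password")
    if eff.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is a valid target for guessing")
    return findings


# Constructed fragments: the weak version beside the hardened one.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# First-value-wins and Match semantics: the later "yes" does not reopen
# password logins, and the Match block applies only to user backup.
LAYERED = """\
Port 2222
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("layered", LAYERED)):
        print(name, audit(cfg) or "ok")
```

The LAYERED fragment is the check a practitioner wants after editing the file by hand: a stray second PasswordAuthentication line lower down does nothing, and a Match block does not change the global answer. After any change, `sshd -t` validates the syntax and `sshd -T` prints the effective values, which is the authoritative version of what this script approximates.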