#2 | 11-08-2005 | Michael Paoli
Re: Attempt of being hacked -- protection?

ultimatespamheap@yahoo.com wrote:
> Yesterday evening, I noticed network traffic going over my router and
> netstat showed five parallel ssh connections to the address
> host52.co.154.isl (different ports).
> Today, I inspected /var/log/messages and found that some guy had
> started to systematically try to login under different user names (see
> below).
> My questions now are:
> (1) How can I protect myself from such an attack? Is there a
> possibility to configure the system so that it refuses any login
> attempt for, let's say a couple of hours, when such a systematic attack
> is detected? (at least the detection part should not be too hard).
> Also, a clear message informing the user about the ongoing attack would
> have been nice.
> (2) Can/should I report this abuse to the ISP in question? How?
> (3) Are there any other security measures I should take now?
> Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52
> Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52
> Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52

There are various means of possible protection. Some web searches
will find many of them and discussions of them thereof, e.g.:
http://denyhosts.sourceforge.net/
There are of course also many ways to block out IPs that one doesn't
want to allow at all, or one can also configure "port knocking" or
more stealthy means of allowing only (presumably) authorized access.

Yes, you can certainly report them to the ISP ... such as find the
abuse, or most suitable contact, via whois, and send them the
relevant details (logs), including timezone information for the log
timestamps - they'll typically need to know attacked and attacking
IPs, and in many cases also both source and destination ports. You
may never know if the ISP does something useful with the information,
though - many of them will tell you little to nothing, due to
customer privacy concerns/policies, etc. Most attacking systems are
systems that have been victimized by some cracker anyway (and had
your system been cracked, it would likely be doing more of the same
type of attacking). You can also join coordinated efforts in such
regards, e.g.:
http://www.dshield.org/fightback.php
... those can potentially be rather useful in that ISPs would get
more consolidated reports, and at least in theory, getting reports
from organizations showing lots of systems being attacked may carry
more weight with an ISP than random reports from attacked individual
systems or small groups of systems.

Unfortunately such "attacks" are rather common and frequent on the
Internet. This is yet another reason why strong passwords, locking
out unnecessary services/access, and staying quite current on security
updates/patches continue to be quite important to security.

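The "detection part" the question asks about, in the style of the DenyHosts-type tools the reply points to, as an added example (not code from the post, nor DenyHosts' own): it parses sshd lines of the form shown above, counts failures per source address inside a sliding window, and records which addresses should be refused for a couple of hours. The threshold, window and block duration are assumed values, and the sample log is partly the post's three lines plus constructed entries using a TEST-NET address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd failure lines quoted in the post, plus the usual
# "Failed password for <user>" variant; the IP is the token after "from".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from "
    r"(?P<ip>\S+)"
)

def parse_line(line, year=2005):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ip = m["ip"]
    if ip.startswith("::ffff:"):   # IPv4-mapped IPv6 form, as in the post's logs
        ip = ip[len("::ffff:"):]
    return ts, ip

def find_attackers(lines, threshold=5, window=timedelta(minutes=10),
                   block_for=timedelta(hours=2)):
    """Return {ip: block_until} for every source with >= threshold
    failures inside one sliding window (assumed policy values)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in blocked:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # age out attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts + block_for
    return blocked

# Constructed sample: the post's lines, two more in the same pattern, and
# ordinary activity from 192.0.2.10 (TEST-NET) that must not be blocked.
SAMPLE_LOG = [
    "Nov 7 20:09:25 Dtop sshd[9359]: Invalid user linux from ::ffff:61.63.154.52",
    "Nov 7 20:09:28 Dtop sshd[9361]: Invalid user unix from ::ffff:61.63.154.52",
    "Nov 7 20:09:31 Dtop sshd[9363]: Invalid user webadmin from ::ffff:61.63.154.52",
    "Nov 7 20:09:34 Dtop sshd[9365]: Invalid user oracle from ::ffff:61.63.154.52",
    "Nov 7 20:09:37 Dtop sshd[9367]: Invalid user test from ::ffff:61.63.154.52",
    "Nov 7 20:10:02 Dtop sshd[9370]: Accepted publickey for alice from 192.0.2.10 port 40122 ssh2",
    "Nov 7 20:31:15 Dtop sshd[9402]: Failed password for alice from 192.0.2.10 port 40130 ssh2",
    "Nov 7 20:31:20 Dtop sshd[9404]: Failed password for alice from 192.0.2.10 port 40131 ssh2",
]
```

Feeding the result into a firewall rule or /etc/hosts.deny, and expiring entries once block_until has passed, is the part such tools add on top of this.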