[Cialug] RE: Port blocking - and unwanted intruders.

D. Joe Anderson cialug@cialug.org
Mon, 6 Dec 2004 10:51:49 -0600


On Mon, Dec 06, 2004 at 09:30:01AM -0600, Andrew Lietzow wrote:
> timwilson011@mchsi.com wrote:

> I have a Fedora Core 2 server running LAMP and ever since I installed it, the disk gets hit about once every three seconds. I'd like to determine the process and/or the port.
> 
> I think one of the suspect problems is an error in my named.conf file (my fault but haven't resolved the issue).   
> 
> This error gets logged in my /var/log/messages file, to wit:
> "lame server resolving '1.0.0.127.in-addr.arpa' ( in '0.0.127.in-addr.arpa'?): 192.228.79.201#53"

Yeah, port 53 is DNS, as you can see in /etc/services.  If you
do a whois on that IP, you can see it's one of the root servers.

You might want to make sure you have an entry for localhost in
/etc/hosts.  At minimum, it should have this:

127.0.0.1       localhost

For a machine called "foobar" you might also put "foobar" and
"foobar.my.domain.net" and any other aliases after localhost on
this same line, space delimited.  Using your own values in place
of these example ones, of course.

> A more serious error, or so I believe is: 
> "Failed password for illegal user blue from 213.155.196.143 port 35672 ssh2"  
> I have a whole slew of these entries in the /var/log/messages file and the jerk has tried to log in under many aliases, apparently from different IPs (including 210.102.183.225). I cannot ping these addresses.
> 
> When I do a "whois 210.102.183.225", I find a block of addresses for some university in China, maybe? The technical contact is ygson@kwc.ac.kr and kren@snu.ac.kr at KYUNGWON College.

.kr is South Korea:
http://www.iana.org/cctld/cctld-whois.htm#k

> Does anyone think it will do me any good to send an email to this contact to tell them that whoever is at 210.102.183.225 is being abusive? I have added both of these IPs to my /etc/hosts.deny file thusly.
> <ssh2:210.102.183.225 213.155.196.143>
> I'm not sure that I have the syntax correct.  

What's the worst that could happen if you do report it?  You're
already getting attacked from that site.  You might want to
create a throwaway email address to use to make the report, in
case this is a spam front, too, but otherwise the benefits
(shutting down some punk by going through proper channels) might
just pay off.

-- 
Joe