[Cialug] RE: Port blocking - and unwanted intruders.

cialug@cialug.org
Mon, 06 Dec 2004 17:21:02 +0000


The "illegal user" entry is more serious.  It looks like someone is trying to
exploit an openssh flaw.  Three years ago, my box was 0wned because of an
openssh flaw.  I now only allow ssh from the places I might be ssh'ing from. 
Any others get blocked by ipchains (for FC2, it would probably be iptables).

I'm sure adding the addresses to hosts.deny will work; I chose to do it at the
firewall level.  That way, unless there's a bug in the firewall, it will get
blocked there.  Maybe as an extra security measure, both should be done.

I don't think sending an e-mail to that contact would help.  It appears to be a
Korean university, which could have several thousand students.  It could be a
lab IP address, which could be open to anyone.  The chances of them doing
anything about it would be slim, IMHO.

--
Tim W.
> timwilson011@mchsi.com wrote:
> 
> RE: >> I'm curious if I need to block any of the dest ports being hit.  Anyone
> have any ideas, suggestions, or comments?  Why would these ports be accessed?
> 
> I'm interested in your question, but unable to provide any answers.   
> 
> I have a Fedora Core 2 server running LAMP and ever since I installed it, the 
> disk gets hit about once every three seconds.  I'd like to determine the process 
> and/or the port.   
> 
> I think one of the suspect problems is an error in my named.conf file (my fault 
> but haven't resolved the issue).   
> 
> This error gets logged in my /var/log/messages file, to wit:
> "lame server resolving '1.0.0.127.in-addr.arpa' ( in '0.0.127.in-addr.arpa'?): 
> 192.228.79.201#53"
> 
> A more serious error, or so I believe is: 
> "Failed password for illegal user blue from 213.155.196.143 port 35672 ssh2"  
> I have a whole slew of these entries in the /var/log/messages file and the jerk 
> has tried to log in under many aliases, apparently from different IPs 
> (including 210.102.183.225).   I cannot ping these addresses.  
> 
> When I do a "whois 210.102.183.225", I find a block of addresses for some 
> University in China, maybe?   The technical contact is ygson@kwc.ac.kr and 
> kren@snu.ac.kr at KYUNGWON College.  
> 
> Does anyone think it will do me any good to send an email to this contact to 
> tell them that whoever is at 210.102.183.225 is being abusive?    I have added 
> both of these IPs to my /etc/hosts.deny file thusly.  
> sshd: 210.102.183.225 213.155.196.143
> I'm not sure that I have the syntax correct.  
> 
> As always, TIA for any help.   And, I wish I knew the answer to YOUR problem Tim 
> Wilson, but unfortunately, I am "nicht sehr gut" (not very good) in this arena... 
> 
> Ciao, 
> Andrew Lietzow
> Des Moines
> 
> 
>
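An added example, not part of the thread or of anyone's posted configuration: a small POSIX shell script that takes the "Failed password for illegal user ... from ..." lines in the format quoted above, counts failures per source address, and prints both blocking mechanisms the thread discusses, the tcp_wrappers line for /etc/hosts.deny and the iptables rules for an SSH source allowlist as described in the reply. The log lines are constructed for the example; the network 192.0.2.0/24 is a placeholder for "the places I might be ssh'ing from". The iptables commands are printed, not executed, so the script can be reviewed before anything is applied. Two points the script encodes: the hosts.deny daemon field is the sshd process name, "sshd", not "ssh2"; and hosts.deny only takes effect where sshd is built with tcp_wrappers (libwrap), which portable OpenSSH dropped in 6.7, so on a current system the firewall rule is the one that actually does the blocking.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): summarise sshd login
# failures from a syslog-format file and emit blocking fragments for review.

# Constructed sample lines in the /var/log/messages format the post quotes.
SAMPLE_LOG=$(cat <<'EOF'
Dec  6 10:01:02 fc2 sshd[1201]: Failed password for illegal user blue from 213.155.196.143 port 35672 ssh2
Dec  6 10:01:05 fc2 sshd[1203]: Failed password for illegal user admin from 213.155.196.143 port 35680 ssh2
Dec  6 10:01:09 fc2 sshd[1205]: Failed password for illegal user test from 210.102.183.225 port 41011 ssh2
Dec  6 10:02:11 fc2 sshd[1209]: Failed password for andrew from 192.0.2.10 port 50011 ssh2
Dec  6 10:02:30 fc2 named[812]: lame server resolving '1.0.0.127.in-addr.arpa' (in '0.0.127.in-addr.arpa'?): 192.228.79.201#53
EOF
)

# failed_sources LOGTEXT
# Print "count ip" for every source with sshd password failures, busiest
# first.  Matches both the "illegal user X" form and the plain-user form;
# unrelated lines (e.g. the named complaint) are ignored.
failed_sources() {
    printf '%s\n' "$1" \
    | awk '/sshd\[[0-9]+\]: Failed password for / {
               for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
           }
           END { for (ip in n) print n[ip], ip }' \
    | sort -k1,1nr -k2,2
}

# hosts_deny_line LOGTEXT THRESHOLD
# One /etc/hosts.deny line denying sshd to every source with at least
# THRESHOLD failures.  The daemon name is the sshd process name ("sshd"),
# not "ssh2".  Caveat: this only works for an sshd built with tcp_wrappers;
# portable OpenSSH removed that support in 6.7.
hosts_deny_line() {
    ips=$(failed_sources "$1" | awk -v t="$2" '$1 >= t { print $2 }' | tr '\n' ' ')
    printf 'sshd: %s\n' "${ips% }"
}

# drop_rules LOGTEXT THRESHOLD
# iptables commands (printed, not run) that drop all traffic from every
# source with at least THRESHOLD failures.  -I puts them ahead of any
# existing ACCEPT rules.
drop_rules() {
    failed_sources "$1" | awk -v t="$2" '$1 >= t { print $2 }' | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# ssh_allowlist_rules "CIDR ..."
# iptables commands (printed, not run) implementing the approach in the
# reply: accept SSH only from the listed sources and drop everything else.
ssh_allowlist_rules() {
    for src in $1; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Demonstration on the constructed log with a threshold of 2 failures.
echo "# failures per source"
failed_sources "$SAMPLE_LOG"
echo "# /etc/hosts.deny"
hosts_deny_line "$SAMPLE_LOG" 2
echo "# firewall"
drop_rules "$SAMPLE_LOG" 2
ssh_allowlist_rules "192.0.2.0/24"
```

On a real box the first argument would be `"$(cat /var/log/messages)"` (or the output of `grep sshd` on it), and the threshold keeps a single mistyped password from one's own laptop from locking it out; the allowlist rules should be tried from a console session or with a `sleep 60; iptables -F` escape hatch, since a wrong source range cuts off the administrator along with the attacker.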