Koozali.org: home of the SME Server

portscans

jriemens

portscans
« on: May 19, 2005, 10:49:11 AM »
Someone keeps on trying to enter my server for a couple of days now. I can't find any info on this IP address. He has been scanning all my ports for 2 days now. Anything I can do about this?

Failed password for illegal user test from 218.111.85.10 port 53829 ssh2 (this goes on and on for many more portscans, about 6 pages of logfile)
Failed password for root from 218.111.85.10 port 55035 ssh2 (also many pages in logfile on different ports)

Or is this "normal" and shouldn't I worry about that?
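As an added example (not code from this thread or from SME Server), a small Python script that parses failed-password lines in the sshd format quoted above, groups them by source address, and flags the high-volume, username-cycling pattern that marks a scripted guessing run. The log lines inside it are constructed samples, and the "illegal user"/"invalid user" alternatives are an assumption covering older and newer OpenSSH wording.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog/sshd format (not real log data)
SAMPLE_LOG = """\
May 19 03:12:01 sme sshd[2021]: Failed password for illegal user test from 218.111.85.10 port 53829 ssh2
May 19 03:12:04 sme sshd[2023]: Failed password for illegal user guest from 218.111.85.10 port 53901 ssh2
May 19 03:12:07 sme sshd[2025]: Failed password for illegal user admin from 218.111.85.10 port 54011 ssh2
May 19 03:12:10 sme sshd[2027]: Failed password for root from 218.111.85.10 port 55035 ssh2
May 19 03:12:13 sme sshd[2029]: Failed password for root from 218.111.85.10 port 55102 ssh2
May 19 03:15:40 sme sshd[2040]: Failed password for alice from 192.0.2.44 port 40122 ssh2
May 19 03:15:55 sme sshd[2042]: Accepted password for alice from 192.0.2.44 port 40123 ssh2
"""

# "illegal user" is the older OpenSSH wording, "invalid user" the newer one (assumed)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

def parse_failures(log_text):
    """Return a list of (user, ip, port) tuples, one per failed-login line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip"), int(m.group("port"))))
    return out

def summarize_by_source(failures):
    """Per source IP: attempt count, distinct usernames tried, and whether root was tried."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "root_tried": False})
    for user, ip, _port in failures:
        s = summary[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if user == "root":
            s["root_tried"] = True
    return dict(summary)

def flag_bruteforce(summary, min_attempts=5, min_users=2):
    """IPs whose volume or username cycling looks like a scripted guessing run, sorted."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= min_attempts or len(s["users"]) >= min_users)

if __name__ == "__main__":
    for ip, s in summarize_by_source(parse_failures(SAMPLE_LOG)).items():
        print(ip, s["attempts"], sorted(s["users"]), "root" if s["root_tried"] else "")
```

On a real server, feed it the sshd lines from /var/log/secure (or wherever your syslog puts them) instead of the constructed sample; a single user mistyping a password once is not flagged, while an address cycling through test/guest/admin/root is.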

Quail_Linux

Re: portscans
« Reply #1 on: May 19, 2005, 11:11:37 AM »
Quote from: "jriemens"
Someone keeps on trying to enter my server for a couple of days now. I can't find any info on this IP address. He has been scanning all my ports for 2 days now. Anything I can do about this?

Failed password for illegal user test from 218.111.85.10 port 53829 ssh2 (this goes on and on for many more portscans, about 6 pages of logfile)
Failed password for root from 218.111.85.10 port 55035 ssh2 (also many pages in logfile on different ports)

Or is this "normal" and shouldn't I worry about that?


Hi,

218.111.85.10 (Reverse lookup failed) : whois.apnic.net
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      218.111.0.0 - 218.111.255.255
netname:      XDSLSTREAMYX
descr:        Telekom Malaysia Berhad
descr:        Network Strategy
descr:        5th Floor, North Wing
descr:        Menara Telekom
descr:        Jalan Pantai Baru
descr:        50672 Kuala Lumpur
country:      MY
admin-c:      DA5-AP
tech-c:       NA16-AP
status:       ALLOCATED PORTABLE
mnt-by:       APNIC-HM
mnt-lower:    MAINT-AP-STREAMYX
changed:      hm-changed@apnic.net 20031112
source:       APNIC

person:       Darmataksiah Abai
nic-hdl:      DA5-AP
e-mail:       darma@telekom.com.my
address:      Telekom Malaysia Berhad
address:      Network Strategy
address:      5th Floor, North Wing
address:      Menara Telekom
address:      Jalan Pantai Baru
address:      50672 Kuala Lumpur
phone:        +603-2240-7307
fax-no:       +603-7958-2034
country:      MY
mnt-by:       MAINT-AP-STREAMYX
changed:      hm-changed@apnic.net 20031112
source:       APNIC

person:       Napizah Alang Jaafar
nic-hdl:      NA16-AP
e-mail:       napizah@telekom.com.my
address:      Telekom Malaysia Berhad
address:      Network Strategy
address:      5th Floor, North Wing
address:      Menara Telekom
address:      Jalan Pantai Baru
address:      50672 Kuala Lumpur
phone:        +603-2240-7327
fax-no:       +603-7958-2034
country:      MY
mnt-by:       MAINT-AP-STREAMYX
changed:      hm-changed@apnic.net 20031112
source:       APNIC

Brenno
portscans
« Reply #2 on: May 19, 2005, 06:48:38 PM »
jriemens,

Sadly, this is quite normal. I see this stuff in my server logs all the time. It's likely the result of an automated (script-based) attack which just probes your server for a weak root (or other) password. It may go on for 15 or 20 minutes and then simply stop.

Your best defence, since the originating IP will likely change all the time, is to simply make sure you have a really strong root/admin password. (Actually, make sure all user accounts have strong passwords since they have access to certain services on your server, too.) Best practices would be 10 characters minimum and use a combination of letters, numbers and symbols.

You might also be able to contact the ISP responsible for this IP address and file a complaint.  I've never had much success with this option, especially for offshore ISPs :)

arne
portscans
« Reply #3 on: May 19, 2005, 09:58:39 PM »
I have seen the same thing in my logs for quite a while now. My favorite attacker is from China. Don't know if it is an automated attack or not, but sometimes I have been wondering if there is a poor man sitting in a web cafe somewhere in China wanting so desperately to have access to a web server.

At least the "guess the password game" can go on for hours until it just changes to another IP.

If I used very easy user account/password pairs like admin/admin or admin/password I would be 100% sure to be hacked.

I think I agree that there is only one real medicine and that is strong enough passwords.

Well, there is other medicine as well, like watching your log. I also usually install the RedHat 7.3 traffic monitor "iptraf". This gives an instant snap view of all traffic to and from your server. Can be usable for a server with only limited traffic.
......

chris burnat
portscans
« Reply #4 on: May 22, 2005, 05:44:08 AM »
Same here, and it's getting worse. Another medicine is to change the port for sshd, say from port 22 to a high port somewhere above 1000. Done this using the excellent howto from cc-skavenger yesterday (check the wikis) and bingo, not a trace of any robots. Now I can see my logs, and only concentrate on either serious attacks (meaning there is a body on the other end...) or genuine logons from my users.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

cc_skavenger

portscans
« Reply #5 on: May 22, 2005, 08:28:39 AM »
That howto can be found here:

http://www.ccskavenger.info/SME/Howtos/Changing-the-default-ssh-port.htm

Hope it helps others...