Mailinglist Archive: opensuse (6210 mails)

Re: [SLE] Hacker attempts during installation
  • From: Allen <gorebofh@xxxxxxxxxxx>
  • Date: Sat, 29 Oct 2005 18:15:02 -0400
  • Message-id: <20051029221502.GA19141@xxxxxxxxxxxxxxxxxxxxxx>
On Sat, Oct 29, 2005 at 03:29:52AM +0200, Carlos E. R. wrote:
> The Friday 2005-10-28 at 19:53 -0400, Allen wrote:
>
> > SSHd is blocked by default on SUSE.... Why are you running it?
>
> The daemon is enabled by default, I think. It might be closed in the
> firewall, though.
>
> > My guess.... You shut off the firewall or told it to allow SSH?..... The
> > firewall is on by default now, and you can update before the machine is even
> > fully booted...
> >
> > You really should give more info than this. It sounds like you turned off
> > the firewall, or told it to allow SSH, and for some reason someone found your
> > IP, which is weird, do you run a server?
>
> Not weird at all. I get attempts as soon as I connect through my V90
> modem (dial up dynamic address). There are people out there running port
> scans continuously, using scripts. Most try ports 445, 135, 139... or
> weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:
>
> Oct 22 04:05:46 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC=
> SRC=64.34.92.187 DST=81.41.201.250 LEN=60 TOS=0x00 PREC=0x00 TTL=49
> ID=27217 DF PROTO=TCP SPT=47499 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A7E3F764C0000000001030302)

My boxes are up 24/7 as is my connection (6.2 MBs a second) and I've had
maybe ONE attack attempt on a server I was using. And that was someone
trying to log into the FTP server here as root a long time ago.... Well
like not that long ago. I have them up all the time though and I've never
had that. I even pop them in my DMZ and no one attacks it, and believe me,
I'm quite a target being someone who challenges people openly when I don't
think they are doing the right thing, being a soon to be govt employee, and
of course being a senior member of AntiOnline.

Lol yea I'm a huge one.


>
> They try the guest account because some installs have it, and several
> other "typical" names. There was a problem in sshd by which the attacker
> could determine if the name was valid by measuring the response time of
> the server, which was different if the user existed or not. Once they find
> a user name, they launch a dictionary attack on it.
>
> That hole was plugged.
>
> - --
> Cheers,
> Carlos Robinson
>
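As an added example (not from either poster), here is a small parser for the SuSEfirewall2 kernel log format quoted in Carlos's message, aggregating the destination ports each source was dropped on so that the scripted port scans he describes stand out from a one-off connection. The log lines and addresses (RFC 5737 ranges) are constructed for the example; the threshold of three distinct ports is an assumption, not a SuSEfirewall2 setting.

```python
import re
from collections import defaultdict

# Constructed SFW2 lines in the format quoted above (RFC 5737 addresses, not real hosts);
# the last line is an unrelated sshd message to show non-firewall lines are skipped.
SAMPLE_LOG = """\
Oct 22 04:05:46 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=27217 DF PROTO=TCP SPT=47499 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A7E3F764C0000000001030302)
Oct 22 04:05:47 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=27218 DF PROTO=TCP SPT=47500 DPT=135 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 04:05:47 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=27219 DF PROTO=TCP SPT=47501 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 04:05:48 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=27220 DF PROTO=TCP SPT=47502 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 22 04:09:12 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9001 DF PROTO=TCP SPT=3122 DPT=1026 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 22 04:09:30 nimrodel sshd[2210]: Connection closed by 203.0.113.5
""".splitlines()

TAG_RE = re.compile(r"kernel: (SFW2-\S+)")   # rule tag, e.g. SFW2-INext-DROP-DEFLT
KV_RE = re.compile(r"(\w+)=(\S*)")           # key=value pairs; OUT= and MAC= may be empty

def parse_sfw2(line):
    """Return the fields of one SFW2 kernel log line, or None for any other line."""
    m = TAG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    return {
        "tag": m.group(1),
        "iface": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }

def ports_by_source(lines):
    """Map each source address to the sorted list of distinct ports it was dropped on."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_sfw2(line)
        if rec and rec["dpt"] is not None:
            hits[rec["src"]].add(rec["dpt"])
    return {src: sorted(ports) for src, ports in hits.items()}

def likely_scanners(lines, min_ports=3):
    """Sources that probed at least min_ports distinct ports, i.e. scan-like behaviour."""
    return sorted(s for s, p in ports_by_source(lines).items() if len(p) >= min_ports)

if __name__ == "__main__":
    for src, ports in ports_by_source(SAMPLE_LOG).items():
        print(f"{src}: dropped on ports {ports}")
    print("scan-like sources:", likely_scanners(SAMPLE_LOG))
```

On a real box, feed it the SFW2 lines from /var/log/messages (or wherever the kernel log is written) instead of SAMPLE_LOG; a single dropped SYN on port 21 is background noise, while one source walking 21, 135, 139 and 445 in a few seconds is the scripted scan Carlos describes.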
