2006/8/9, gnuforever
Hello list, a few weeks ago I sent a message to the list about attacks on my SUSE server. I have a firewall configured with SuSEfirewall, but I keep ssh open for administration when I am out of the office. That port has been under attack by the damn idiots who devote their lives to trying to break into other people's servers. On the list I was told to put certain rules in the SUSE script:
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
As far as I could tell the problem was solved, but looking at the logs again... I am still being attacked. The attempts I have seen number more than 6, and according to the rules, after 6 attempts that IP should be blocked...
My log of the attacks:
Aug 9 12:52:28 ns1 sshd[19000]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Aug 9 12:52:33 ns1 sshd[19002]: Invalid user ftpuser from ::ffff:66.70.158.66
Aug 9 12:52:33 ns1 sshd[19002]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Aug 9 12:52:36 ns1 sshd[19004]: Invalid user testuser from ::ffff:66.70.158.66
Aug 9 12:52:36 ns1 sshd[19004]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Aug 9 12:52:37 ns1 sshd[19008]: Invalid user testuser from ::ffff:66.70.158.66
Aug 9 12:52:37 ns1 sshd[19008]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Aug 9 12:52:47 ns1 sshd[19010]: Invalid user test from ::ffff:66.70.158.66
Aug 9 12:52:47 ns1 sshd[19010]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Aug 9 12:52:49 ns1 sshd[19014]: Invalid user guestuser from ::ffff:66.70.158.66
Aug 9 12:52:49 ns1 sshd[19014]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Aug 9 12:52:50 ns1 sshd[19016]: Invalid user test01 from ::ffff:66.70.158.66
Aug 9 12:52:50 ns1 sshd[19016]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Aug 9 12:52:53 ns1 sshd[19018]: Invalid user test2 from ::ffff:66.70.158.66
Aug 9 12:52:53 ns1 sshd[19018]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Any idea what might be happening?
It is evident that they want to get in and are not succeeding. Those are the risks one is exposed to by leaving ports open... The IP address, if I am not mistaken, is not a public IP, it is an internal IP, and the whois for the domain gives you:

Registrant:
DotaCom Corporation
www.dotacom.com
106 W. Calendar Ct - Suite 141
LaGrange, Illinois 60625
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MEGANHENRY.COM
Created on: 20-Jun-04
Expires on: 20-Jun-07
Last Updated on: 09-Aug-06

Administrative Contact:
Manager, Domain Support@WebContents.com
DotaCom Corporation
www.dotacom.com
106 W. Calendar Ct - Suite 141
LaGrange, Illinois 60625
United States
8778773053 Fax -- 7735853637

Technical Contact:
Manager, Domain Support@WebContents.com
DotaCom Corporation
www.dotacom.com
106 W. Calendar Ct - Suite 141
LaGrange, Illinois 60625
United States
8778773053 Fax -- 7735853637

Domain servers in listed order:
NS1.PARKED.COM
NS2.PARKED.COM
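
A check that can be run over the sshd log from the first message to see whether the 60-second / 6-hit limit is actually being enforced, given as an added example that is not part of the original messages. The function names are hypothetical, and it assumes that each distinct sshd PID corresponds to one TCP connection that got past the firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines copied from the log in the post, one per sshd PID shown there.
SAMPLE_LOG = """\
Aug 9 12:52:28 ns1 sshd[19000]: Address 66.70.158.66 maps to meganhenry.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Aug 9 12:52:33 ns1 sshd[19002]: Invalid user ftpuser from ::ffff:66.70.158.66
Aug 9 12:52:36 ns1 sshd[19004]: Invalid user testuser from ::ffff:66.70.158.66
Aug 9 12:52:37 ns1 sshd[19008]: Invalid user testuser from ::ffff:66.70.158.66
Aug 9 12:52:47 ns1 sshd[19010]: Invalid user test from ::ffff:66.70.158.66
Aug 9 12:52:49 ns1 sshd[19014]: Invalid user guestuser from ::ffff:66.70.158.66
Aug 9 12:52:50 ns1 sshd[19016]: Invalid user test01 from ::ffff:66.70.158.66
Aug 9 12:52:53 ns1 sshd[19018]: Invalid user test2 from ::ffff:66.70.158.66
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[(\d+)\]:.*?(\d+\.\d+\.\d+\.\d+)")

def connections(log_text, year=2006):
    """Map source IP -> first-seen times in order, one per sshd PID (assumed = one connection)."""
    first_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog lines carry no year, so one is supplied for parsing
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            key = (m.group(3), m.group(2))  # (ip, pid)
            first_seen[key] = min(ts, first_seen.get(key, ts))
    per_ip = defaultdict(list)
    for (ip, _pid), ts in sorted(first_seen.items(), key=lambda kv: kv[1]):
        per_ip[ip].append(ts)
    return dict(per_ip)

def max_in_window(times, seconds=60):
    """Largest number of connections inside any sliding window of that length."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= timedelta(seconds=seconds):
            start += 1
        best = max(best, end - start + 1)
    return best

def rate_limit_bypassed(log_text, seconds=60, hitcount=6):
    """IPs whose connections in one window reached the hitcount the REJECT rule uses."""
    peaks = {ip: max_in_window(t, seconds) for ip, t in connections(log_text).items()}
    return {ip: n for ip, n in peaks.items() if n >= hitcount}

if __name__ == "__main__":
    print(rate_limit_bypassed(SAMPLE_LOG))
```

A non-empty result means connections beyond the limit reached sshd, so the `recent` rules were not evaluated for that traffic. `iptables -L INPUT -n -v --line-numbers` shows the rule order and the per-rule packet counters.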