Server security guru? - Wrist Twisters
 
post #1 of 17, 03-18-2008, 06:36 AM, by jetblast10 (Thread Starter)

While reviewing my logwatch this morning, it looks like the box fended off a brute force attack. I've denied access to the offending IP via the cPanel:

Daemon   Access List   Action   Comment
sshd     xxx.xxx.xxx   deny     deny SSH access

Does this appear to be the correct way to handle it?
Attached images: log.jpg (36.1 KB), brute.jpg (92.3 KB)

post #2 of 17, 03-18-2008, 06:55 AM, by ratdog

wow, first of all that's a weak brute force
you're fine

"sshd xxx.xxx.xxx.xxx deny comment" was the way i read the input screen

i'm more paranoid about ssh access and lock it down (allow) from distinct known good IP ranges (one of which include my Cellular IP based access, home, primary worksites, etc.)

post #3 of 17, 03-18-2008, 06:57 AM, by ratdog

tell you what, if you haven't already...at least narrow it down by country

can't be too many good reasons for romanians or someone in china to be accessing your secure shell stuff (or most anything else but http)

post #4 of 17, 03-18-2008, 07:01 AM, by ratdog

oh yeah, your attempt counts are way too high
i let it go 3-5 b4 i bang'em

not that i do this stuff
but i did sleep w/ a ho named liddayin

post #5 of 17, 03-18-2008, 07:03 AM, by ratdog

btw you're allowed to counterstrike them if you want...not illegal yet
and it's fun
u know, if you have that kind of time and chuckling at a logfile can brighten your day cause that's just how pathetic things are sometimes

post #6 of 17, 03-18-2008, 07:07 AM, by jetblast10 (Thread Starter)

you want their IP?

post #7 of 17, 03-18-2008, 07:09 AM, by ratdog

did i mention "strong" passwords as a rule

here is Microsoft's password strength check thing

post #8 of 17, 03-18-2008, 07:17 AM, by ratdog

Quote:
Originally Posted by jetblast10
you want their IP?

well, technically the counterstrike should occur during the attack and originate from the offended IP ...and often/mostly the attacks are not from static ip's but rather those that are associated w/ broad dhcp ranges such as dialups/dsl's, hijacked systems or better yet, offshore colleges that are home to something just this side of state supported hacker teams....anyways, the IP is usually gone shortly thereafter or has been re-assigned to some poor innocent

post #9 of 17, 03-18-2008, 07:17 AM, by ragdoll

Ratdog... you can type more than a sentence per posting.

It looks like you had a few attempts to break in but I'd be more seriously concerned if those numbers were in triple or quadruple digits.

You should enable a lock on the accounts after 5 attempts.

post #10 of 17, 03-18-2008, 07:18 AM, by ratdog

and...now i have enough cash to sit back down at the table

hey, where are the real propeller heads here, i know there's about 26 of them

post #11 of 17, 03-18-2008, 07:21 AM, by ratdog

Quote:
Originally Posted by ragdoll
Ratdog... you can type more than a sentence per posting.

It looks like you had a few attempts to break in but I'd be more seriously concerned if those numbers were in triple or quadruple digits.

You should enable a lock on the accounts after 5 attempts.

i'm just spewin at the keyboard cause i'm workin a bunch of other screens and jacked on that colombian goodness wawa is serving this week...it's stream of consciousnesses rd....i know there are several on here that don't like 'the way' i post, much less the content....no punctuation, grammar, always time for grammar and punctuation?? hah

post #12 of 17, 03-24-2008, 04:43 AM, by jetblast10 (Thread Starter)

Quote:
Originally Posted by ratdog
lock it down (allow) from distinct known good IP ranges

done, log looks much better this morning. Thanks!

post #13 of 17, 03-24-2008, 09:22 AM, by midwest

Quote:
Originally Posted by jetblast10
While reviewing my logwatch this morning looks like the box fended off a brute force attack.

And here I thought you caught Moto trying to climb in your bedroom window!

post #14 of 17, 03-24-2008, 10:21 AM, by justintyme73

I highly recommend a blood curdling "Banzai!" type scream before any counter attack. Although I don't know if it will be as effective as during physical combat, it should make you feel better, and be amusing to anyone around you.

post #15 of 17, 03-24-2008, 09:15 PM, by beefsalad

DenyHosts is a decent script for mitigating "attacks" if you can handle the extra weight. Moving the ssh port also helps mitigate a lot of crap.

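An added example, not written by anyone in the thread and not DenyHosts' own code, of the approach the posts above describe: count failed sshd logins per source address, skip the known-good ranges, and list the addresses that cross a 3 to 5 attempt threshold. The log lines, addresses, the `jet` user name and the TCP-wrappers style `sshd: <ip>` deny line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Failed-password lines as OpenSSH logs them, with or without "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def _line(n, user, ip):
    # Build one constructed auth-log line (sample data, not a real log).
    return (f"Mar 18 03:12:{n:02d} box sshd[{4100 + n}]: "
            f"Failed password for {user} from {ip} port {40000 + n} ssh2")

# Constructed sample: a noisy source, a quieter one, and an admin mistyping
# a password from a known-good range (documentation addresses throughout).
SAMPLE_LOG = "\n".join(
    [_line(i, "invalid user admin", "203.0.113.7") for i in range(5)]
    + [_line(10 + i, "root", "198.51.100.23") for i in range(3)]
    + [_line(20 + i, "jet", "192.0.2.10") for i in range(6)]
    + ["Mar 18 03:13:00 box sshd[4200]: Accepted password for jet "
       "from 192.0.2.10 port 40100 ssh2"]
)

def offenders(log_text, allow_ranges, threshold=5):
    """Return {ip: failures} for sources at or over the threshold."""
    allowed = [ipaddress.ip_network(r) for r in allow_ranges]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # address field was not a literal IP
        if any(ip in net for net in allowed):
            continue  # known-good range: never auto-ban yourself
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def deny_lines(banned):
    # One deny entry per address, in a stable order for diffing.
    return [f"sshd: {ip}" for ip in sorted(banned)]

if __name__ == "__main__":
    print("\n".join(deny_lines(offenders(SAMPLE_LOG, ["192.0.2.0/24"]))))
```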
post #16 of 17, 03-25-2008, 05:03 AM, by marylandmike
Quote:
Originally Posted by jetblast10
done, log looks much better this morning. Thanks!

Must be the fiber!

post #17 of 17, 03-25-2008, 05:05 AM, by jetblast10 (Thread Starter)

