[ale] Hack of the month...

H. A. Story adrin at bellsouth.net
Wed Dec 14 17:38:54 EST 2005


In the past when I sent an email with an attached log, I have gotten no 
response. I have wondered if this was some type of worm. Do a generic 
setup on ftp and ssh and you will see all kinds of brute force attacks 
and at all hours of the day and night. I would even consider some type 
of VPN on the COLO box if it is possible. That way it is only open to 
those that have legal use of it.



James P. Kinney III wrote:

>On Wed, 2005-12-14 at 08:06 -0500, Christopher Fowler wrote:
>  
>
>>This is an attempt on one of my devices in colo.  At home I would not
>>mind so much but this is a corporate site so I need to put a procedure
>>in place so our support/admin staff can handle these attempts
>>professionally and legally.  Anyone here have a similar procedure and
>>can give me insight?
>>
>>    
>>
>
>It depends on what the system is doing that is being attacked. If it is
>a financial system that could divulge personal info and cause much grief
>(i.e. - lawsuit) then only allow ssh from specific IP addresses AND
>require key access AND block password access AND log all other attempts
>in iptables AND document the attempts and forward them to the upstream
>provider of the would-be cracker.
>
>Due to the native power of a *nix system (as compared to a windblowz) I
>consider them to all be pretty much munitions grade hardware and as
>such, ANY AND ALL unauthorized access or use is treated as a serious
>criminal trespass.
>
>All edge systems need something like Tripwire for integrity checks and
>they must be used (i.e. verified against a known good record) daily.
>
>Policy: All attempts to gain access by unauthorized persons should be
>reported to the ISP of the unauthorized person with suitable legalese
>documentation demanding follow-up communication about what the ISP did
>and to whom.
>  
>
>>On Wed, 2005-12-14 at 07:52 -0500, Paul Cartwright wrote:
>>    
>>
>>>On Wed December 14 2005 7:40 am, Christopher Fowler wrote:
>>>      
>>>
>>>>What is the attempt here and how are they attempting?
>>>>
>>>>Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Invalid
>>>>user testing from 68.120.97.218
>>>>Dec 14 02:58:10 209.168.246.231 authpriv.err sshd[194]: error: Could
>>>>not get shadow information for NOUSER
>>>>Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Failed
>>>>password for invalid user testing from 68.120.97.218 port 59698 ssh2
>>>>        
>>>>
>>>arin whois: http://ws.arin.net/cgi-bin/whois.pl
>>>
>>>shows that as an SBC user, you might want to report your logfile to :
>>>
>>>OrgAbuseHandle: ABUSE6-ARIN
>>>OrgAbuseName:   Abuse - Southwestern Bell Internet 
>>>OrgAbusePhone:  +1-800-648-1626
>>>OrgAbuseEmail:  abuse at sbcglobal.net
>>>      
>>>
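The sshd lines quoted in the thread are the raw material for the procedure Christopher is asking about: something support staff can run over the log to decide which addresses are worth an abuse report. As an added example that is not part of any post in this thread, here is a small Python detector that counts "Failed password" events per source address over a sliding window, flags addresses that cross a threshold, records which usernames were tried, and escalates if a flagged address later gets an "Accepted" login. The sample log is constructed: the three quoted lines plus hypothetical extra lines in the same syslog format (10.0.0.5 is a made-up internal address); the threshold and window values are assumed tuning knobs, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the three lines quoted in the thread, followed by
# hypothetical additional lines in the same syslog format so the threshold
# logic has something to trigger on. 10.0.0.5 is a made-up internal address.
SAMPLE_LOG = """\
Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Invalid user testing from 68.120.97.218
Dec 14 02:58:10 209.168.246.231 authpriv.err sshd[194]: error: Could not get shadow information for NOUSER
Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Failed password for invalid user testing from 68.120.97.218 port 59698 ssh2
Dec 14 02:58:14 209.168.246.231 authpriv.info sshd[197]: Failed password for invalid user oracle from 68.120.97.218 port 59712 ssh2
Dec 14 02:58:19 209.168.246.231 authpriv.info sshd[201]: Failed password for root from 68.120.97.218 port 59730 ssh2
Dec 14 02:58:25 209.168.246.231 authpriv.info sshd[205]: Failed password for invalid user admin from 68.120.97.218 port 59741 ssh2
Dec 14 03:10:02 209.168.246.231 authpriv.info sshd[250]: Failed password for jsmith from 10.0.0.5 port 40122 ssh2
Dec 14 03:10:09 209.168.246.231 authpriv.info sshd[250]: Accepted publickey for jsmith from 10.0.0.5 port 40122 ssh2
"""

# One regex covers both outcomes. Only "Failed password" lines count as
# failures: the preceding "Invalid user ... from ..." line describes the same
# attempt, and counting both would double every event.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Yield (timestamp, kind, source_ip, username) for each auth-outcome line.

    Syslog timestamps carry no year, so strptime fills in 1900; that is fine
    here because only differences between timestamps are used.
    """
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("kind"), m.group("ip"), m.group("user")


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Flag source addresses with >= threshold failures inside a sliding window.

    threshold and window_seconds are assumed tuning values. Returns
    {ip: details}; details gains a 'success_after_burst' entry if a flagged
    address later authenticates successfully, which needs a human to look.
    """
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames tried
    alerts = {}
    for ts, kind, ip, user in parse_events(log_text):
        if kind.startswith("Accepted"):
            if ip in alerts:
                alerts[ip]["success_after_burst"] = {
                    "user": user, "at": ts.strftime("%b %d %H:%M:%S")}
            continue
        cutoff = ts - timedelta(seconds=window_seconds)
        recent[ip] = [t for t in recent[ip] if t >= cutoff] + [ts]
        users[ip].add(user)
        if len(recent[ip]) >= threshold and ip not in alerts:
            alerts[ip] = {
                "count": len(recent[ip]),
                "first_seen": recent[ip][0].strftime("%b %d %H:%M:%S"),
                "last_seen": ts.strftime("%b %d %H:%M:%S"),
                "users": sorted(users[ip]),
            }
    return alerts


def abuse_report(alerts):
    """Render flagged addresses as plain text suitable for an abuse-desk ticket."""
    lines = []
    for ip, d in sorted(alerts.items()):
        lines.append(f"{ip}: {d['count']} failed ssh logins between {d['first_seen']} "
                     f"and {d['last_seen']}, usernames tried: {', '.join(d['users'])}")
        if "success_after_burst" in d:
            s = d["success_after_burst"]
            lines.append(f"  !! later ACCEPTED login as {s['user']} at {s['at']} "
                         f"- treat the host as possibly compromised")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(detect_bruteforce(SAMPLE_LOG)))
```

Run against the sample, it flags 68.120.97.218 after its fourth failure in fifteen seconds (four different usernames, the usual dictionary pattern) and leaves 10.0.0.5 alone, since one failed attempt followed by a successful key login is an ordinary user. The window matters: the same four failures spread over ten-second buckets never cross the threshold, which is why the two knobs should be set from what normal traffic on that box looks like rather than guessed.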



