<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>There are examples where people run an ssh shell behind a Tor proxy.</p>
    <p>This way you never get this attack, because no one knows the
      .onion address.<br>
    </p>
    <div class="moz-cite-prefix">On 2019-12-29 1:53 p.m., Khalid
      Baheyeldin wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CA+TuoW29rjOnLB07Xy2cYFAU3B81rH5hRb9MWKmW0QCByVVq2w@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div><br>
        </div>
        <div>
          <div>
            <div class="gmail_quote">
              <div dir="ltr" class="gmail_attr">On Sun, Dec 29, 2019 at
                12:34 PM Ron Singh &lt;<a
                  href="mailto:ronsingh149@gmail.com" target="_blank"
                  moz-do-not-send="true">ronsingh149@gmail.com</a>&gt;
                wrote:<br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div dir="ltr">
                  <div style="font-family:tahoma,sans-serif">From a
                    non-techy/new-ish to Linux guy's perspective, what
                    do I take away from this bit of "follow the bouncing
                    ball"?</div>
                  <div style="font-family:tahoma,sans-serif"><br>
                  </div>
                  <div style="font-family:tahoma,sans-serif">   
                    153.126.166.203 (<a
                      href="http://ik1-319-19699.vs.sakura.ne.jp"
                      target="_blank" moz-do-not-send="true">ik1-319-19699.vs.sakura.ne.jp</a>)</div>
                  <div style="font-family:tahoma,sans-serif"><br>
                  </div>
                  <div style="font-family:tahoma,sans-serif"><br>
                  </div>
                  <div style="font-family:tahoma,sans-serif">and
                    googling nmp3000, I get this twitter user as a top
                    hit and he seems to be a Linux-y kind of guy in
                    Japan:</div>
                  <div style="font-family:tahoma,sans-serif"><br>
                  </div>
                  <div style="font-family:tahoma,sans-serif"><a
                      href="https://twitter.com/nmp3000" target="_blank"
                      moz-do-not-send="true">https://twitter.com/nmp3000</a></div>
                  <div style="font-family:tahoma,sans-serif"><br>
                  </div>
                  <div style="font-family:tahoma,sans-serif">No idea if
                    there is any meaning to be gleaned from this, but I
                    thought it might be mildly interesting. I do wonder
                    if that fella's site is hacked and someone is using
                    his url for dastardly deeds. I am not at all savvy
                    about how these things work, but I thought it
                    curious.<br>
                  </div>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div>
                <div>The IP address that the attempts come from is
                  (usually) irrelevant. <br>
                </div>
                <div>This guy can be a victim, rather than a
                  perpetrator. <br>
                </div>
                <div><br>
                </div>
                <div>Usually, the ssh login attempt will come from a
                  single IP address: some <br>
                </div>
                <div>script kiddie tries to login to hosts, using
                  various login names (root, mysql, <br>
                </div>
                <div>uucp, lpadmin, ...etc.) The strange thing is that I
                  see the same attack on <br>
                </div>
                <div>more than one server, and sometimes it is all of
                  them from the same IP <br>
                </div>
                <div>address. How did they tie the servers that I own to
                  servers of my clients?</div>
                <div>I have no idea, but it happens often. And they are
                  in different data centers,</div>
                <div>and not in the same IP address blocks.<br>
                </div>
                <div><br>
                </div>
                <div>You can usually find out who the attacker is by using
                  something like this:</div>
                <div><br>
                </div>
                <div><a
                    href="https://www.whois.com/whois/153.126.166.203"
                    target="_blank" moz-do-not-send="true">https://www.whois.com/whois/153.126.166.203</a></div>
                <div><br>
                </div>
                <div>This will tell you the internet provider for the
                  IP. Sometimes it is a cloud</div>
                <div>provider like Amazon AWS or something like that.
                  Often, it is just an IP</div>
                <div>address that the attacker hacked somehow, not his
                  actual IP address.</div>
                <div>You can file a complaint at abuse@whatever-provider
                  (via Whois), but</div>
                <div>it is time consuming, and a whack-a-mole scenario.
                  <br>
                </div>
                <div><br>
                </div>
                <div>Then, there are attempts from various IP addresses,
                  like the one I posted.</div>
                <div>This is more sophisticated in that the attacker
                  commandeered several <br>
                </div>
                <div>computers (and not just a single one) and using
                  them to launch an attack. <br>
                </div>
                <div>It can be a bot net that the attacker created via
                  malware or other means. <br>
                </div>
                <div>Sometimes they rent a bot net that someone else
                  created and provides <br>
                </div>
                <div>it for hire. <br>
                </div>
                </div>
                <div><br>
                </div>
                <div>For this particular attack, the attacker wrote (or
                  downloaded) a shoddy script: <br>
                </div>
                <div>he forgot the login name in ssh for most attempts!
                  In another place in logwatch's</div>
                <div>report there is:</div>
                <div><br>
                </div>
                <pre> sshd:
    Authentication Failures:
       <b>unknown</b> (115.160.163.195): 2 Time(s)
       root (153.126.166.203): 1 Time(s)
       root (92.246.17.5): 1 Time(s)
       root (95.88.219.197): 1 Time(s)
       <b>unknown</b> (142.4.208.131): 1 Time(s)
       <b>unknown</b> (153.126.141.19): 1 Time(s)
       <b>unknown</b> (63.142.97.181): 1 Time(s)
       <b>unknown</b> (92.246.17.5): 1 Time(s)
    Invalid Users:
       Unknown Account: 6 Time(s)</pre>
                <div><br>
                </div>
                <div>While on another day, and another server, it was
                  like this:</div>
                <div><br>
                </div>
                Very persistent, trying many permutations for the
                password.
                <div><br>
                </div>
                <pre> sshd:
    Authentication Failures:
       <b>root</b> (101.78.209.150): <b>831</b> Time(s)
       unknown (196.196.217.50): 134 Time(s)
       <b>root</b> (196.196.217.50): 71 Time(s)
       <b>bin</b> (196.196.217.50): 1 Time(s)
       <b>daemon</b> (196.196.217.50): 1 Time(s)
    Invalid Users:
       Unknown Account: 134 Time(s)</pre>
                <div><br>
                </div>
                <div>For me, I just disable password login (rely on ssh
                  keys) and block the IP address <br>
                </div>
                <div>using this script:</div>
                <div><br>
                </div>
                <pre>#!/bin/sh
#
# Script to block one or more IP addresses with iptables.
# Must be run as root (iptables needs CAP_NET_ADMIN).

# Check arguments
if [ "$#" -eq 0 ]; then
  # Display a usage error message
  echo "Usage: $(basename "$0") ip-address [ip-address ...]" >&amp;2
  exit 1
fi

# "$@" keeps each argument intact; $* would re-split on whitespace
for IP in "$@"
do
  # Block the IP address: -I puts the rule at the top of INPUT so it
  # takes effect before any ACCEPT rules that follow
  if iptables -I INPUT -s "$IP" -j DROP; then
    logger -t "$(basename "$0")" "Blocking IP: $IP"
  else
    echo "Failed to block $IP" >&amp;2
  fi
done</pre>
                <div><br>
                </div>
                <div>Save it, and run it as needed.</div>
                <div>Residual attempts will still appear in logwatch's
                  report the following day.</div>
                 </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
kwlug-disc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a>
<a class="moz-txt-link-freetext" href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a>
</pre>
    </blockquote>
    <div class="moz-signature">-- <br>
      Mikalai Birukou <br>
      CEO | 3NSoft Inc.</div>
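The logwatch excerpts quoted above are aggregated from raw sshd log lines, and the two patterns Khalid describes (one IP hammering root hundreds of times, versus a handful of attempts each from many IPs) can be told apart automatically before anything is blocked. The following Python is an added example written for this page, not code from either poster: it parses constructed auth.log lines in OpenSSH's syslog format, produces the same per-user, per-IP "Authentication Failures" table logwatch prints (folding non-existent accounts into "unknown" as logwatch does), classifies the source pattern using assumed thresholds, and returns the same iptables DROP commands as the script above, refusing to emit one for any address inside an assumed management allow-list so you cannot lock yourself out.

```python
"""Added example (not from the original post): summarize sshd password
failures from raw auth.log lines the way logwatch's report does, flag the two
source patterns discussed above (one persistent IP vs. many low-volume IPs),
and emit iptables block commands while refusing to block allow-listed ranges.
The log lines, allow-list and thresholds below are constructed assumptions."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the syslog format OpenSSH uses; not real traffic.
SAMPLE_AUTH_LOG = """\
Dec 29 03:14:01 web1 sshd[2117]: Failed password for root from 101.78.209.150 port 41122 ssh2
Dec 29 03:14:03 web1 sshd[2117]: Failed password for root from 101.78.209.150 port 41122 ssh2
Dec 29 03:14:05 web1 sshd[2120]: Failed password for root from 101.78.209.150 port 41130 ssh2
Dec 29 03:14:07 web1 sshd[2122]: Failed password for root from 101.78.209.150 port 41140 ssh2
Dec 29 03:14:09 web1 sshd[2124]: Failed password for invalid user admin from 196.196.217.50 port 50212 ssh2
Dec 29 03:15:11 web1 sshd[2130]: Failed password for root from 153.126.166.203 port 39010 ssh2
Dec 29 03:16:12 web1 sshd[2131]: Failed password for invalid user oracle from 115.160.163.195 port 22000 ssh2
Dec 29 03:16:13 web1 sshd[2131]: Failed password for invalid user oracle from 115.160.163.195 port 22000 ssh2
Dec 29 03:17:15 web1 sshd[2135]: Failed password for root from 92.246.17.5 port 51000 ssh2
Dec 29 03:17:16 web1 sshd[2136]: Failed password for invalid user uucp from 92.246.17.5 port 51001 ssh2
Dec 29 03:18:20 web1 sshd[2140]: Failed password for invalid user lpadmin from 63.142.97.181 port 40000 ssh2
Dec 29 03:19:00 web1 sshd[2141]: Accepted publickey for deploy from 10.0.0.5 port 52000 ssh2: ED25519 SHA256:abc
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumed allow-list: never block your own management networks, or you lock
# yourself out of the box. Adjust to your environment.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("203.0.113.7/32")]


def parse_failures(log_text):
    """Yield (user, source_ip, is_invalid_user) per failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is not None


def summarize(log_text):
    """Counts keyed by (user, ip), plus totals per ip. Non-existent accounts
    are reported as 'unknown', which is what the logwatch excerpts show."""
    by_user_ip = Counter()
    by_ip = Counter()
    for user, ip, invalid in parse_failures(log_text):
        by_user_ip[("unknown" if invalid else user, ip)] += 1
        by_ip[ip] += 1
    return by_user_ip, by_ip


def classify(by_ip, single_source_min=4, distributed_min_sources=3):
    """Separate a persistent brute-forcer (many tries from one IP) from a
    distributed attack (several IPs, each trying only a few times).
    The thresholds are assumptions for this example, not tuned values."""
    persistent = sorted(ip for ip, n in by_ip.items() if n >= single_source_min)
    low_volume = [ip for ip, n in by_ip.items() if n < single_source_min]
    return {
        "persistent": persistent,
        "distributed": len(low_volume) >= distributed_min_sources,
        "low_volume_sources": len(low_volume),
    }


def block_commands(ips, allowlist=ALLOWLIST):
    """Return the iptables commands to drop each IP, skipping any address
    inside the allow-list. Commands are returned as strings, not executed."""
    cmds = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowlist):
            continue
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    by_user_ip, by_ip = summarize(SAMPLE_AUTH_LOG)
    print("Authentication Failures:")
    for (user, ip), n in sorted(by_user_ip.items(), key=lambda kv: -kv[1]):
        print(f"   {user} ({ip}): {n} Time(s)")
    verdict = classify(by_ip)
    print("Persistent sources:", verdict["persistent"])
    print("Distributed pattern:", verdict["distributed"])
    for cmd in block_commands(verdict["persistent"]):
        print(cmd)
```

Run it against a real /var/log/auth.log (or `journalctl -u ssh`) instead of the constructed sample and feed the "persistent" list to the block script above. Blocking the low-volume sources one at a time is the whack-a-mole Khalid mentions; the distributed verdict is the signal that password authentication, not the IP list, is the thing to turn off.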
  </body>
</html>