<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>There are examples where people run an ssh shell behind a Tor proxy.</p>
<p>This way you never get this attack, because no one knows the
.onion address.<br>
</p>
<div class="moz-cite-prefix">On 2019-12-29 1:53 p.m., Khalid
Baheyeldin wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+TuoW29rjOnLB07Xy2cYFAU3B81rH5hRb9MWKmW0QCByVVq2w@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div><br>
</div>
<div>
<div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sun, Dec 29, 2019 at
12:34 PM Ron Singh <<a
href="mailto:ronsingh149@gmail.com" target="_blank"
moz-do-not-send="true">ronsingh149@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:tahoma,sans-serif">From a
non-techy/new-ish to Linux guy's perspective, what
do I take away from this bit of "follow the bouncing
ball"?</div>
<div style="font-family:tahoma,sans-serif"><br>
</div>
<div style="font-family:tahoma,sans-serif">
153.126.166.203 (<a
href="http://ik1-319-19699.vs.sakura.ne.jp"
target="_blank" moz-do-not-send="true">ik1-319-19699.vs.sakura.ne.jp</a>)</div>
<div style="font-family:tahoma,sans-serif"><br>
</div>
<div style="font-family:tahoma,sans-serif"><br>
</div>
<div style="font-family:tahoma,sans-serif">and
googling nmp3000, I get this twitter user as a top
hit and he seems to be a Linux-y kind of guy in
Japan:</div>
<div style="font-family:tahoma,sans-serif"><br>
</div>
<div style="font-family:tahoma,sans-serif"><a
href="https://twitter.com/nmp3000" target="_blank"
moz-do-not-send="true">https://twitter.com/nmp3000</a></div>
<div style="font-family:tahoma,sans-serif"><br>
</div>
<div style="font-family:tahoma,sans-serif">No idea if
there is any meaning to be gleaned from this, but I
thought it might be mildly interesting. I do wonder
if that fella's site is hacked and someone is using
his url for dastardly deeds. I am not at all savvy
about how these things work, but I thought it
curious.<br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>
<div>The IP address that the attempts come from is
(usually) irrelevant. <br>
</div>
<div>This guy can be a victim, rather than a
perpetrator. <br>
</div>
<div><br>
</div>
<div>Usually, the ssh login attempt will come from a
single IP address: some <br>
</div>
<div>script kiddie tries to log in to hosts, using
various login names (root, mysql, <br>
</div>
<div>uucp, lpadmin, etc.). The strange thing is that I
see the same attack on <br>
</div>
<div>more than one server, and sometimes it is all of
them from the same IP <br>
</div>
<div>address. How did they tie the servers that I own to
servers of my clients?</div>
<div>I have no idea, but it happens often. And they are
in different data centers,</div>
<div>and not in the same IP address blocks.<br>
</div>
<div><br>
</div>
<div>You can usually know who the attacker is using
something like this:</div>
<div><br>
</div>
<div><a
href="https://www.whois.com/whois/153.126.166.203"
target="_blank" moz-do-not-send="true">https://www.whois.com/whois/153.126.166.203</a></div>
<div><br>
</div>
<div>This will tell you the internet provider for the
IP. Sometimes it is a cloud</div>
<div>provider like Amazon AWS or something like that.
Often, it is just an IP</div>
<div>address that the attacker hacked somehow, not his
actual IP address.</div>
<div>You can file a complaint at abuse@whatever-provider
(via Whois), but</div>
<div>it is time consuming, and a whack-a-mole scenario.
<br>
</div>
<div><br>
</div>
<div>Then, there are attempts from various IP addresses,
like the one I posted.</div>
<div>This is more sophisticated in that the attacker
commandeered several <br>
</div>
<div>computers (and not just a single one) and is using
them to launch an attack. <br>
</div>
<div>It can be a bot net that the attacker created via
malware or other means. <br>
</div>
<div>Sometimes they rent a bot net that someone else
created, and provides <br>
</div>
<div>it for hire. <br>
</div>
<div><br>
</div>
<div>For this particular attack, the attacker wrote (or
downloaded) a shoddy script: <br>
</div>
<div>he forgot the login name in ssh for most attempts!
In another place in logwatch's</div>
<div>report there is:</div>
<div><br>
</div>
<pre> sshd:
    Authentication Failures:
       <b>unknown</b> (115.160.163.195): 2 Time(s)
       root (153.126.166.203): 1 Time(s)
       root (92.246.17.5): 1 Time(s)
       root (95.88.219.197): 1 Time(s)
       <b>unknown</b> (142.4.208.131): 1 Time(s)
       <b>unknown</b> (153.126.141.19): 1 Time(s)
       <b>unknown</b> (63.142.97.181): 1 Time(s)
       <b>unknown</b> (92.246.17.5): 1 Time(s)
    Invalid Users:
       Unknown Account: 6 Time(s)</pre>
<div><br>
</div>
<div>While on another day, and another server, it was
like this:</div>
<div><br>
</div>
<div>Very persistent, trying many permutations for the
password.</div>
<div><br>
</div>
<pre> sshd:
    Authentication Failures:
       <b>root</b> (101.78.209.150): <b>831</b> Time(s)
       unknown (196.196.217.50): 134 Time(s)
       <b>root</b> (196.196.217.50): 71 Time(s)
       <b>bin</b> (196.196.217.50): 1 Time(s)
       <b>daemon</b> (196.196.217.50): 1 Time(s)
    Invalid Users:
       Unknown Account: 134 Time(s)</pre>
<div><br>
</div>
<div>For me, I just disable password login (rely on ssh
keys) and block the IP address <br>
</div>
<div>using this script:</div>
<div><br>
</div>
<pre>#!/bin/sh
#
# Script to block one or more IP addresses

# Check arguments
if [ $# -eq 0 ]; then
    # Display a usage error message
    echo "Usage: $(basename "$0") ip-address [ip-address ...]" >&amp;2
    exit 1
fi

for IP in "$@"
do
    # Block the IP address (insert at the top of the INPUT chain)
    iptables -I INPUT -s "$IP" -j DROP
    # Record the block in syslog
    logger -t "$(basename "$0")" "Blocking IP: $IP"
done</pre>
<div><br>
</div>
<div>Save it, and run it as needed.</div>
<div>Residual attempts will still appear in logwatch's
report the following day.</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
kwlug-disc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a>
<a class="moz-txt-link-freetext" href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a>
</pre>
</blockquote>
<div class="moz-signature">-- <br>
Mikalai Birukou <br>
CEO | 3NSoft Inc.</div>
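<p>An added example, not from anyone in this thread: the logwatch summaries quoted above are built from the sshd lines in the auth log, and the blocking script quoted above takes a list of IPs on its command line. The script below does the step in between. It reads sshd log lines, reports failures per login name and source IP the way logwatch does (treating "invalid user" attempts as "unknown"), and lists the IPs that cross a chosen threshold so they can be handed to a blocking script. The log lines embedded in SAMPLE_LOG are constructed for the example; on a real host they come from /var/log/auth.log, /var/log/secure or the journal. The function names and the threshold of 3 are this example's own choices.</p>

```shell
#!/bin/sh
# Added example: summarise sshd authentication failures per user and source IP
# and pick out the IPs that exceed a threshold. Not code from the thread.

# Constructed sample of sshd log lines (normal syslog format). On a real
# system feed the script the auth log instead of this variable.
SAMPLE_LOG=$(cat <<'EOF'
Dec 29 03:14:07 host sshd[2211]: Failed password for root from 101.78.209.150 port 41022 ssh2
Dec 29 03:14:09 host sshd[2211]: Failed password for root from 101.78.209.150 port 41022 ssh2
Dec 29 03:14:12 host sshd[2213]: Failed password for root from 101.78.209.150 port 41030 ssh2
Dec 29 03:15:40 host sshd[2290]: Invalid user admin from 196.196.217.50 port 50112
Dec 29 03:15:42 host sshd[2290]: Failed password for invalid user admin from 196.196.217.50 port 50112 ssh2
Dec 29 03:16:01 host sshd[2301]: Failed password for bin from 196.196.217.50 port 50130 ssh2
Dec 29 03:20:17 host sshd[2350]: Accepted publickey for deploy from 192.0.2.10 port 52200 ssh2
EOF
)

# Read log lines on stdin; print "count user ip", highest count first.
# "Failed password for invalid user X from IP" is reported as user "unknown",
# which is how the logwatch reports quoted in the thread show such attempts.
summarise_failures() {
    grep 'sshd.*Failed password for ' \
    | sed -e 's/.*Failed password for invalid user [^ ]* from \([^ ]*\) .*/unknown \1/' \
          -e 's/.*Failed password for \([^ ]*\) from \([^ ]*\) .*/\1 \2/' \
    | sort | uniq -c | sort -rn
}

# Read log lines on stdin; print the number of failed password attempts
# that came from the IP given as $1 (exact match on the address field).
failures_for_ip() {
    awk -v ip="$1" '
        /sshd.*Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == ip) n++
        }
        END { print n + 0 }'
}

# Read log lines on stdin; print, one per line and sorted, every IP with at
# least $1 failed password attempts. This is the list a blocking script like
# the one quoted in the thread would take as its arguments.
ips_over_threshold() {
    awk -v limit="$1" '
        /sshd.*Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= limit) print ip }' | sort
}

# Stand-alone run: show the summary of the constructed sample, then the rules
# that a threshold of 3 would produce. This is a dry run; it only prints the
# iptables command rather than applying it, which would need root.
printf '%s\n' "$SAMPLE_LOG" | summarise_failures
printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 3 | while read -r ip; do
    echo "would run: iptables -I INPUT -s $ip -j DROP"
done
```

<p>To use it against a real log, replace the SAMPLE_LOG pipe with something like <code>cat /var/log/auth.log | ips_over_threshold 20</code> and pass the result to the blocking script; a threshold well above a single typo keeps a legitimate user who mistyped a password from blocking themselves. Disabling password authentication, as the quoted message recommends, is what stops the attempts from succeeding; the block list only reduces the noise.</p>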
</body>
</html>