Attacks on ADSL

laura

About a few days ago I realised my internet speeds were slow; normally my internet speed is very fast, about 40k. One evening it was particularly slow. The only computer partially accessible from the outside is my Linux machine. When checking the log files I found Apache was not accessed that often, but ssh was. In fact someone has been looking for a backdoor, running through common account names looking for a way in - but I have disabled unused accounts :D and use passwords.

Is anybody else experiencing such attacks? :confused: One such attack lasted for more than 30 mins. What can I do to stop the attacks at the source, so that they don't clog my connection?

Is the best solution to the high tech problem a low tech solution - just unplug? How impractical is that! :eek:

Laura
 
Plenty of them..... it happens on iBurst and ADSL

Nov 14 01:46:36 sshd[29858]: Invalid user Friends from ::ffff:217.168.145.134
Nov 14 01:46:39 sshd[29860]: Invalid user George from ::ffff:217.168.145.134
Nov 14 01:46:42 sshd[29862]: Invalid user Shadow from ::ffff:217.168.145.134
Nov 14 01:46:44 sshd[29864]: Invalid user Mihai from ::ffff:217.168.145.134
Nov 14 01:46:47 sshd[29866]: Invalid user Mike from ::ffff:217.168.145.134
Nov 14 01:46:50 sshd[29868]: Invalid user Michael from ::ffff:217.168.145.134
Nov 14 01:46:53 sshd[29870]: Invalid user hello from ::ffff:217.168.145.134
Nov 14 01:46:56 sshd[29872]: Invalid user alo from ::ffff:217.168.145.134
Nov 14 01:46:59 sshd[29874]: Invalid user bit from ::ffff:217.168.145.134
Nov 14 01:47:01 sshd[29876]: Invalid user bit from ::ffff:217.168.145.134
Nov 14 01:47:04 sshd[29878]: Invalid user topgun from ::ffff:217.168.145.134

......... ad nauseam.
 
I also experience ssh attacks quite often. I would love to know if there are many ssh boxes that are accessible on the net that have weak passwords. I always thought that people who use ssh were security conscious.
 
Yup, noticed this happen the other day.. since I don't use my ssh connection much I have disabled it for the time being till, if I still have ADSL, nxt yr when varsity starts.
 
Probably the easiest thing to do is to disconnect for a few mins, and then reconnect. Hopefully you will get a new IP.

Blacklisting the IP that's attacking you might also work, since they won't be able to establish a connection to the port.

Code:
iptables -A INPUT -s <sourceip/32> -j DROP

That should hopefully drop the connections.
 
Get a lot of these as well. Best to use nice alpha-numeric passwords with some punctuation marks included.

)&S!blowme&^%
 
laura said:
- but i have disabled unused accounts :D and use passwords.
I would disable password login and allow only public/private keys to log in via ssh. Passwords can eventually be guessed given the right amount of time/luck.

Obelix
 
I think what I will do is block IP addresses in the IP filter at the WAN interface. But I still don't like the fact that it generates traffic that goes towards my precious cap. :mad:
 
I'm going to extract the list of offending IP addresses for SAIX and will mail the abuse helpdesk :( I hope they will do something or at least help me, I'm hoping they will be able to do something about it. In the States something like this is a punishable offence, if done across state lines a federal one, at that :p .
Does anybody know what can be done about it? What are the legal structures put in place for this sort of thing?
 
Surely there is a chance that people are trying to log in to their boxes but are getting the wrong IP because the box is down or DDNS hasn't been updated ?!?!?


I don't see how Michael and George can be common account names?
 
If it's the same IP address, in a period of 10 mins, using different usernames to log in, basically using accounts like administrator, wheel, admin, administrator ...... these account names are like what kids read in a basic hacking guide.
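
The check discussed in the posts above (extract the offending IPs, and treat one address trying many different usernames within 10 minutes as a scan rather than a mistyped login), as an added Python example that is not from any poster in this thread. The function name, the threshold of 5 usernames and the sample log lines (constructed, documentation-range addresses) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd "Invalid user" lines in the format quoted in the thread; the
# hostname syslog normally writes before "sshd[...]" is treated as optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?:\S+\s)?sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)$"
)

def offending_ips(lines, year, window=timedelta(minutes=10), min_users=5):
    """Return {ip: peak number of distinct invalid usernames in any window}."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["src"]
        if ip.lower().startswith("::ffff:"):  # IPv4-mapped IPv6 form
            ip = ip[7:]
        events[ip].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in evs[start:end + 1]}))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged

# Constructed sample: one scanner, one user mistyping their own name twice.
SAMPLE_LOG = """\
Nov 14 01:46:36 sshd[101]: Invalid user admin from ::ffff:203.0.113.7
Nov 14 01:46:39 sshd[102]: Invalid user test from ::ffff:203.0.113.7
Nov 14 01:46:42 sshd[103]: Invalid user guest from ::ffff:203.0.113.7
Nov 14 01:46:45 sshd[104]: Invalid user oracle from ::ffff:203.0.113.7
Nov 14 01:46:48 sshd[105]: Invalid user backup from ::ffff:203.0.113.7
Nov 14 09:10:02 myhost sshd[230]: Invalid user lara from 198.51.100.20
Nov 14 09:10:15 myhost sshd[231]: Invalid user lauar from 198.51.100.20
""".splitlines()

if __name__ == "__main__":
    print(offending_ips(SAMPLE_LOG, year=2005))
```

The returned addresses are the ones to put in the abuse report or in the `iptables` DROP rule shown earlier in the thread.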
 
rburley said:
how do you check this if you are a nooB

If you do not have a Linux box, disable port 22 on your router. In fact, if you are a real n00B, disable all the incoming ports, except those you KNOW you need.

If you do have a linux box, google "iptables", "firewall" "ssh" etc - many HOWTOs.
 