Re: h4x0rs

From: Joakim Aronius (joakimaronius.com)
Date: Wed Dec 01 2004 - 02:56:22 CST


Yep, you are right. I checked my script for doing the sshblock and I use a regexp to get the IP. The attacker could of course enter an IP address as a user name, which I didn't think of before.

Proves again that one can never be too paranoid.. :)

/jkm
 
* Clint M. Sand (clintneotrance.dyndns.org) wrote:
> On Mon, Nov 29, 2004 at 03:00:00PM +0100, Joakim Aronius wrote:
> > Since we have pf it's a piece of cake to apply Mr Hartmeiers quickblock recipe on those who try logging in with root: http://www.benzedrine.cx/pf/msg01273.html
> > Pretty neat.
> >
> > /jkm
>
> Note that to use that you'd want to modify it to pull the IP address by
> counting from the right side of the log line to the left, instead of
> using cut as shown here to do it going left from right.
>
> Otherwise someone attempting to log in with a user name containing a
> space will cause the src IP column to be a different offset than it
> should be.
>
> It works in that example because the IP of the offender is always in the
> same column in the log message. With authlog, it's not.
>
>
> > * Bram Van Dam (bramspamtelenet.be) wrote:
> > > Matthieu Herrb wrote:
> > > >Dave Feustel wrote:
> > > >
> > > >>I'm seeing a lot more attempts via ssh to get into my system in the
> > > >>last couple of weeks. Almost all of the from ip addresses are from
> > > >>the far east.
> > > >>(Korea, China)
> > > >These attacks are looking for weak passwords on ssh accounts, not
> > > >vulnerabilities in ssh itself.
> > > >
> > > >At least one of these kits then attacks a Linux kernel vulnerability to
> > > >gain root. This has nothing to do with OpenBSD.
> > >
> > > Quite correct. I too got a few thousand of those -- pretty lame, I mean
> > > what kind of an idiot even bothers trying to log in as root over ssh --
> > > attempts until I moved SSH to a different port. Apparently that tends to
> > > scare most script-kiddies away.
> > > That and I added half of Asia to my pf deny list, that too might have
> > > something to do with it ;).
> > >
> > > Also, don't even bother mailing them abuse reports, in most cases they
> > > bounce back, and when they don't you get a pretty lame reply along the
> > > lines of "we're busy, fuck off". Phoning them on the other hand results
> > > in them not wanting to speak English. When phoning them in Chinese they
> > > suddenly don't want to speak Chinese either. Strange people.
> > >
> > >
> > > - Bram
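The two log-parsing traps discussed in this thread (a user name containing spaces shifting the source IP column, and an attacker supplying an IP address as the user name), with the right-to-left extraction Clint recommends, as an added example that is not part of the original thread or of the pf recipe it links to. It assumes OpenBSD-style sshd authlog lines of the form "Failed password for ... from <ip> port <n> ssh2"; the sample lines, host name, pids, addresses and the `sshblock` table name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Extracts the offender's IP
# from sshd authlog lines by scanning fields from the right, so that nothing
# the attacker controls (the user name) can shift or spoof the address.

# Constructed sample authlog lines: host, pids and addresses are made up.
# Line 2 shows a user name that is itself an IP address; line 3 a user name
# containing spaces.
SAMPLE_LOG='Dec  1 02:56:22 gw sshd[4120]: Failed password for root from 203.0.113.5 port 4321 ssh2
Dec  1 02:56:23 gw sshd[4121]: Failed password for invalid user 10.0.0.1 from 203.0.113.6 port 4322 ssh2
Dec  1 02:56:24 gw sshd[4122]: Failed password for invalid user a b c from 203.0.113.7 port 4323 ssh2'

# Naive left-to-right extraction, the approach the thread warns about: take
# the 11th whitespace-separated field. Correct only for a single-token user
# name; on line 2 it returns the attacker-chosen "10.0.0.1", on line 3 "a".
naive_src_ip() {
    printf '%s\n' "$1" | awk '{ print $11 }'
}

# Right-to-left extraction: walk fields from the end until the trailing
# "from <ip> port <n>" structure is found, and take the <ip> field. Everything
# before it, including spaces or the word "from" inside the user name, is
# ignored because the scan starts at the real end of the line.
src_ip() {
    printf '%s\n' "$1" | awk '{
        for (i = NF; i > 2; i--)
            if ($i == "port" && $(i-2) == "from") { print $(i-1); exit }
    }'
}

# Syntax check before anything reaches pfctl: only a dotted quad is accepted.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Select failed root logins from the sample log and emit one validated source
# address per line. A real script would feed each address to the pf table, e.g.
#   pfctl -t sshblock -T add "$ip"     # table name is an assumption
failed_root_ips() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'Failed password for root from ' |
    while IFS= read -r line; do
        ip=$(src_ip "$line")
        is_ipv4 "$ip" && printf '%s\n' "$ip"
    done
}

failed_root_ips
```

The `naive_src_ip` function is kept only to show the failure: on the constructed line 2 it hands the blocking script an address the attacker typed as a user name, which is exactly the case Joakim describes. `src_ip` anchors on the "from ... port" pair at the end of the line instead, and `is_ipv4` rejects anything that is not an address so a crafted user name can never become a pf table entry.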