Posted by bz on June 6, 2008, 4:55 am
893a4c6c0563@a70g2000hsh.googlegroups.com:
>> >Every time I look at my NAS ftp log, I see all these Chicom IPs. How
>> >in hell do they get into my IP address? I got 400 recorded attempts to
>> >login as Administrator.
>>
>> The scripts go through and try to log into *every IP address* as
>> Administrator and common stupid passwords. It's not you they are after,
>> they are just looking for open places they can go in, in general.
>>
>> If they didn't get the occasional hit that let them in, they wouldn't bother.
>>
>> But people are lazy/stupid/whatever and put stupid easy passwords up
>> on common services listening wide open on the Net.
>
> My NAS is running Linux OS as firmware, so 'Administrator' is not even a
> valid username. It is set up in my router as a virtual FTP server
> instead of DMZ.
>
There are scripts running, trying to break into machines all the time.
On one of my mail servers [a Linux machine], I run a script in the hosts.deny file that sends me an e-mail every time someone unauthorized tries to SSH into my machine.
If they try more than twice, I look up their ISP and forward a copy of the message to them.
About 10% of the time I get back a 'thank you, we checked the machine and it was infected with ...'
----------------
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
#
# Deny every service to every client not explicitly listed in hosts.allow,
# and on each refused connection spawn a background shell that mails root
# a report. %c, %d, %p, %u and %h are TCP Wrappers expansions (client
# info, daemon name, pid, ident username, client host); tcpd replaces shell
# metacharacters in them with underscores before the command runs. Colons
# inside the command are written as '\:' because ':' separates fields in
# this file. A per-connection temp file from mktemp replaces the original
# fixed filename so that simultaneous connections do not overwrite each
# other's reports.
ALL: ALL: spawn ( \
T=$(/bin/mktemp /tmp/host.deny.XXXXXX) ; \
echo -e "Unauthorized access attempt(s) made upon our machine(s)\n\
by %c. \n\
Probable compromised machine, scanning for vulnerable machines to subvert.\n\
\n\
Suspect machines should be removed from the network and checked.\n\
Most have been virus/worm/trojan infected or hacked/rooted/zombied.\n\
\n\
You may get lucky and catch a hacker.\n\
\n\
sig line1\n\
sig line2\n\
\n\
\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
Add 5 hours to CDT, 6 hours to CST to get GMT \n\
\n\
Trace Route to OFFENDING Machine \n\
" > "$T" ; /usr/sbin/traceroute %c >> "$T" ; \
/bin/echo -e "\n from log file /var/log/secure" >> "$T" ; \
/bin/grep %h /var/log/secure >> "$T" ; \
/bin/echo -e "\n from log file /var/log/messages" >> "$T" ; \
/bin/grep %h /var/log/messages >> "$T" ; \
/bin/echo -e "\n last lines of /var/log/messages and /var/log/secure" >> "$T" ; \
/usr/bin/tail -5 /var/log/messages >> "$T" ; \
/usr/bin/tail -5 /var/log/secure >> "$T" ; \
/bin/netstat -aven >> "$T" ; \
/bin/mail -s "Hack attempt(s) by %u@%h upon $(uname -n)" root \
< "$T" ; rm -f "$T" )&
------------------------------
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+csm@ch100-5.chem.lsu.edu remove ch100-5 to avoid spam trap
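The hosts.deny hook above fires once per refused connection; deciding which sources have tried "more than twice" and are worth forwarding to an ISP still means tallying the log afterwards. The following is an added example, not code from the thread: it parses OpenSSH "Failed password" lines and TCP Wrappers "refused connect" lines from a constructed auth-log sample, counts attempts per source address, flags addresses over the poster's threshold of two, and builds a short abuse report in the style of the mail above. The log lines, addresses and hostname are all made up for the example.

```python
"""Tally failed SSH logins per source address and flag repeat offenders.

Added example; the log sample below is constructed, not taken from a real host.
"""
import re
from collections import defaultdict

# Typical OpenSSH failure line as written to /var/log/secure or auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# TCP Wrappers' own refusal line (the event the spawn hook in the post fires on).
REFUSED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"refused connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: one scanner guessing names, one legitimate user with a
# single typo, one address that was refused three times by TCP Wrappers.
SAMPLE_LOG = """\
Jun  6 03:12:01 nas sshd[2231]: Failed password for invalid user administrator from 203.0.113.7 port 51234 ssh2
Jun  6 03:12:04 nas sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jun  6 03:12:09 nas sshd[2233]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun  6 03:20:41 nas sshd[2240]: Failed password for bz from 192.0.2.55 port 40001 ssh2
Jun  6 03:21:02 nas sshd[2244]: Accepted password for bz from 192.0.2.55 port 40002 ssh2
Jun  6 04:01:17 nas sshd[2260]: refused connect from 198.51.100.9 (198.51.100.9)
Jun  6 04:01:19 nas sshd[2261]: refused connect from 198.51.100.9 (198.51.100.9)
Jun  6 04:01:22 nas sshd[2262]: refused connect from 198.51.100.9 (198.51.100.9)
"""


def tally_attempts(log_text):
    """Return {ip: {"count", "users", "last"}} over failed/refused lines.

    Successful logins and unrelated lines are ignored.
    """
    tally = defaultdict(lambda: {"count": 0, "users": set(), "last": None})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            entry = tally[m.group("ip")]
            entry["users"].add(m.group("user"))
        else:
            m = REFUSED_RE.match(line)
            if not m:
                continue
            entry = tally[m.group("ip")]
        entry["count"] += 1
        entry["last"] = m.group("ts")
    return dict(tally)


def repeat_offenders(tally, max_allowed=2):
    """Addresses with more than max_allowed attempts, sorted for stable output."""
    return sorted(ip for ip, e in tally.items() if e["count"] > max_allowed)


def abuse_report(ip, tally, our_host="nas.example.invalid"):
    """Plain-text report for one address, suitable for forwarding to its ISP."""
    e = tally[ip]
    users = ", ".join(sorted(e["users"])) or "(none recorded)"
    return (
        f"Unauthorized access attempt(s) made upon {our_host} by {ip}.\n"
        f"{e['count']} failed SSH connections/logins, last at {e['last']}.\n"
        f"Usernames tried: {users}\n"
        "Probable compromised machine scanning for weak passwords; "
        "please check it.\n"
    )


if __name__ == "__main__":
    counts = tally_attempts(SAMPLE_LOG)
    for offender in repeat_offenders(counts):
        print(abuse_report(offender, counts))
```

On a real box the sample text would be replaced by the contents of /var/log/secure, and the threshold kept at two so that a single mistyped password from a legitimate user (192.0.2.55 above) is not reported while the name-guessing scanner and the repeatedly refused address are.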