
bastards from Kenya and Taiwan are hitting my network



buckshotbarlow
12-02-2010, 09:24
So I run a Unix server out of the house. Use Comcast as my ISP. Watch out, Kenyans, Chinese and Taiwanese are hitting your network. Make sure you have strong passwords and firewalls...

Here's a snippet from my firewall:

my deny list on the firewall after updates:
accesskenya.co 41.215.63.148
broad.km.yn.dyn 116.55.227.91
linode.com 173.255.236.188
leadfusion.com 216.151.185.129
218.64.215.239 218.64.215.239

This is from my syslog. Basically they just keep running attacks using usernames and default passwords. Make sure all your passwords have been changed to 10-character alphanumeric, and all your default passwords have been changed.

Dec 4 05:12:01 elnino sshd[13939]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:03 elnino sshd[13941]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:05 elnino sshd[13943]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:06 elnino sshd[13945]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:08 elnino sshd[13947]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:10 elnino sshd[13949]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:12 elnino sshd[13951]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:14 elnino sshd[13953]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:16 elnino sshd[13955]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:18 elnino sshd[13957]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:20 elnino sshd[13959]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:21 elnino sshd[13961]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:23 elnino sshd[13963]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:25 elnino sshd[13965]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:27 elnino sshd[13967]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:29 elnino sshd[13969]: User root from 218.64.215.239 not allowed because listed in DenyUsers
Dec 4 05:12:31 elnino sshd[13971]: User root from 218.64.215.239 not allowed because listed in DenyUsers



Dec 4 02:08:30 elnino sshd[20817]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:33 elnino sshd[20819]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:35 elnino sshd[20821]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:38 elnino sshd[20823]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:41 elnino sshd[20825]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:44 elnino sshd[20827]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:46 elnino sshd[20829]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:49 elnino sshd[20831]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:53 elnino sshd[20833]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:56 elnino sshd[20835]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:08:58 elnino sshd[20837]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:09:01 elnino sshd[20839]: User root from 116.55.227.91 not allowed because listed in DenyUsers


Dec 4 02:01:07 elnino sshd[20398]: Invalid user servicioalcliente from 41.215.63.148
Dec 4 02:01:08 elnino sshd[20402]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:11 elnino sshd[20404]: Invalid user serviciocliente from 41.215.63.148
Dec 4 02:01:11 elnino sshd[20406]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:14 elnino sshd[20408]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:17 elnino sshd[20410]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:18 elnino sshd[20411]: Invalid user servicio from 41.215.63.148
Dec 4 02:01:20 elnino sshd[20414]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:23 elnino sshd[20418]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:23 elnino sshd[20416]: Invalid user sales from 41.215.63.148
Dec 4 02:01:25 elnino sshd[20420]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:27 elnino sshd[20422]: Invalid user info from 41.215.63.148
Dec 4 02:01:28 elnino sshd[20424]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:30 elnino sshd[20426]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:33 elnino sshd[20428]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:35 elnino sshd[20430]: Invalid user ventas from 41.215.63.148
Dec 4 02:01:36 elnino sshd[20432]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:39 elnino sshd[20436]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:40 elnino sshd[20434]: Invalid user compras from 41.215.63.148
Dec 4 02:01:42 elnino sshd[20438]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:44 elnino sshd[20440]: Invalid user news from 41.215.63.148
Dec 4 02:01:45 elnino sshd[20442]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:47 elnino sshd[20445]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:48 elnino sshd[20444]: Invalid user repuestos from 41.215.63.148
Dec 4 02:01:50 elnino sshd[20448]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:52 elnino sshd[20450]: Invalid user postmast from 41.215.63.148
Dec 4 02:01:52 elnino sshd[20452]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:55 elnino sshd[20454]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:01:56 elnino sshd[20455]: Invalid user postmaster from 41.215.63.148
Dec 4 02:01:58 elnino sshd[20458]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:02:00 elnino sshd[20462]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:02:03 elnino sshd[20464]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:02:05 elnino sshd[20466]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:02:06 elnino sshd[20460]: Invalid user webmast from 41.215.63.148
Dec 4 02:02:08 elnino sshd[20468]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:02:10 elnino sshd[20470]: Invalid user webmaster from 41.215.63.148
Dec 4 02:02:11 elnino sshd[20472]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:02:13 elnino sshd[20474]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:02:17 elnino sshd[20477]: User root from 116.55.227.91 not allowed because listed in DenyUsers
Dec 4 02:02:17 elnino sshd[20476]: Invalid user almacen from 41.215.63.148
Dec 4 02:02:20 elnino sshd[20480]: User root from 116.55.227.91 not allowed b

ChadAmberg
12-02-2010, 12:54
I used to run a script that automatically added these types of folks to an iptables deny list after 2 or 3 bad password attempts, but that was probably 10 years ago. Worked great though, I'd come home from work and find 4-5 new IPs added to the deny list.
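An added example, not code from either post above: a Python pass over syslog lines in the format shown in the first post that counts failures per source address, applies the "ban after N bad attempts in a window" rule ChadAmberg's old script used, and prints the result as a hosts.deny entry. The log lines, hostname, pids and addresses (documentation ranges) are constructed, not taken from the server above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the thread's syslog format: two brute-forcers, one
# single probe, and a truncated line like the last one in the original post.
SAMPLE_LOG = """\
Dec  4 02:01:07 elnino sshd[20398]: Invalid user servicioalcliente from 192.0.2.10
Dec  4 02:01:08 elnino sshd[20402]: User root from 198.51.100.20 not allowed because listed in DenyUsers
Dec  4 02:01:11 elnino sshd[20404]: Invalid user serviciocliente from 192.0.2.10
Dec  4 02:01:11 elnino sshd[20406]: User root from 198.51.100.20 not allowed because listed in DenyUsers
Dec  4 02:01:14 elnino sshd[20408]: User root from 198.51.100.20 not allowed because listed in DenyUsers
Dec  4 02:01:18 elnino sshd[20411]: Invalid user servicio from 192.0.2.10
Dec  4 09:30:00 elnino sshd[21000]: Invalid user admin from 203.0.113.7
Dec  4 02:02:20 elnino sshd[20480]: User root from 198.51.100.20 not allowed b
""".splitlines()

# The two message shapes that appear in the thread's excerpt.
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = (
    ("denyusers", re.compile(_PREFIX + r"User (?P<user>\S+) from " + _IP
                             + r" not allowed because listed in DenyUsers$")),
    ("invalid_user", re.compile(_PREFIX + r"Invalid user (?P<user>\S+) from " + _IP + "$")),
)

def parse_line(line, year=2010):
    """(timestamp, user, ip, kind) for a recognised failure, else None.
    Syslog omits the year, so the caller supplies it."""
    for kind, rx in PATTERNS:
        m = rx.match(line.strip())
        if m:
            stamp = " ".join(m["ts"].split())  # collapse syslog's day padding
            return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"], kind
    return None

def summarise(lines, year=2010):
    """Per source IP: failure count, usernames tried, and failure timestamps."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "times": []})
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # truncated or unrelated line
        ts, user, ip, _kind = parsed
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
        stats[ip]["times"].append(ts)
    return dict(stats)

def ban_candidates(stats, threshold=3, window_seconds=600):
    """IPs with `threshold` failures inside any `window_seconds` span: the rule
    an auto-deny script or a fail2ban jail acts on. Sliding window rather than
    a lifetime count, so a slow trickle spread over hours does not trip it."""
    banned = []
    for ip, s in stats.items():
        times = sorted(s["times"])
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                banned.append(ip)
                break
    return sorted(banned)

def hosts_deny_line(ips):
    """Render the ban list as a tcp_wrappers /etc/hosts.deny entry for sshd."""
    return "sshd: " + ", ".join(ips)

if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    print(hosts_deny_line(ban_candidates(stats)))  # sshd: 192.0.2.10, 198.51.100.20
```

The single 09:30 probe from 203.0.113.7 stays out of the list, and the truncated line is ignored rather than miscounted.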

BadShot
12-02-2010, 13:06
Actually if you're running a Windows system, change your passwords to be 15+ characters. Alpha + Numeric + Special characters are best, but even a simple pass phrase 15 characters or more breaks up the password cache file so that it can't simply be deciphered.

then again in this day and age if you're not running a firewall at home, you deserve what you get... harsh I know, but the internet and ass hats hacking your system isn't new by any stretch!

vim
12-02-2010, 13:10
http://denyhosts.sourceforge.net/

DenyHosts works very well against ankle-biters like this. Depending on the Linux distro you're running, there may be a drop-in package available to you.

TFOGGER
12-02-2010, 14:00
I find that by simply disabling WAN ping response in my routers, more than 90% of these incidents just go away. They can't hit what they can't see. I don't have any issues accessing my file server, as I have a static route set up on those ports.

68Charger
12-02-2010, 14:12
I find that by simply disabling WAN ping response in my routers, more than 90% of these incidents just go away. They can't hit what they can't see. I don't have any issues accessing my file server, as I have a static route set up on those ports.

This will stop the less sophisticated attacks, but they CAN hit what they can't see, it just means they don't get a response from ICMP packets.. there are many tools out there that can "ping" with non-standard packets until they get a response (like with port 80)... don't fall into a false sense of security from that.

it's a good practice, but should not be relied upon in lieu of a firewall... denying hosts is a good method if you can deploy it, I pretty much block ALL non-established traffic, but I can do that because I don't host anything...

buckshotbarlow
12-02-2010, 14:25
So denyhosts looks kewl, but I'm still a firm believer of multi-staged fw's to prevent this. Do u guys know of anything that you can do to tell comcrap that you're getting molested by a corksoaker in kenya? Windows is a security hole. Now my bias: Aix/Linux/Irix is the only way to fly...

vim
12-02-2010, 14:34
These are random probes from IP addresses and ranges you can't predict.

A hardware firewall, a software firewall on the system, services/ports turned off or closed to all but localhost -- these are important for Internet-facing servers.

Beyond that, measures start varying, and a good discussion requires beer. [Beer]

buckshotbarlow
12-02-2010, 14:41
So all that has been done...However the question remains...How do u fight comcrap so they start blocking this stuff?

TFOGGER
12-02-2010, 14:50
This will stop the less sophisticated attacks, but they CAN hit what they can't see, it just means they don't get a response from ICMP packets.. there are many tools out there that can "ping" with non-standard packets until they get a response (like with port 80)... don't fall into a false sense of security from that.

it's a good practice, but should not be relied upon in lieu of a firewall... denying hosts is a good method if you can deploy it, I pretty much block ALL non-established traffic, but I can do that because I don't host anything...

Yeah...I run a couple of firewalls as well....one hardware, one software. Good passwords, too. [Beer]

buckshotbarlow
12-02-2010, 14:57
Cable modem, into Untangle, into a dir655 running version 1.33xx. I found it to be a decent solution until u put ur lindows box into the dmz...

I just figured it via my office mate...Obama is from Kenya so he's hacking my network trying to look at my stash of gun pron...

68Charger
12-02-2010, 15:32
These are random probes from IP addresses and ranges you can't predict.

A hardware firewall, a software firewall on the system, services/ports turned off or closed to all but localhost -- these are important for Internet-facing servers.

Beyond that, measures start varying, and a good discussion requires beer. [Beer]

Now here's someone who really knows how to motivate! [Beer]

blocking all but established traffic makes you effectively invisible unless they're spoofing- most of these probes are looking for unprotected systems and/or open ports- there are enough of them out there to keep them in business (between that and their phishing scams)

BigBear
12-02-2010, 15:47
So... speaking English... how does an ordinary Joe know if they're ok? What exactly is a firewall, etc?...

I believe I have that windows firewall turned on. I keep all my wireless units turned off. My hardline is run through a router and I have anti-virus, etc... I should be ok right? What are they looking for anyways?


^^^ Not very computer literate, unless it's gaming or music....

68Charger
12-02-2010, 15:58
So... speaking English... how does an ordinary Joe know if they're ok? What exactly is a firewall, etc?...

I believe I have that windows firewall turned on. I keep all my wireless units turned off. My hardline is run through a router and I have anti-virus, etc... I should be ok right? What are they looking for anyways?

if you're going thru a router- (Linksys, Netgear, etc) many of them have a firewall built in- not very sophisticated, but they'll do- make sure the option on it to block administrative access & ping from the internet is enabled.

That, along with the windoze firewall (or appropriate software on a linux system) and anti-virus will provide decent protection.

The probes are looking for systems with known vulnerabilities that just came out, or systems that are still vulnerable because people don't get the latest updates on day 0. They can exploit them to install software (key loggers, trojans, etc). Some are looking to add your 'puter to their bot-net (to launch attacks from, they install software that can use your 'puter as a launching point)

Hoosier
12-02-2010, 17:25
fail2ban package will ban brute force attacks, on systems that support it:

# apt-get install -y fail2ban

Use nmap outside your network to scan yourself, see what ports are open. If you have port 22 open, set UsePasswords to no and require keyfiles, as they are much more secure than passwords.

H.

Irving
12-02-2010, 20:55
Does Peerblock help with this?

I'm always afraid someone will turn on my webcam and catch me taking a dump.

OgenRwot
12-02-2010, 21:19
So... speaking English... how does an ordinary Joe know if they're ok? What exactly is a firewall, etc?...

I believe I have that windows firewall turned on. I keep all my wireless units turned off. My hardline is run through a router and I have anti-virus, etc... I should be ok right? What are they looking for anyways?


^^^ Not very computer literate, unless it's gaming or music....

Yeah, what you said. I have no idea what these guys are talking about but it seems like I probably should. Is this if you're running a server out of the house or just a typical home network?

BadShot
12-02-2010, 21:38
You guys are going overboard for the average user. If you're popping systems in your DMZ then secure it along the lines you're discussing. Otherwise, most folks can set their home router FW to not accept connections that were not initiated from inside the home network. Ping all you want, port scan all you want, you're not going to make a connection. And like I said, if you're not taking advantage of the native functionality of the Windows Firewall and running at least a decent AV program, then you are going to get what you deserve, none of this Errornet crap is new. Much like the law, ignorance is not an excuse when there is such a wealth of information available from reliable sources online or at the book store!

For those who really want to know more about this in layman's terms, get a home networking/home firewall for dummies book. Best stuff out there at a 101 level for the non-uber geek.

llostwolf
12-02-2010, 23:35
I'm always afraid someone will turn on my webcam and catch me taking a dump.


take the web cam out of the bathroom........

buckshotbarlow
12-03-2010, 07:56
Is that an appliance in the throne room?


Does Peerblock help with this?

I'm always afraid someone will turn on my webcam and catch me taking a dump.

buckshotbarlow
12-03-2010, 08:08
If any of u guys run comcrap, you should check out this thread...basically, comcrap gives you a cable modem. Go down to microcenter or worsebuy and purchase a dlink or linksys router to get started. This will stop a majority of the phishers and crap that we're dealing with here on this thread. The other thing, make sure you keep your windows box up to date with patches, and follow strong passwords. My end custy has a requirement of minimum 10 character passwords, 2 special, 2 numbers, 6 letters for your password. In time, it will have to go to 12 characters to keep the chicomms out. I quit running winblows os because of the lack of security. Take a look at a major linux distro or run mac os. Unix based os's are more secure right out of the box vs windows. But, to continue on with the core content of the thread, running a fileserver/webserver/sshd box out of your house serves 2 purposes for me. First is that I sit behind a proxy and they only allow vpn's out...So on my vm, I run openvpn when I need to bypass my custy's security. This is for when I need to look at gun porn on co-ar15. The second is that we have mail restrictions on file sizes. Since the company I work for is huge...450k + employees, and supplies a majority of the custy's cots/hw systems, I need to be able to move those types of files around...thus...a file server and a mail server help out so that the end users can use it and it is not blocked by their network nazi's...

So far hitler of their network hasn't found the holes i poked into his network and shut me down yet...

Irving
12-03-2010, 10:42
It is when I bring my laptop in there. I guess that did sound a little weird not mentioning that it was built in to a laptop.

68Charger
12-03-2010, 11:11
It is when I bring my laptop in there. I guess that did sound a little weird not mentioning that it was built in to a laptop.

because a laptop in the bathroom sounds perfectly normal...[Coffee]

Irving
12-03-2010, 11:30
What's the difference between reading a book on the can and reading an on-line news article on the can?

The risk of a candid toilet photo, that's what!

theGinsue
12-03-2010, 11:51
You could always protect yourself from unwanted camera hacks with a high-tech physical security device installed on your laptop camera - put a small post-it note over the lens whilst communing with the call of nature.

ETA: Oh, and when I still had a laptop battery that lasted more than 2 minutes, I used to take my laptop into the "library" with me. You know, multi-tasking!

Irving
12-03-2010, 12:06
I've done that before. Folded piece of paper works just fine.

buckshotbarlow
12-03-2010, 15:40
disabled password logins via ssh, only allow keys.
deny all hosts
allow me and a couple other sysadmins that use the system for users
changed the exception list on my firewall to deny all traffic except for "trusted" ip's.

For 24 hours my syslog has been clean on the server, however the router/fw is giving obama wama's home country the finger.

If anyone wants a copy of the configs i give them to em...They only work on unix/linux systems though...

And i finally got ssh over my custy's new proxy defeated...the new version of putty is sweet!

Hoosier
12-03-2010, 15:51
disabled password logins via ssh, only allow keys.
deny all hosts
allow me and a couple other sysadmins that use the system for users
changed the exception list on my firewall to deny all traffic except for "trusted" ip's.

For 24 hours my syslog has been clean on the server, however the router/fw is giving obama wama's home country the finger.

If anyone wants a copy of the configs i give them to em...They only work on unix/linux systems though...

And i finally got ssh over my custy's new proxy defeated...the new version of putty is sweet!

I'd be interested in seeing the config, is it iptables?

Zomg there's a new version of putty? really? I rarely have less than 5 instances of putty running.

It sounds like your network is locked down, being scanned is just a given when you're on an IPv4 network address facing the public internet. An unprotected Windows machine placed directly on a public IP address in a DSL/cablemodem IP block will be scanned and infected in under 30 seconds. That's how much scan traffic is out there.

H.

mitch
12-04-2010, 22:06
Here's the "ban all korea and china netblocks" firewall (iptables) script. update information is at the top of the script.

And, for folks that haven't kept up on the ssh attacks - they are distributed now, so fail2ban is only a speed bump. You'll need to compile your own version of sshd (make it log passwords) to see this.

So, +1 on using only rsa keys (no passwords) for ssh access, and turning everything else off. There's nothing you need that can't be run over a non-standard ssh tunnel.

theGinsue
12-05-2010, 00:45
changed the exception list on my firewall to deny all traffic except for "trusted" ip's.

I've used this on all of the Unix networks I've administered for work. I only run Windows machines @ home though and I've been considering doing MAC filtering on my home network (mostly wireless). Anyone have experience with MAC filtering; particularly over a wireless network? I've had folks tell me that they've experienced significant degradation in connection speeds with MAC filtering enabled.

Experiences?

Not_A_Llama
12-05-2010, 00:50
I've used this on all of the Unix networks I've administered for work. I only run Windows machines @ home though and I've been considering doing MAC filtering on my home network (mostly wireless). Anyone have experience with MAC filtering; particularly over a wireless network? I've had folks tell me that they've experienced significant degradation in connection speeds with MAC filtering enabled.

Experiences?

MAC filtering is worthless - spoofing addresses is trivially easy (as in [Adapter] Properties->Configure->Advanced (depending on the adapter/driver)). Anyone that can run the software to break your WPA key can get past MAC filtering.

This even before concerns about performance degradation associated with the filtering.

buckshotbarlow
12-06-2010, 07:33
So I watched all my logs so far. Learned a few new things about tunneling over ip proxies, if you guys are in a unix env, and sit behind a proxy, I can help you get out...

Now, on to the good stuff, Ranging from brazil to kenya, and every other part of the globe, here's a START!!! to my block lists.

SSHD_CONFIG FILE
# Protocol 1 is off entirely; ServerKeyBits below is a protocol-1-only knob and is ignored
Protocol 2
Port 22
Port 443
PubkeyAuthentication yes
SyslogFacility AUTHPRIV
X11Forwarding yes
IgnoreRhosts yes
PermitEmptyPasswords no
# no reverse lookups, so the host half of the AllowUsers/DenyUsers patterns is matched on the IP
UseDNS no
LoginGraceTime 1m
MaxAuthTries 3
# keys only: the brute-force attempts in the logs never reach a password prompt
PasswordAuthentication no
UsePAM yes
Ciphers aes256-cbc,aes256-ctr
MACs hmac-sha1,hmac-sha1-96
ServerKeyBits 1024

# sshd checks DenyUsers first, then AllowUsers; a non-empty AllowUsers rejects everyone it does not match
AllowUsers *@192.168.*.*
AllowUsers *@127.0.0.1
DenyUsers *@210.51.25.167
DenyUsers root@*
DenyUsers *@222.122.235.21
DenyUsers *@200.195.138.44
DenyUsers *@119.60.2.198
DenyUsers oracle test user daemon nobody guest avahi beagleindex bin haldaemon man messagebus polkituser sshd at username http administrator admin library master user

My hosts.deny
http-rman : ALL EXCEPT LOCAL
ALL:

Firewall blocks all by default, allows only 3 ip's. I run a Netgear DIR-655. WPA2 for wireless. I took my untangle server out of the loop so i could collect more ips. Damn, that untangle server really works...blows me away at all the crap it was blocking...


sshkeys, now get distributed to all my users...But, I want to try ssh'ing with certs. Anyone know how to do that?

I hope this helps someone out...I'll update in a week. [Weight]
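An added example, not part of the post above: a small Python checker that parses an sshd_config like the one posted, mirrors sshd's DenyUsers-before-AllowUsers evaluation for a given login attempt, and flags the hardening settings the thread argues about. The sample config is constructed from the directives posted above (trimmed), the probe addresses are documentation ranges, and the finding texts are mine.

```python
from fnmatch import fnmatchcase

# Constructed sample modelled on the posted config (trimmed).
SAMPLE_CONFIG = """\
Protocol 2
Port 22
Port 443
PubkeyAuthentication yes
PermitEmptyPasswords no
UseDNS no
MaxAuthTries 3
PasswordAuthentication no
# protocol-1-only directive left over in the posted config
ServerKeyBits 1024
AllowUsers *@192.168.*.*
AllowUsers *@127.0.0.1
DenyUsers root@*
DenyUsers oracle test guest admin
"""

# Keywords sshd lets you repeat; their arguments accumulate into one list.
MULTI = {"port", "listenaddress", "allowusers", "denyusers", "allowgroups", "denygroups"}

def parse_sshd_config(text):
    """Lower-cased keyword -> value, or -> list of arguments for MULTI keywords.
    Like sshd, only whole-line comments are comments (no trailing '#' handling)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key in MULTI:
            cfg.setdefault(key, []).extend(value.split())
        else:
            cfg[key] = value
    return cfg

def access_allowed(cfg, user, ip):
    """sshd's order: a DenyUsers match rejects first; then a non-empty AllowUsers
    must match; otherwise the user is allowed. Patterns are 'user' or 'user@host'
    with shell-style wildcards; with UseDNS no the host side is just the IP."""
    def matches(pattern):
        upat, _, hpat = pattern.partition("@")
        return fnmatchcase(user, upat) and (not hpat or fnmatchcase(ip, hpat))
    if any(matches(p) for p in cfg.get("denyusers", [])):
        return False
    allow = cfg.get("allowusers", [])
    return not allow or any(matches(p) for p in allow)

def lint(cfg):
    """Findings for the settings the thread cares about. Where a check needs a
    default for an absent directive, the OpenSSH default is assumed."""
    findings = []
    if cfg.get("protocol") != "2":
        findings.append("Protocol not explicitly 2")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be no (keys only)")
    if cfg.get("permitemptypasswords", "no") != "no":
        findings.append("PermitEmptyPasswords must be no")
    if int(cfg.get("maxauthtries", "6")) > 4:
        findings.append("MaxAuthTries > 4 allows many guesses per connection")
    # 203.0.113.5 stands in for "some address out on the internet".
    if cfg.get("permitrootlogin") != "no" and access_allowed(cfg, "root", "203.0.113.5"):
        findings.append("root can still log in from an arbitrary address")
    if "serverkeybits" in cfg and cfg.get("protocol") == "2":
        findings.append("ServerKeyBits only affects protocol 1; ignored under Protocol 2")
    return findings

if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    print(lint(cfg))
    print(access_allowed(cfg, "root", "192.168.1.20"))  # False: DenyUsers wins over AllowUsers
```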

buckshotbarlow
12-06-2010, 07:39
waste of time for mac filtering. If you want to get into your house set up a unix VM (openbox or VMware) on your windows box, pick a random port for ssh connectivity. Another option is logmein. I use it for ALL WINDOWS boxes where I can't load a vm.



I've used this on all of the Unix networks I've administered for work. I only run Windows machines @ home though and I've been considering doing MAC filtering on my home network (mostly wireless). Anyone have experience with MAC filtering; particularly over a wireless network? I've had folks tell me that they've experienced significant degradation in connection speeds with MAC filtering enabled.

Experiences?