[Tecnica] brute-force attack

Marcello Semboli dinogen at gmail.com
Thu 11 Oct 2012 09:35:39 BST


He is trying to guess the password of root and of other users via ssh.
He makes one attempt every three seconds; you can increase the time
that passes between one failed login attempt and the next.

However (I admit my ignorance), I don't understand all those ports.
Doesn't a service listen on a single port?
Here it looks like it answers him on every port he tries...


2012/10/11 Freeze NorthPole <freeze782 at gmail.com>:
> sorry, you're right,
> I didn't notice anything, I only got this email:
>
>
> ---mail ---
> You are receiving this email as our automated intrusion detection has
> picked up information below that leads us to believe an IP address in
> your netblock is attempting to infiltrate our server. Its IP is:
> 86.109.160.33.
>
>  Due to this behaviour we have automatically put an IP block in place
> prohibiting all traffic from that address. If you feel this is in
> error then please reply to this email and we will look into it in due
> course.
>
> Regards,
>
> TusProfesionales Support
>
> The current machine timezone is recorded as CET +1
>
>
> Oct 10 20:55:10 correo sshd[1520]: Failed password for root from
> 78.46.229.107 port 59234 ssh2
> Oct 10 20:55:13 correo sshd[1817]: Failed password for root from
> 78.46.229.107 port 59581 ssh2
> Oct 10 20:55:15 correo sshd[2179]: Failed password for root from
> 78.46.229.107 port 59921 ssh2
> Oct 10 20:55:18 correo sshd[2362]: Failed password for root from
> 78.46.229.107 port 60266 ssh2
> Oct 10 20:55:21 correo sshd[2422]: Failed password for root from
> 78.46.229.107 port 60588 ssh2
> Oct 10 20:55:23 correo sshd[2480]: Failed password for root from
> 78.46.229.107 port 60902 ssh2
> Oct 10 20:55:26 correo sshd[2562]: Failed password for root from
> 78.46.229.107 port 32975 ssh2
> Oct 10 20:55:29 correo sshd[2608]: Failed password for root from
> 78.46.229.107 port 33281 ssh2
> Oct 10 20:55:32 correo sshd[2632]: Failed password for root from
> 78.46.229.107 port 33605 ssh2
> Oct 10 20:55:35 correo sshd[2636]: Failed password for root from
> 78.46.229.107 port 33913 ssh2
> Oct 10 20:55:38 correo sshd[2638]: Failed password for root from
> 78.46.229.107 port 34369 ssh2
> Oct 10 20:55:41 correo sshd[2640]: Failed password for root from
> 78.46.229.107 port 34670 ssh2
> Oct 10 20:55:44 correo sshd[2644]: Failed password for root from
> 78.46.229.107 port 34984 ssh2
> Oct 10 20:55:44 correo sshd[2651]: Invalid user oracle from 78.46.229.107
> Oct 10 20:55:46 correo sshd[2651]: Failed password for invalid user
> oracle from 78.46.229.107 port 35305 ssh2
> Oct 10 20:55:47 correo sshd[2659]: Invalid user test from 78.46.229.107
> Oct 10 20:55:49 correo sshd[2659]: Failed password for invalid user
> test from 78.46.229.107 port 35637 ssh2
> Oct 10 20:55:52 correo sshd[2668]: Failed password for root from
> 78.46.229.107 port 35943 ssh2
> Oct 10 20:55:54 correo sshd[2689]: Failed password for root from
> 78.46.229.107 port 36265 ssh2
> Oct 10 20:55:57 correo sshd[2697]: Failed password for root from
> 78.46.229.107 port 36583 ssh2
> Oct 10 20:56:00 correo sshd[2700]: Failed password for root from
> 78.46.229.107 port 36892 ssh2
> Oct 10 20:56:03 correo sshd[2702]: Failed password for root from
> 78.46.229.107 port 37204 ssh2
> Oct 10 20:56:05 correo sshd[2704]: Failed password for root from
> 78.46.229.107 port 37500 ssh2
> Oct 10 20:56:06 correo sshd[2706]: Invalid user teamspeak from 78.46.229.107
> Oct 10 20:56:08 correo sshd[2706]: Failed password for invalid user
> teamspeak from 78.46.229.107 port 37800 ssh2
> Oct 10 20:56:08 correo sshd[2709]: Invalid user teamspeak from 78.46.229.107
> Oct 10 20:56:11 correo sshd[2709]: Failed password for invalid user
> teamspeak from 78.46.229.107 port 38113 ssh2
> Oct 10 20:56:11 correo sshd[2712]: Invalid user nagios from 78.46.229.107
> Oct 10 20:56:13 correo sshd[2712]: Failed password for invalid user
> nagios from 78.46.229.107 port 38414 ssh2
> Oct 10 20:56:14 correo sshd[2715]: Invalid user postgres from 78.46.229.107
> Oct 10 20:56:16 correo sshd[2715]: Failed password for invalid user
> postgres from 78.46.229.107 port 38713 ssh2
> Oct 10 20:56:19 correo sshd[2717]: Failed password for root from
> 78.46.229.107 port 39030 ssh2
> Oct 10 20:56:22 correo sshd[2719]: Failed password for root from
> 78.46.229.107 port 39342 ssh2
> Oct 10 20:56:24 correo sshd[2721]: Failed password for root from
> 78.46.229.107 port 39647 ssh2
> Oct 10 20:56:27 correo sshd[2723]: Failed password for root from
> 78.46.229.107 port 39962 ssh2
> Oct 10 20:56:30 correo sshd[2727]: Failed password for root from
> 78.46.229.107 port 40261 ssh2
> Oct 10 20:56:32 correo sshd[2729]: Failed password for root from
> 78.46.229.107 port 40567 ssh2
> Oct 10 20:56:35 correo sshd[2731]: Failed password for root from
> 78.46.229.107 port 40868 ssh2
> Oct 10 20:56:39 correo sshd[2734]: Failed password for root from
> 78.46.229.107 port 41180 ssh2
> Oct 10 20:56:42 correo sshd[2736]: Failed password for root from
> 78.46.229.107 port 41596 ssh2
> Oct 10 20:56:44 correo sshd[2740]: Failed password for root from
> 78.46.229.107 port 41902 ssh2
> Oct 10 20:56:47 correo sshd[2742]: Failed password for root from
> 78.46.229.107 port 42205 ssh2
> Oct 10 20:56:50 correo sshd[2744]: Failed password for root from
> 78.46.229.107 port 42523 ssh2
> Oct 10 20:56:52 correo sshd[2746]: Failed password for root from
> 78.46.229.107 port 42840 ssh2
> Oct 10 20:56:55 correo sshd[2748]: Failed password for root from
> 78.46.229.107 port 43137 ssh2
> Oct 10 20:56:58 correo sshd[2750]: Failed password for root from
> 78.46.229.107 port 43454 ssh2
> Oct 10 20:57:01 correo sshd[2753]: Failed password for root from
> 78.46.229.107 port 43762 ssh2
> Oct 10 20:57:03 correo sshd[2755]: Failed password for root from
> 78.46.229.107 port 44064 ssh2
> Oct 10 20:57:06 correo sshd[2757]: Failed password for root from
> 78.46.229.107 port 44363 ssh2
> Oct 10 20:57:09 correo sshd[2759]: Failed password for root from
> 78.46.229.107 port 44684 ssh2
> Oct 10 20:57:11 correo sshd[2761]: Failed password for root from
> 78.46.229.107 port 45015 ssh2
> Oct 10 20:57:16 correo sshd[2763]: Failed password for root from
> 78.46.229.107 port 45345 ssh2
> Oct 10 20:57:19 correo sshd[2766]: Failed password for root from
> 78.46.229.107 port 45932 ssh2
> Oct 10 20:57:22 correo sshd[2768]: Failed password for root from
> 78.46.229.107 port 46258 ssh2
> Oct 10 20:57:25 correo sshd[2770]: Failed password for root from
> 78.46.229.107 port 46581 ssh2
> Oct 10 20:57:27 correo sshd[2772]: Failed password for root from
> 78.46.229.107 port 46907 ssh2
> Oct 10 20:57:30 correo sshd[2776]: Failed password for root from
> 78.46.229.107 port 47253 ssh2
> Oct 10 20:57:33 correo sshd[2779]: Failed password for root from
> 78.46.229.107 port 47587 ssh2
> Oct 10 20:57:36 correo sshd[2781]: Failed password for root from
> 78.46.229.107 port 47946 ssh2
> Oct 10 20:57:38 correo sshd[2783]: Failed password for root from
> 78.46.229.107 port 48260 ssh2
> Oct 10 20:57:41 correo sshd[2785]: Failed password for root from
> 78.46.229.107 port 48587 ssh2
> Oct 10 20:57:44 correo sshd[2787]: Failed password for root from
> 78.46.229.107 port 48928 ssh2
> Oct 10 20:57:47 correo sshd[2791]: Failed password for root from
> 78.46.229.107 port 49270 ssh2
> Oct 10 20:57:49 correo sshd[2793]: Failed password for root from
> 78.46.229.107 port 49600 ssh2
>
> 2012/10/11 Paolo Sammicheli <xdatap1 at siena.linux.it>:
>> On 11/10/2012 09:58, Freeze NorthPole wrote:
>>
>>> Hi all,
>>> just a few days ago I was asking you how to protect the server, and today
>>> I am told of an attempted brute-force attack and the provider asks me:
>>> - how it could have happened
>>> - what measures to take to prevent it from happening again,
>>
>>
>> Some more information, perhaps. On which port/protocol? What
>> happened, did they get in? What problems did you encounter? Was there a DoS?
>>
>> Bye
>> --
>> Paolo Sammicheli
>> Email: xdatap1(at)siena.linux.it
>> Slug - Siena Linux User Group | http://www.siena.linux.it
>> - Do what you like. Like what you do -
>> _______________________________________________
>> Tecnica mailing list
>> Tecnica at liste.siena.linux.it
>> http://liste.siena.linux.it/cgi-bin/mailman/listinfo/tecnica



-- 
____________________________
Marcello Semboli
http://dinogen.hacknight.org/

"Io non doppioclicco." (Davide Bianchi)
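
An added example, not part of the original thread: a small parser for sshd "Failed password" lines in the format of the quoted log. It groups failures by source address, measures the pace of attempts, and flags bursts. The number after `port` in these lines is the client's ephemeral source port, which changes with every new connection; sshd itself listens on one port. The sample log is constructed (documentation addresses, hypothetical host name) and unwrapped to one entry per line; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same syslog format as the quoted log.
SAMPLE = """\
Oct 10 20:55:10 host sshd[1520]: Failed password for root from 203.0.113.7 port 59234 ssh2
Oct 10 20:55:13 host sshd[1817]: Failed password for root from 203.0.113.7 port 59581 ssh2
Oct 10 20:55:16 host sshd[2179]: Failed password for root from 203.0.113.7 port 59921 ssh2
Oct 10 20:55:18 host sshd[2651]: Invalid user oracle from 203.0.113.7
Oct 10 20:55:19 host sshd[2651]: Failed password for invalid user oracle from 203.0.113.7 port 35305 ssh2
Oct 10 20:55:22 host sshd[2659]: Failed password for invalid user test from 203.0.113.7 port 35637 ssh2
Oct 10 21:10:00 host sshd[3001]: Failed password for alice from 198.51.100.9 port 40000 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port (\d+)")

def summarize(log_text, year=2012):
    """Group failed SSH logins by source IP."""
    per_ip = defaultdict(lambda: {"times": [], "users": set(), "src_ports": set()})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # e.g. the separate "Invalid user ..." line
        stamp, user, ip, port = m.groups()
        entry = per_ip[ip]
        # syslog timestamps carry no year, so one is supplied explicitly
        entry["times"].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
        entry["users"].add(user)
        entry["src_ports"].add(int(port))  # client-side port, not the sshd port
    return per_ip

def suspects(per_ip, min_failures=5, window_seconds=60):
    """Return IPs with at least min_failures failures inside any time window."""
    flagged = {}
    for ip, e in per_ip.items():
        times = sorted(e["times"])
        for i in range(len(times) - min_failures + 1):
            if (times[i + min_failures - 1] - times[i]).total_seconds() <= window_seconds:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                flagged[ip] = {"failures": len(times),
                               "mean_gap": sum(gaps) / len(gaps),
                               "users": sorted(e["users"]),
                               "distinct_src_ports": len(e["src_ports"])}
                break
    return flagged
```
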

