[Tecnica] brute-force attack

Freeze NorthPole freeze a siena.linux.it
Thu 11 Oct 2012 09:38:46 BST


well, for now they've blacklisted it, so I have a few hours of "peace"
I'll change the root password right away to make it "stronger"
but for the other operational steps I rely on you and good old Google :)

On Thu, Oct 11, 2012 at 10:35 AM, Marcello Semboli <dinogen a gmail.com> wrote:
> It is trying to guess the root password and those of other users via ssh.
> It makes one attempt every three seconds; the interval between one
> failed login attempt and the next can be increased.
>
> But (I admit my ignorance) I don't understand all those ports.
> Doesn't a service listen on a single port?
> Here it seems to answer it on every port it tries...
>
>
> 2012/10/11 Freeze NorthPole <freeze782 a gmail.com>:
>> sorry, you're right,
>> I didn't notice anything, I only got this email:
>>
>>
>> ---mail ---
>> You are receiving this email as our automated intrusion detection has
>> picked up information below that leads us to believe an IP address in
>> your netblock is attempting to infiltrate our server. Its IP is:
>> 86.109.160.33.
>>
>>  Due to this behaviour we have automatically put an IP block in place
>> prohibiting all traffic from that address. If you feel this is in
>> error then please reply to this email and we will look into it in due
>> course.
>>
>> Regards,
>>
>> TusProfesionales Support
>>
>> The current machine timezone is recorded as CET +1
>>
>>
>> Oct 10 20:55:10 correo sshd[1520]: Failed password for root from
>> 78.46.229.107 port 59234 ssh2
>> Oct 10 20:55:13 correo sshd[1817]: Failed password for root from
>> 78.46.229.107 port 59581 ssh2
>> Oct 10 20:55:15 correo sshd[2179]: Failed password for root from
>> 78.46.229.107 port 59921 ssh2
>> Oct 10 20:55:18 correo sshd[2362]: Failed password for root from
>> 78.46.229.107 port 60266 ssh2
>> Oct 10 20:55:21 correo sshd[2422]: Failed password for root from
>> 78.46.229.107 port 60588 ssh2
>> Oct 10 20:55:23 correo sshd[2480]: Failed password for root from
>> 78.46.229.107 port 60902 ssh2
>> Oct 10 20:55:26 correo sshd[2562]: Failed password for root from
>> 78.46.229.107 port 32975 ssh2
>> Oct 10 20:55:29 correo sshd[2608]: Failed password for root from
>> 78.46.229.107 port 33281 ssh2
>> Oct 10 20:55:32 correo sshd[2632]: Failed password for root from
>> 78.46.229.107 port 33605 ssh2
>> Oct 10 20:55:35 correo sshd[2636]: Failed password for root from
>> 78.46.229.107 port 33913 ssh2
>> Oct 10 20:55:38 correo sshd[2638]: Failed password for root from
>> 78.46.229.107 port 34369 ssh2
>> Oct 10 20:55:41 correo sshd[2640]: Failed password for root from
>> 78.46.229.107 port 34670 ssh2
>> Oct 10 20:55:44 correo sshd[2644]: Failed password for root from
>> 78.46.229.107 port 34984 ssh2
>> Oct 10 20:55:44 correo sshd[2651]: Invalid user oracle from 78.46.229.107
>> Oct 10 20:55:46 correo sshd[2651]: Failed password for invalid user
>> oracle from 78.46.229.107 port 35305 ssh2
>> Oct 10 20:55:47 correo sshd[2659]: Invalid user test from 78.46.229.107
>> Oct 10 20:55:49 correo sshd[2659]: Failed password for invalid user
>> test from 78.46.229.107 port 35637 ssh2
>> Oct 10 20:55:52 correo sshd[2668]: Failed password for root from
>> 78.46.229.107 port 35943 ssh2
>> Oct 10 20:55:54 correo sshd[2689]: Failed password for root from
>> 78.46.229.107 port 36265 ssh2
>> Oct 10 20:55:57 correo sshd[2697]: Failed password for root from
>> 78.46.229.107 port 36583 ssh2
>> Oct 10 20:56:00 correo sshd[2700]: Failed password for root from
>> 78.46.229.107 port 36892 ssh2
>> Oct 10 20:56:03 correo sshd[2702]: Failed password for root from
>> 78.46.229.107 port 37204 ssh2
>> Oct 10 20:56:05 correo sshd[2704]: Failed password for root from
>> 78.46.229.107 port 37500 ssh2
>> Oct 10 20:56:06 correo sshd[2706]: Invalid user teamspeak from 78.46.229.107
>> Oct 10 20:56:08 correo sshd[2706]: Failed password for invalid user
>> teamspeak from 78.46.229.107 port 37800 ssh2
>> Oct 10 20:56:08 correo sshd[2709]: Invalid user teamspeak from 78.46.229.107
>> Oct 10 20:56:11 correo sshd[2709]: Failed password for invalid user
>> teamspeak from 78.46.229.107 port 38113 ssh2
>> Oct 10 20:56:11 correo sshd[2712]: Invalid user nagios from 78.46.229.107
>> Oct 10 20:56:13 correo sshd[2712]: Failed password for invalid user
>> nagios from 78.46.229.107 port 38414 ssh2
>> Oct 10 20:56:14 correo sshd[2715]: Invalid user postgres from 78.46.229.107
>> Oct 10 20:56:16 correo sshd[2715]: Failed password for invalid user
>> postgres from 78.46.229.107 port 38713 ssh2
>> Oct 10 20:56:19 correo sshd[2717]: Failed password for root from
>> 78.46.229.107 port 39030 ssh2
>> Oct 10 20:56:22 correo sshd[2719]: Failed password for root from
>> 78.46.229.107 port 39342 ssh2
>> Oct 10 20:56:24 correo sshd[2721]: Failed password for root from
>> 78.46.229.107 port 39647 ssh2
>> Oct 10 20:56:27 correo sshd[2723]: Failed password for root from
>> 78.46.229.107 port 39962 ssh2
>> Oct 10 20:56:30 correo sshd[2727]: Failed password for root from
>> 78.46.229.107 port 40261 ssh2
>> Oct 10 20:56:32 correo sshd[2729]: Failed password for root from
>> 78.46.229.107 port 40567 ssh2
>> Oct 10 20:56:35 correo sshd[2731]: Failed password for root from
>> 78.46.229.107 port 40868 ssh2
>> Oct 10 20:56:39 correo sshd[2734]: Failed password for root from
>> 78.46.229.107 port 41180 ssh2
>> Oct 10 20:56:42 correo sshd[2736]: Failed password for root from
>> 78.46.229.107 port 41596 ssh2
>> Oct 10 20:56:44 correo sshd[2740]: Failed password for root from
>> 78.46.229.107 port 41902 ssh2
>> Oct 10 20:56:47 correo sshd[2742]: Failed password for root from
>> 78.46.229.107 port 42205 ssh2
>> Oct 10 20:56:50 correo sshd[2744]: Failed password for root from
>> 78.46.229.107 port 42523 ssh2
>> Oct 10 20:56:52 correo sshd[2746]: Failed password for root from
>> 78.46.229.107 port 42840 ssh2
>> Oct 10 20:56:55 correo sshd[2748]: Failed password for root from
>> 78.46.229.107 port 43137 ssh2
>> Oct 10 20:56:58 correo sshd[2750]: Failed password for root from
>> 78.46.229.107 port 43454 ssh2
>> Oct 10 20:57:01 correo sshd[2753]: Failed password for root from
>> 78.46.229.107 port 43762 ssh2
>> Oct 10 20:57:03 correo sshd[2755]: Failed password for root from
>> 78.46.229.107 port 44064 ssh2
>> Oct 10 20:57:06 correo sshd[2757]: Failed password for root from
>> 78.46.229.107 port 44363 ssh2
>> Oct 10 20:57:09 correo sshd[2759]: Failed password for root from
>> 78.46.229.107 port 44684 ssh2
>> Oct 10 20:57:11 correo sshd[2761]: Failed password for root from
>> 78.46.229.107 port 45015 ssh2
>> Oct 10 20:57:16 correo sshd[2763]: Failed password for root from
>> 78.46.229.107 port 45345 ssh2
>> Oct 10 20:57:19 correo sshd[2766]: Failed password for root from
>> 78.46.229.107 port 45932 ssh2
>> Oct 10 20:57:22 correo sshd[2768]: Failed password for root from
>> 78.46.229.107 port 46258 ssh2
>> Oct 10 20:57:25 correo sshd[2770]: Failed password for root from
>> 78.46.229.107 port 46581 ssh2
>> Oct 10 20:57:27 correo sshd[2772]: Failed password for root from
>> 78.46.229.107 port 46907 ssh2
>> Oct 10 20:57:30 correo sshd[2776]: Failed password for root from
>> 78.46.229.107 port 47253 ssh2
>> Oct 10 20:57:33 correo sshd[2779]: Failed password for root from
>> 78.46.229.107 port 47587 ssh2
>> Oct 10 20:57:36 correo sshd[2781]: Failed password for root from
>> 78.46.229.107 port 47946 ssh2
>> Oct 10 20:57:38 correo sshd[2783]: Failed password for root from
>> 78.46.229.107 port 48260 ssh2
>> Oct 10 20:57:41 correo sshd[2785]: Failed password for root from
>> 78.46.229.107 port 48587 ssh2
>> Oct 10 20:57:44 correo sshd[2787]: Failed password for root from
>> 78.46.229.107 port 48928 ssh2
>> Oct 10 20:57:47 correo sshd[2791]: Failed password for root from
>> 78.46.229.107 port 49270 ssh2
>> Oct 10 20:57:49 correo sshd[2793]: Failed password for root from
>> 78.46.229.107 port 49600 ssh2
>>
>> 2012/10/11 Paolo Sammicheli <xdatap1 a siena.linux.it>:
>>> On 11/10/2012 09:58, Freeze NorthPole wrote:
>>>
>>>> Hi all,
>>>> just a few days ago I was asking you how to protect the server, and today
>>>> I've been notified of an attempted brute-force attack, and the provider asks me:
>>>> - how it could have happened
>>>> - what measures to adopt so that it doesn't happen again,
>>>
>>>
>>> A bit more information, perhaps. On which port/protocol? What
>>> happened, did they get in? What problems did you see? Was there a DoS?
>>>
>>> Ciao
>>> --
>>> Paolo Sammicheli
>>> Email: xdatap1(at)siena.linux.it
>>> Slug - Siena Linux User Group | http://www.siena.linux.it
>>> - Do what you like. Like what you do -
>>> _______________________________________________
>>> Tecnica mailing list
>>> Tecnica a liste.siena.linux.it
>>> http://liste.siena.linux.it/cgi-bin/mailman/listinfo/tecnica
>
>
>
> --
> ____________________________
> Marcello Semboli
> http://dinogen.hacknight.org/
>
> "I don't double-click." (Davide Bianchi)
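Added example, not code from the thread or from any of its participants: a Python script that applies the kind of rule Marcello alludes to (count failed logins per source address inside a sliding time window and block the address once the count reaches a limit, the way fail2ban does) to the sshd lines quoted above. It also reports what those lines actually show: the number after `port` in "Failed password for root from A.B.C.D port N ssh2" is the client's ephemeral source port, which is why every attempt shows a different one; sshd is still listening on a single port. The log lines are copied from the message above and re-joined onto single lines, with the year (absent from syslog timestamps) assumed to be 2012; one extra line from 192.0.2.10 is constructed to show an address that stays below the threshold, and the threshold of 5 failures in 10 minutes is illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, NamedTuple

# Lines copied from the sshd log quoted in the thread above, re-joined onto
# single lines (the mail client had wrapped them).  The last line is a
# constructed one from the 192.0.2.0/24 documentation range, added only to
# show an address that stays below the ban threshold.
SAMPLE_LOG = """\
Oct 10 20:55:10 correo sshd[1520]: Failed password for root from 78.46.229.107 port 59234 ssh2
Oct 10 20:55:13 correo sshd[1817]: Failed password for root from 78.46.229.107 port 59581 ssh2
Oct 10 20:55:15 correo sshd[2179]: Failed password for root from 78.46.229.107 port 59921 ssh2
Oct 10 20:55:18 correo sshd[2362]: Failed password for root from 78.46.229.107 port 60266 ssh2
Oct 10 20:55:21 correo sshd[2422]: Failed password for root from 78.46.229.107 port 60588 ssh2
Oct 10 20:55:23 correo sshd[2480]: Failed password for root from 78.46.229.107 port 60902 ssh2
Oct 10 20:55:26 correo sshd[2562]: Failed password for root from 78.46.229.107 port 32975 ssh2
Oct 10 20:55:44 correo sshd[2651]: Invalid user oracle from 78.46.229.107
Oct 10 20:55:46 correo sshd[2651]: Failed password for invalid user oracle from 78.46.229.107 port 35305 ssh2
Oct 10 20:55:47 correo sshd[2659]: Invalid user test from 78.46.229.107
Oct 10 20:55:49 correo sshd[2659]: Failed password for invalid user test from 78.46.229.107 port 35637 ssh2
Oct 10 20:56:00 correo sshd[9999]: Failed password for alice from 192.0.2.10 port 50000 ssh2
"""

# syslog timestamps carry no year; the thread is from October 2012 (assumption).
LOG_YEAR = 2012

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user oracle from ...".  The number after
# "port" is the client's ephemeral source port, not a port sshd listens on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)


class Failure(NamedTuple):
    ts: datetime
    user: str
    ip: str
    port: int


def parse_failures(log_text: str, year: int = LOG_YEAR) -> List[Failure]:
    """Extract one Failure per 'Failed password' line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # e.g. the bare "Invalid user ..." notices
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append(Failure(ts, m["user"], m["ip"], int(m["port"])))
    return out


def find_offenders(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: an address is banned the moment it reaches
    `maxretry` failures inside any `findtime` window.  Returns {ip: ban time}."""
    banned: Dict[str, datetime] = {}
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ip in banned:
            continue  # once blocked at the firewall, later attempts never reach sshd
        q = recent[ev.ip]
        q.append(ev.ts)
        while ev.ts - q[0] > findtime:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ev.ip] = ev.ts
    return banned


def summarize(events):
    """Per source address: attempt count, usernames tried, distinct source
    ports and the median gap between attempts (the '3 seconds' in the thread)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(evs, evs[1:])]
        report[ip] = {
            "attempts": len(evs),
            "users": sorted({e.user for e in evs}),
            "distinct_source_ports": len({e.port for e in evs}),
            "median_interval_s": median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for ip, info in summarize(events).items():
        print(ip, info)
    for ip, when in find_offenders(events).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

On the quoted sample the script bans 78.46.229.107 at the fifth failure (20:55:21), reports nine attempts from it against root, oracle and test with nine different source ports and a median gap of three seconds, and leaves 192.0.2.10 alone. Run against a real /var/log/auth.log or /var/log/secure it would behave the same way; in production the ban step is what fail2ban hands to iptables, and the window and limit should be tuned so that a user mistyping a password a couple of times is not locked out.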


More information about the Tecnica mailing list