Networking Forums


SSH brute force attack?

 
 
CptDondo
Guest
Posts: n/a

 
      12-29-2007, 06:03 PM
I'm getting this in my logs. No other explanation.

SSH_brute_force IN=bond0 OUT=
MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0
 
 
Bit Twister
Guest
Posts: n/a

 
      12-29-2007, 07:02 PM
On Sat, 29 Dec 2007 19:03:44 -0000, CptDondo wrote:
> I'm getting this in my logs. No other explanation.
>
> SSH_brute_force IN=bond0 OUT=
> MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
> DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
> SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0


My WAG: some script has decided that IP address 213.220.192.239
(r3a239.net.upc.cz) has hit your ssh port 22 enough times in X amount
of time, which might indicate it is trying to guess the password for an
account on the 192.168.128.6 node.
Hence the brute_force name.

 
 
Garry Knight
Guest
Posts: n/a

 
      12-29-2007, 11:38 PM
CptDondo wrote:

> I'm getting this in my logs. No other explanation.
>
> SSH_brute_force IN=bond0 OUT=
> MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
> DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
> SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0


From the results of a 'whois' command:

remarks: **********************************************
remarks: * In case of hack attacks, scans etc. please *
remarks: * send abuse notifications to: *
remarks: * (E-Mail Removed) *
remarks: **********************************************

--
Garry Knight
(E-Mail Removed)

 
 
Henrik Uhrenfeldt
Guest
Posts: n/a

 
      01-24-2008, 03:46 PM
CptDondo wrote:
> I'm getting this in my logs. No other explanation.
>
> SSH_brute_force IN=bond0 OUT=
> MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
> DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
> SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0



May I recommend installing "denyhosts"? It will keep an eye on, for
example, SSH brute force attacks, and add those IPs to a blacklist
(hosts.deny) after, for example, 5 failed login attempts.

If it's Ubuntu Linux, it's as simple as "apt-get install denyhosts" - it comes
preconfigured for SSH brute force.

- Henrik
 
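As an added example (not code from this thread, and not denyhosts itself), here is the kind of check Bit Twister describes and the threshold-then-hosts.deny behaviour Henrik mentions, in Python: it parses netfilter LOG lines in the format CptDondo posted into key=value fields and bare flags, counts hits per SRC on DPT=22 inside a sliding time window, and renders hosts.deny entries for sources that cross the threshold. The syslog timestamp prefix and the 203.0.113.0/24 source addresses are assumptions (the posted line shows no timestamp); the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample: netfilter LOG lines in the thread's format, with an assumed
# syslog prefix and documentation-range (RFC 5737) source addresses.
LOG_TEMPLATE = ("Dec 29 {t} gw kernel: SSH_brute_force IN=bond0 OUT= "
                "MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC={src} "
                "DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF "
                "PROTO=TCP SPT={spt} DPT=22 WINDOW=8184 RES=0x00 SYN URGP=0")
SAMPLE_LINES = [LOG_TEMPLATE.format(t=t, src=s, spt=p) for t, s, p in [
    ("18:01:02", "203.0.113.9", 36939), ("18:01:05", "203.0.113.9", 36940),
    ("18:01:09", "203.0.113.9", 36941), ("18:01:14", "203.0.113.9", 36942),
    ("18:01:20", "203.0.113.9", 36943), ("18:01:27", "203.0.113.9", 36944),
    ("18:01:30", "203.0.113.50", 51000),  # a single hit: stays below threshold
]]

def parse_netfilter_line(line):
    """Split a kernel LOG line into key=value fields plus bare flags (DF, SYN, ACK, ...)."""
    idx = line.find("IN=")
    if idx < 0:
        return None
    # the --log-prefix text (e.g. SSH_brute_force) sits between 'kernel:' and IN=
    rec = {"flags": set(), "prefix": line[:idx].split("kernel:")[-1].strip()}
    for tok in line[idx:].split():
        if "=" in tok:
            key, _, val = tok.partition("=")   # OUT= yields an empty value
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec

def find_offenders(lines, threshold=5, window_s=60, dport="22"):
    """Map SRC -> time of the hit at which it reached `threshold` hits on dport within window_s."""
    hits, offenders = defaultdict(deque), {}
    for line in lines:
        stamp = re.match(r"(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)", line)
        rec = parse_netfilter_line(line)
        if not stamp or not rec or rec.get("PROTO") != "TCP" or rec.get("DPT") != dport:
            continue
        ts = datetime.strptime(stamp.group(1), "%b %d %H:%M:%S")
        recent = hits[rec["SRC"]]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_s:   # drop hits outside the window
            recent.popleft()
        if len(recent) >= threshold and rec["SRC"] not in offenders:
            offenders[rec["SRC"]] = ts
    return offenders

def hosts_deny_entries(offenders):
    """Render denyhosts-style /etc/hosts.deny lines for the offending sources."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]
```

With the sample above, 203.0.113.9 crosses the default threshold of 5 hits on its fifth line, while 203.0.113.50, with one hit, is never listed.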