This is a discussion on Security in the VPS & Dedicated forum

  1. #1
    JPC Guru
    Join Date
    Apr 2006
    Location
    Sweden
    Posts
    263

    Security

    I've had my VPS up for about two days now and when I checked my logs I found this:

    sshd:
    Authentication Failures:
    root (2a.94.5646.static.theplanet.com): 347 Time(s)
    unknown (201.6.101.183): 238 Time(s)

    I would just like to thank Jag for that great security guide they put as a sticky in here! I think it helped prevent them from getting access!

    Now to my question: is it wise to report this to "theplanet.com"? They seem to be providers of hosting services and possibly ISP services. Also, can I add a "2a.94.5646.static.theplanet.com" type address to be blocked, or is it IPs only?

  2. #2
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    You can easily find the IP from the name by doing an nslookup. From the Windows/Linux/Mac OS X command line just type
    Code:
    nslookup 2a.94.5646.static.theplanet.com
    There are also several websites that offer such a feature, such as http://www.kloth.net/services/nslookup.php.

    In the case of this name, nslookup returns the following:
    Code:
    Server:         69.73.130.223
    Address:        69.73.130.223#53
    
    Non-authoritative answer:
    Name:   2a.94.5646.static.theplanet.com
    Address: 70.86.148.42
    The output you get may vary depending on what system you use to get it. In this case the last line, "Address: 70.86.148.42" shows you the IP for the name you posted.

    As far as reporting, my guess is that someone was probably trying to run a dictionary attack against you (hence the high number of attempts from a single IP). Do you have the full logs of what happened? If all 300+ attempts happened in just a few minutes the attacker probably gave up. If the attempts appear to be more methodical then someone may be up to something. It is really up to you WRT what to do. My past experience tells me that reporting things to ISPs usually doesn't get you anywhere, but it doesn't hurt to try. If the attempt appears to be more sinister than someone just trying to guess your password then I would consider reporting the incident(s) to the authorities.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  3. #3
    JPC Guru
    Join Date
    Apr 2006
    Location
    Sweden
    Posts
    263
    Unfortunately I had logwatch at low at the moment; I had gone to bed and for some odd reason there was no logwatch conf (which is weird) so I couldn't change that parameter. But it's changed now so I'm ready if it happens again (hopefully without the person completing his task).

    Thanks a lot for the input!

    By the way, how do you block an IP? That's something I've never learnt how to do (even though it's a really important thing to know).

  4. #4
    Darth Admin (aka Jag) JPC-Greg's Avatar
    Join Date
    Sep 1998
    Posts
    5,201
    We get things like this reported to us, so yes, go ahead and report it to theplanet. It's most likely a compromised box on their network being abused to try and get into others to abuse.
    Greg L. | Chief Executive Officer
    JaguarPC.com


  5. #5
    Administrator Eric's Avatar
    Join Date
    Sep 2001
    Posts
    853
    The BFD package, which is mentioned in the security link, will automatically block these types of intrusions. It can be used in conjunction with APF or you can set it to use iptables directly. Below is an iptables command to block a user:

    /sbin/iptables -A INPUT -s IP_TO_BLOCK -j DROP
    Eric E. [eric@jaguarpc.com]
    Jaguar Technologies, LLC
    JaguarPC.com * DedicatedSpace.com

  6. #6
    JPC Guru
    Join Date
    Apr 2006
    Location
    Sweden
    Posts
    263
    Thank you both very much!

  7. #7
    cef
    JPC Member
    Join Date
    Apr 2006
    Location
    NYC
    Posts
    16
    You might also want to save the chain every time you add an IP to block. That way, when your vps reboots (or you stop and restart iptables), you don't lose all the IPs you previously blocked. My BFD "block" command looks like this:

    /sbin/iptables -A INPUT -s IP_TO_BLOCK -j DROP; /sbin/service iptables save

    The only difference from the one Eric posted is the added semicolon followed by the call to save the iptables data.
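    The following script is an added example and is not code from the thread, from BFD or from JaguarPC. It does what Eric's and cef's one-liners do (append a DROP rule for one address, then save the ruleset) but adds the checks a practitioner wants around a command that is fed addresses from logs: the value is validated as an IPv4 address before it reaches iptables, the rule is only appended if it is not already there, and the save runs afterwards. The IPTABLES, SAVE_CMD and DRY_RUN variables are this script's own assumptions; DRY_RUN lets it be exercised without root.

```shell
#!/bin/sh
# Added example (not code from the thread): block one IPv4 address the way
# Eric's and cef's one-liners do, with three additions:
#   1. the address is validated before it is handed to iptables,
#   2. the DROP rule is appended only if it is not already present (iptables -C),
#   3. the ruleset is saved afterwards so it survives a restart (cef's point).
# IPTABLES, SAVE_CMD and DRY_RUN are assumptions of this script, not of BFD.
# Usage:  ./block_ip.sh 203.0.113.7        (DRY_RUN=1 prints instead of executing)

IPTABLES="${IPTABLES:-/sbin/iptables}"
SAVE_CMD="${SAVE_CMD:-/sbin/service iptables save}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
        return 0
    fi
    "$@"
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Hostnames, CIDR ranges, empty strings and anything with extra characters
# are rejected: a stray value here would otherwise become a malformed rule.
valid_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs="$IFS"
    IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the INPUT chain already carries a DROP rule for $1.
rule_present() {
    [ -n "${DRY_RUN:-}" ] && return 1
    "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null
}

# Validate, add the rule once, then persist the ruleset.
block_ip() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "block_ip: refusing '$ip': not a valid IPv4 address" >&2
        return 2
    fi
    if rule_present "$ip"; then
        echo "block_ip: $ip is already blocked" >&2
        return 0
    fi
    run "$IPTABLES" -A INPUT -s "$ip" -j DROP || return 1
    run $SAVE_CMD    # unquoted on purpose: it is a command plus its arguments
}

if [ $# -gt 0 ]; then
    block_ip "$1"
fi
```

    Pointing BFD's block command at a script like this instead of the bare one-liner keeps duplicate rules out of the chain when the same address trips the threshold more than once, and the validation means a garbled log entry cannot turn into a rule that drops more than intended.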

  8. #8
    JPC Guru
    Join Date
    Apr 2006
    Location
    Sweden
    Posts
    263
    Thank you very much, just reinstalled my VPS so I will have to redo everything again, heh
    My VPS server:
    www.myfedoraserver.com


  9. #9
    cef
    JPC Member
    Join Date
    Apr 2006
    Location
    NYC
    Posts
    16
    Quote Originally Posted by AlexKall
    Thank you very much, just reinstalled my VPS so I will have to redo everything again, heh
    You might want to consider backing up the iptables data to somewhere offsite daily via a cronjob. That way, if your VPS is actually wiped (as opposed to just rebooted), you'll be able to reimport all your saved rules.

    There's some good info about the iptables configuration (and data) file here:

    http://www.centos.org/docs/3/rhel-rg...es-saving.html

    (mind you, I'm no expert, I learned all this recently by reading/experimenting too!)
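    As an added example of the daily off-site backup cef suggests (this is not the thread's or any project's own code), the script below snapshots the live ruleset with iptables-save into a timestamped file, keeps only the newest copies locally and pushes the latest one to another host. BACKUP_DIR, KEEP, OFFSITE and SAVE_CMD are this script's own assumptions, and the OFFSITE destination is a placeholder to replace with a real host.

```shell
#!/bin/sh
# Added example (not from the thread): a cron job that snapshots the live
# iptables ruleset with iptables-save, keeps the newest KEEP copies locally and
# pushes the latest one off-site with scp, so a wiped VPS can be rebuilt with
# "iptables-restore < rules-YYYYMMDD-HHMMSS.v4".
# BACKUP_DIR, KEEP, OFFSITE and SAVE_CMD are this script's assumptions;
# OFFSITE is a placeholder destination.  Install with:
#   0 3 * * * /usr/local/sbin/iptables-backup.sh run

BACKUP_DIR="${BACKUP_DIR:-/var/backups/iptables}"
KEEP="${KEEP:-14}"
OFFSITE="${OFFSITE:-backup@offsite.example.net:iptables/}"
SAVE_CMD="${SAVE_CMD:-/sbin/iptables-save}"

# Write the current ruleset to a timestamped, owner-only file; print its path.
# The file lists every rule, including the addresses you have blocked, so it
# is kept readable by root only.
snapshot_rules() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    file="$dir/rules-$(date -u +%Y%m%d-%H%M%S).v4"
    umask 077
    if ! $SAVE_CMD > "$file"; then
        rm -f "$file"
        return 1
    fi
    echo "$file"
}

# Number of snapshots currently in $1.
count_snapshots() {
    ls "$1"/rules-*.v4 2>/dev/null | wc -l | tr -d ' '
}

# Delete all but the newest $2 snapshots in $1.  The UTC timestamp in the
# file name sorts chronologically, so a reverse sort puts the newest first
# and everything past line $2 can go.
rotate_snapshots() {
    dir="$1"
    keep="$2"
    ls "$dir"/rules-*.v4 2>/dev/null | sort -r | awk -v keep="$keep" 'NR > keep' |
    while read -r old; do
        rm -f "$old"
    done
}

main() {
    newest=$(snapshot_rules "$BACKUP_DIR") || exit 1
    rotate_snapshots "$BACKUP_DIR" "$KEEP"
    # Off-site copy; use a key-only account on the receiving host.
    scp -q "$newest" "$OFFSITE"
}

if [ "${1:-}" = run ]; then
    main
fi
```

    Restoring after a rebuild is then a matter of copying the newest file back and running iptables-restore on it before the service save, which is the same data the `service iptables save` command in the earlier posts writes to /etc/sysconfig/iptables.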

  10. #10
    JPC Guru
    Join Date
    Apr 2006
    Location
    Sweden
    Posts
    263
    Yeah, experimenting is in my mind the best way to learn (with a bit of reading of course)

    And thank you for that tip, seems like a wise thing to do!


  11. #11
    JPC Guru
    Join Date
    Apr 2006
    Location
    Sweden
    Posts
    263
    How would I go about reporting the below incidents to the authorities?
    And where should I turn with this? Or is this not enough to report?
    I would also like to add that I live in Sweden and the person's IP is residing in Germany.


    Illegal users from:
    64.40.108.18 (wec.netcastor.com): 26 times
    demo/password: 11 times
    cpdemo/password: 10 times
    cpanel/password: 4 times
    cpnael/password: 1 time
    125.95.18.34: 3 times
    recruit/password: 1 time
    sales/password: 1 time
    staff/password: 1 time
    213.202.214.51 (ns2.zor.in): 779 times
    robert/password: 12 times
    adam/password: 7 times
    andy/password: 7 times
    brian/password: 7 times
    carol/password: 7 times
    chloe/password: 7 times
    chris/password: 7 times
    chuck/password: 7 times
    craig/password: 7 times
    dan/password: 7 times
    dave/password: 7 times
    diana/password: 7 times
    dirk/password: 7 times
    donna/password: 7 times
    doug/password: 7 times
    dylan/password: 7 times
    elvis/password: 7 times
    eric/password: 7 times
    fax/password: 7 times
    felix/password: 7 times
    ford/password: 7 times
    frank/password: 7 times
    ftpuser/password: 7 times
    guest/password: 7 times
    harry/password: 7 times
    helen/password: 7 times
    jack/password: 7 times
    jacob/password: 7 times
    james/password: 7 times
    jeff/password: 7 times
    jenny/password: 7 times
    jerry/password: 7 times
    jim/password: 7 times
    joe/password: 7 times
    john/password: 7 times
    josh/password: 7 times
    julia/password: 7 times
    julie/password: 7 times
    keith/password: 7 times
    kelly/password: 7 times
    kim/password: 7 times
    larry/password: 7 times
    laura/password: 7 times
    lee/password: 7 times
    linda/password: 7 times
    lisa/password: 7 times
    louis/password: 7 times
    lucky/password: 7 times
    mark/password: 7 times
    marty/password: 7 times
    mary/password: 7 times
    matt/password: 7 times
    mike/password: 7 times
    nancy/password: 7 times
    office/password: 7 times
    paul/password: 7 times
    peter/password: 7 times
    ricky/password: 7 times
    robin/password: 7 times
    roger/password: 7 times
    roy/password: 7 times
    sales/password: 7 times
    sam/password: 7 times
    sandy/password: 7 times
    sarah/password: 7 times
    sasha/password: 7 times
    scott/password: 7 times
    sonny/password: 7 times
    steve/password: 7 times
    tanya/password: 7 times
    temp/password: 7 times
    tim/password: 7 times
    tony/password: 7 times
    tracy/password: 7 times
    user/password: 7 times
    adrian/password: 6 times
    cheryl/password: 6 times
    client/password: 6 times
    david/password: 6 times
    freddy/password: 6 times
    gregory/password: 6 times
    jason/password: 6 times
    jessica/password: 6 times
    jessie/password: 6 times
    justin/password: 6 times
    kevin/password: 6 times
    kristen/password: 6 times
    leslie/password: 6 times
    library/password: 6 times
    louise/password: 6 times
    mailer/password: 6 times
    mailtest/password: 6 times
    marcus/password: 6 times
    martin/password: 6 times
    natasha/password: 6 times
    nikita/password: 6 times
    oracle/password: 6 times
    patricia/password: 6 times
    patrick/password: 6 times
    postgres/password: 6 times
    public/password: 6 times
    richard/password: 6 times
    sabrina/password: 6 times
    service/password: 6 times
    sharon/password: 6 times
    stacey/password: 6 times
    stanley/password: 6 times
    steven/password: 6 times
    student/password: 6 times
    susan/password: 6 times
    testuser/password: 6 times
    tiffany/password: 6 times
    vincent/password: 6 times
    webmaster/password: 6 times
    test/password: 5 times
    admin/password: 3 times
    firstdiv/password: 1 time
    imail/password: 1 time
    inweb/password: 1 time
    muonline/password: 1 time
    neoway/password: 1 time
    smile/password: 1 time
    soutec/password: 1 time
    Last edited by AlexKall; 04-16-2006 at 12:12 PM.


  12. #12
    cef
    JPC Member
    Join Date
    Apr 2006
    Location
    NYC
    Posts
    16
    Greg or Eric or any other "Jag" -- should we report any IPs to you guys?

    I've been getting a few of these a day myself, and no one knows I'm here (I only put a working site up today), so people must be scanning your IP range a lot!

  13. #13
    Friendly rainboy's Avatar
    Join Date
    Apr 2006
    Location
    Eindhoven, The Netherlands
    Posts
    546
    AlexKall,

    Get those on our VPS a lot as well, but mostly I only report the people who keep coming back more than once and really might be a threat to our services. Most providers do have a policy on not abusing their network for these activities (JaguarPC does as well). So if they really annoy you and bring your services in danger, you might consider doing a lookup on the owner of the IP address and asking them to take a look into it.

    Also please note that most owners of these systems are not aware of what is happening; mostly they have been hacked themselves or are infected by viruses or trojans.

    In general when you decide to report, they will ask you for more detailed logs (incl. time & date). The above logging is more for a quick view of what happens on your system.

    To view IP address owners:

    APNIC (Asia Pacific Network Information Centre) - Asia/Pacific Region
    >> http://www.apnic.net/

    ARIN (American Registry for Internet Numbers) - Americas and Sub-Sahara Africa
    >> http://www.arin.net/

    LACNIC (Regional Latin-American and Caribbean IP Address Registry) – Latin America and some Caribbean Islands
    >> http://lacnic.net/en/index.html

    RIPE NCC (Réseaux IP Européens) - Europe, the Middle East, Central Asia, and African countries located north of the equator
    >> http://www.ripe.net/

    I don't think reporting these IPs to JPC will help, unless they use this data to set up their firewalls. (I can think of a lot of pros and cons for using the data to protect the whole network.) But I am sure one of the JPC workers can enlighten you more about this.

    Hope this helps,

    Kind regards,

    Patrick
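    The summary AlexKall posted in #11 counts attempts but, as Patrick notes, an abuse desk wants the detailed log with times and dates plus the owner of the address. The script below is an added example (not code from the thread or from logwatch) that produces exactly that from standard OpenSSH syslog lines: per-source counts with first and last timestamp, which also answers Jason's question of whether the attempts came in a burst or were spread out, the usernames tried, and a whois lookup of the abuse contact for one address. The log lines in sample_log are constructed for this example using documentation addresses; the whois field names are the usual RIPE and ARIN ones.

```shell
#!/bin/sh
# Added example (not from the thread): turn raw sshd log lines into the kind
# of evidence an abuse desk asks for (per-source counts with first and last
# timestamp, the usernames tried) and look up the abuse contact for a source.
# sample_log is a constructed sample; the real input is /var/log/secure or
# /var/log/auth.log in the standard OpenSSH syslog format.

# Constructed sample log lines (documentation addresses, not real hosts).
sample_log() {
    cat <<'EOF'
Apr 16 03:12:01 vps sshd[2201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Apr 16 03:12:03 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Apr 16 03:12:05 vps sshd[2205]: Failed password for invalid user test from 203.0.113.45 port 51242 ssh2
Apr 16 03:12:07 vps sshd[2207]: Failed password for root from 203.0.113.45 port 51250 ssh2
Apr 16 03:40:11 vps sshd[2310]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Apr 16 03:41:30 vps sshd[2312]: Accepted publickey for alice from 198.51.100.9 port 40030 ssh2
Apr 16 04:02:44 vps sshd[2402]: Failed password for invalid user oracle from 203.0.113.45 port 51300 ssh2
EOF
}

# Per source: "<count> <ip> <first seen> <last seen>", busiest source first.
# The first/last stamps show whether hundreds of tries landed within minutes
# (a quick dictionary run) or kept coming over hours.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (!(ip in n)) first[ip] = $1 " " $2 " " $3
            n[ip]++
            last[ip] = $1 " " $2 " " $3
        }
        END { for (ip in n) printf "%d %s %s %s\n", n[ip], ip, first[ip], last[ip] }' |
    sort -rn
}

# Per username tried: "<count> <user>", most-tried first.  The word before
# "from" is the username in both the "for root from" and the
# "for invalid user admin from" forms of the message.
failed_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i - 1)]++; break }
        }
        END { for (u in n) printf "%d %s\n", n[u], u }' |
    sort -rn
}

# Sources with at least $1 failed attempts, one address per line.
suspicious_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Abuse contact for one address from its RIR's whois record (needs network
# access; RIPE publishes abuse-mailbox / abuse-c, ARIN OrgAbuseEmail).
abuse_contact() {
    whois "$1" | grep -iE '^(abuse-mailbox|abuse-c|OrgAbuseEmail):'
}

# Usage: report.sh /var/log/secure [threshold]
if [ -n "${1:-}" ]; then
    suspicious_sources "${2:-20}" < "$1"
fi
```

    To build a report, run `failed_by_source < /var/log/secure` for the summary, then `grep '203.0.113.45' /var/log/secure` for the raw lines with full timestamps to attach, and `abuse_contact 203.0.113.45` to find where to send it; the whois record is the same information the APNIC/ARIN/LACNIC/RIPE web lookups above return.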

  14. #14
    JPC Guru
    Join Date
    Apr 2006
    Location
    Sweden
    Posts
    263
    I'll see if I can report this to the German company.

    Thank you for your input, and I do see a point in only reporting those that repeat this behaviour. But I also see a point in reporting it even if it only happens once, as this might help prevent them from attacking others, but I think that's only possible for a smaller number of clients as it's a time-consuming process. It's hard to know what's best.
    Last edited by AlexKall; 04-16-2006 at 02:45 PM.


  15. #15
    Friendly rainboy's Avatar
    Join Date
    Apr 2006
    Location
    Eindhoven, The Netherlands
    Posts
    546
    AlexKall,

    I did report one last week, from another VPS I got, and a week later the company came back to tell me they had informed the client, that his machine had been hacked, and that the problem has been solved. So it can work.

    Problem is, if I need to report EVERY single 'try' on our server I would have a full-time job processing these abuse reports. I would love to hear of a system which can automate this for us, or even an organisation which takes care of this. (Maybe I should start a company doing this? For a small fee, anything to make the internet a better place.) Just like an anti-spam list, an anti-abuse list which shares its blocked IPs with other interested parties. Problem is you might lock out potential new customers because they don't have a clue their system is compromised.

    Kind regards,
    Patrick
