OSzone.net computer forum

OSzone.net computer forum (http://forum.oszone.net/index.php)
-   Computer systems security (http://forum.oszone.net/forumdisplay.php?f=20)
-   -   How they tried to hack me... amusing. (http://forum.oszone.net/showthread.php?t=49873)

Sox 30-05-2005 00:41 328452

How they tried to hack me... amusing.

Looked into the logs today and here is what I found there:

May 29 22:26:49 pc174 sshd[5798]: Did not receive identification string from ::ffff:220.130.245.95
May 29 22:37:33 pc174 sshd[5817]: Failed password for root from ::ffff:220.130.245.95 port 39412 ssh2
May 29 22:37:36 pc174 sshd[5821]: Illegal user admin from ::ffff:220.130.245.95
May 29 22:37:36 pc174 sshd[5821]: error: Could not get shadow information for NOUSER
May 29 22:37:36 pc174 sshd[5821]: Failed password for illegal user admin from ::ffff:220.130.245.95 port 39487 ssh2
May 29 22:37:40 pc174 sshd[5823]: Illegal user test from ::ffff:220.130.245.95
May 29 22:37:40 pc174 sshd[5823]: error: Could not get shadow information for NOUSER
May 29 22:37:40 pc174 sshd[5823]: Failed password for illegal user test from ::ffff:220.130.245.95 port 39577 ssh2
May 29 22:37:43 pc174 sshd[5827]: Illegal user guest from ::ffff:220.130.245.95
May 29 22:37:43 pc174 sshd[5827]: error: Could not get shadow information for NOUSER
May 29 22:37:43 pc174 sshd[5827]: Failed password for illegal user guest from ::ffff:220.130.245.95 port 39654 ssh2
May 29 22:37:46 pc174 sshd[5831]: Illegal user webmaster from ::ffff:220.130.245.95
May 29 22:37:46 pc174 sshd[5831]: error: Could not get shadow information for NOUSER
May 29 22:37:46 pc174 sshd[5831]: Failed password for illegal user webmaster from ::ffff:220.130.245.95 port 39735 ssh2
May 29 22:37:50 pc174 sshd[5835]: Illegal user mysql from ::ffff:220.130.245.95
May 29 22:37:50 pc174 sshd[5835]: error: Could not get shadow information for NOUSER
May 29 22:37:50 pc174 sshd[5835]: Failed password for illegal user mysql from ::ffff:220.130.245.95 port 39827 ssh2
May 29 22:37:53 pc174 sshd[5837]: Illegal user oracle from ::ffff:220.130.245.95
May 29 22:37:53 pc174 sshd[5837]: error: Could not get shadow information for NOUSER
May 29 22:37:53 pc174 sshd[5837]: Failed password for illegal user oracle from ::ffff:220.130.245.95 port 39902 ssh2
May 29 22:37:56 pc174 sshd[5839]: Illegal user library from ::ffff:220.130.245.95
May 29 22:37:56 pc174 sshd[5839]: error: Could not get shadow information for NOUSER
May 29 22:37:56 pc174 sshd[5839]: Failed password for illegal user library from ::ffff:220.130.245.95 port 39988 ssh2
May 29 22:37:59 pc174 sshd[5841]: Illegal user info from ::ffff:220.130.245.95
May 29 22:37:59 pc174 sshd[5841]: error: Could not get shadow information for NOUSER
May 29 22:38:00 pc174 sshd[5841]: Failed password for illegal user info from ::ffff:220.130.245.95 port 40059 ssh2
May 29 22:38:03 pc174 sshd[5843]: Illegal user shell from ::ffff:220.130.245.95
May 29 22:38:03 pc174 sshd[5843]: error: Could not get shadow information for NOUSER
May 29 22:38:03 pc174 sshd[5843]: Failed password for illegal user shell from ::ffff:220.130.245.95 port 40148 ssh2
May 29 22:38:06 pc174 sshd[5845]: Illegal user linux from ::ffff:220.130.245.95
May 29 22:38:06 pc174 sshd[5845]: error: Could not get shadow information for NOUSER
May 29 22:38:06 pc174 sshd[5845]: Failed password for illegal user linux from ::ffff:220.130.245.95 port 40234 ssh2
May 29 22:38:10 pc174 sshd[5847]: Illegal user unix from ::ffff:220.130.245.95
May 29 22:38:10 pc174 sshd[5847]: error: Could not get shadow information for NOUSER
May 29 22:38:10 pc174 sshd[5847]: Failed password for illegal user unix from ::ffff:220.130.245.95 port 40314 ssh2
May 29 22:38:13 pc174 sshd[5849]: Illegal user webadmin from ::ffff:220.130.245.95
May 29 22:38:13 pc174 sshd[5849]: error: Could not get shadow information for NOUSER
May 29 22:38:13 pc174 sshd[5849]: Failed password for illegal user webadmin from ::ffff:220.130.245.95 port 40402 ssh2
May 29 22:38:16 pc174 sshd[5851]: Failed password for ftp from ::ffff:220.130.245.95 port 40477 ssh2
May 29 22:38:19 pc174 sshd[5853]: Illegal user test from ::ffff:220.130.245.95
May 29 22:38:19 pc174 sshd[5853]: error: Could not get shadow information for NOUSER
May 29 22:38:19 pc174 sshd[5853]: Failed password for illegal user test from ::ffff:220.130.245.95 port 40558 ssh2
May 29 22:38:23 pc174 sshd[5855]: Failed password for root from ::ffff:220.130.245.95 port 40647 ssh2
May 29 22:38:26 pc174 sshd[5857]: Illegal user admin from ::ffff:220.130.245.95
May 29 22:38:26 pc174 sshd[5857]: error: Could not get shadow information for NOUSER
May 29 22:38:26 pc174 sshd[5857]: Failed password for illegal user admin from ::ffff:220.130.245.95 port 40724 ssh2
May 29 22:38:29 pc174 sshd[5861]: Illegal user guest from ::ffff:220.130.245.95
May 29 22:38:29 pc174 sshd[5861]: error: Could not get shadow information for NOUSER
May 29 22:38:29 pc174 sshd[5861]: Failed password for illegal user guest from ::ffff:220.130.245.95 port 40814 ssh2
May 29 22:38:33 pc174 sshd[5863]: Illegal user master from ::ffff:220.130.245.95
May 29 22:38:33 pc174 sshd[5863]: error: Could not get shadow information for NOUSER
May 29 22:38:33 pc174 sshd[5863]: Failed password for illegal user master from ::ffff:220.130.245.95 port 40887 ssh2
May 29 22:38:36 pc174 sshd[5865]: Illegal user apache from ::ffff:220.130.245.95
May 29 22:38:36 pc174 sshd[5865]: error: Could not get shadow information for NOUSER
May 29 22:38:36 pc174 sshd[5865]: Failed password for illegal user apache from ::ffff:220.130.245.95 port 40974 ssh2
May 29 22:38:39 pc174 sshd[5867]: Failed password for root from ::ffff:220.130.245.95 port 41058 ssh2
May 29 22:38:42 pc174 sshd[5869]: Failed password for root from ::ffff:220.130.245.95 port 41136 ssh2
May 29 22:38:46 pc174 sshd[5871]: Failed password for root from ::ffff:220.130.245.95 port 41223 ssh2
May 29 22:38:49 pc174 sshd[5873]: Failed password for root from ::ffff:220.130.245.95 port 41306 ssh2
May 29 22:38:52 pc174 sshd[5875]: Failed password for root from ::ffff:220.130.245.95 port 41382 ssh2
May 29 22:38:55 pc174 sshd[5877]: Failed password for root from ::ffff:220.130.245.95 port 41465 ssh2

Sox 30-05-2005 00:47 328455

May 29 23:34:56 pc174 sshd[6362]: Failed password for root from ::ffff:67.161.209.50 port 57021 ssh2
May 29 23:35:04 pc174 sshd[6364]: Failed password for root from ::ffff:67.161.209.50 port 57128 ssh2
May 29 23:35:09 pc174 sshd[6375]: Failed password for root from ::ffff:67.161.209.50 port 57255 ssh2
May 29 23:35:14 pc174 sshd[6377]: Failed password for root from ::ffff:67.161.209.50 port 57333 ssh2
May 29 23:35:22 pc174 sshd[6379]: Failed password for root from ::ffff:67.161.209.50 port 57409 ssh2
May 29 23:35:27 pc174 sshd[6381]: Failed password for root from ::ffff:67.161.209.50 port 57533 ssh2
May 29 23:35:36 pc174 sshd[6383]: Failed password for root from ::ffff:67.161.209.50 port 57610 ssh2
May 29 23:35:41 pc174 sshd[6385]: Failed password for root from ::ffff:67.161.209.50 port 57737 ssh2
May 29 23:35:48 pc174 sshd[6387]: Illegal user carol from ::ffff:67.161.209.50
May 29 23:35:48 pc174 sshd[6387]: error: Could not get shadow information for NOUSER
May 29 23:35:48 pc174 sshd[6387]: Failed password for illegal user carol from ::ffff:67.161.209.50 port 57818 ssh2
May 29 23:35:55 pc174 sshd[6393]: Illegal user cesar from ::ffff:67.161.209.50
May 29 23:35:55 pc174 sshd[6393]: error: Could not get shadow information for NOUSER
May 29 23:35:55 pc174 sshd[6393]: Failed password for illegal user cesar from ::ffff:67.161.209.50 port 57931 ssh2
May 29 23:36:03 pc174 sshd[6395]: Illegal user clark from ::ffff:67.161.209.50
May 29 23:36:03 pc174 sshd[6395]: error: Could not get shadow information for NOUSER
May 29 23:36:03 pc174 sshd[6395]: Failed password for illegal user clark from ::ffff:67.161.209.50 port 58040 ssh2
May 29 23:36:08 pc174 sshd[6397]: Illegal user clinton from ::ffff:67.161.209.50
May 29 23:36:08 pc174 sshd[6397]: error: Could not get shadow information for NOUSER
May 29 23:36:08 pc174 sshd[6397]: Failed password for illegal user clinton from ::ffff:67.161.209.50 port 58162 ssh2
May 29 23:36:13 pc174 sshd[6399]: Illegal user kayla from ::ffff:67.161.209.50
May 29 23:36:13 pc174 sshd[6399]: error: Could not get shadow information for NOUSER
May 29 23:36:13 pc174 sshd[6399]: Failed password for illegal user kayla from ::ffff:67.161.209.50 port 58245 ssh2
May 29 23:36:18 pc174 sshd[6401]: Illegal user russ from ::ffff:67.161.209.50
May 29 23:36:18 pc174 sshd[6401]: error: Could not get shadow information for NOUSER
May 29 23:36:18 pc174 sshd[6401]: Failed password for illegal user russ from ::ffff:67.161.209.50 port 58322 ssh2
May 29 23:36:23 pc174 sshd[6403]: Illegal user white from ::ffff:67.161.209.50
May 29 23:36:23 pc174 sshd[6403]: error: Could not get shadow information for NOUSER
May 29 23:36:23 pc174 sshd[6403]: Failed password for illegal user white from ::ffff:67.161.209.50 port 58393 ssh2

The most interesting part is that the ssh service is set to "denied" in the firewall.
:-)
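The pattern in the excerpt above (one source, one failed password every few seconds, a dictionary of usernames, most of them nonexistent) is what a log watcher keys on. The following is an added example, written for this thread and not code from the forum or from OpenSSH: it parses lines of the exact shape Sox posted (a dozen of his lines are embedded as sample input), summarises each source address, and flags a source as brute force when it produces at least `threshold` failures inside any sliding window of `window_seconds`. The threshold, window and year (syslog timestamps carry no year) are assumed values.

```python
import re
from datetime import datetime

# Sample input: lines taken from the log excerpts posted in the thread (syslog
# format, old OpenSSH "Illegal user" wording; newer releases log "Invalid user",
# which the regex below also accepts).
SAMPLE_LOG = """\
May 29 22:26:49 pc174 sshd[5798]: Did not receive identification string from ::ffff:220.130.245.95
May 29 22:37:33 pc174 sshd[5817]: Failed password for root from ::ffff:220.130.245.95 port 39412 ssh2
May 29 22:37:36 pc174 sshd[5821]: Illegal user admin from ::ffff:220.130.245.95
May 29 22:37:36 pc174 sshd[5821]: error: Could not get shadow information for NOUSER
May 29 22:37:36 pc174 sshd[5821]: Failed password for illegal user admin from ::ffff:220.130.245.95 port 39487 ssh2
May 29 22:37:40 pc174 sshd[5823]: Failed password for illegal user test from ::ffff:220.130.245.95 port 39577 ssh2
May 29 22:38:16 pc174 sshd[5851]: Failed password for ftp from ::ffff:220.130.245.95 port 40477 ssh2
May 29 22:38:23 pc174 sshd[5855]: Failed password for root from ::ffff:220.130.245.95 port 40647 ssh2
May 29 23:34:56 pc174 sshd[6362]: Failed password for root from ::ffff:67.161.209.50 port 57021 ssh2
May 29 23:35:04 pc174 sshd[6364]: Failed password for root from ::ffff:67.161.209.50 port 57128 ssh2
May 29 23:35:48 pc174 sshd[6387]: Failed password for illegal user carol from ::ffff:67.161.209.50 port 57818 ssh2
May 29 23:36:03 pc174 sshd[6395]: Failed password for illegal user clark from ::ffff:67.161.209.50 port 58040 ssh2
"""

# One "Failed password" line per attempt; the "::ffff:" prefix is the IPv4-mapped
# IPv6 form sshd logs when it listens on a dual-stack socket.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<nouser>illegal|invalid) user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[0-9.]+) port \d+"
)


def parse_failures(log_text, year):
    """Yield (timestamp, source_ip, user, user_exists) for each failed login.
    Only the "Failed password" line is counted: the "Illegal user" and
    "Could not get shadow information" lines describe the same attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps have no year; the caller supplies it (assumed 2005 here).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], m["nouser"] is None


def summarise(log_text, year=2005):
    """Per-source summary: attempt timestamps, users tried, which of those do
    not exist on the host, and how many attempts targeted root."""
    summary = {}
    for ts, ip, user, exists in parse_failures(log_text, year):
        s = summary.setdefault(
            ip, {"timestamps": [], "users": set(), "nonexistent_users": set(), "root_attempts": 0}
        )
        s["timestamps"].append(ts)
        s["users"].add(user)
        if not exists:
            s["nonexistent_users"].add(user)
        if user == "root":
            s["root_attempts"] += 1
    return summary


def brute_force_sources(summary, threshold=5, window_seconds=600):
    """Sources with at least `threshold` failures inside some sliding window of
    `window_seconds` (assumed policy values); returned sorted for stable output."""
    flagged = []
    for ip, s in summary.items():
        times = sorted(s["timestamps"])
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return sorted(flagged)


def report(summary, threshold=5, window_seconds=600):
    """Human-readable one-liner per source, marking the brute-force ones."""
    flagged = set(brute_force_sources(summary, threshold, window_seconds))
    lines = []
    for ip, s in sorted(summary.items()):
        times = sorted(s["timestamps"])
        lines.append(
            f"{ip}: {len(times)} failures between {times[0]:%H:%M:%S} and {times[-1]:%H:%M:%S}, "
            f"{len(s['users'])} users tried ({len(s['nonexistent_users'])} nonexistent), "
            f"{s['root_attempts']} against root" + (" -> BRUTE FORCE" if ip in flagged else "")
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG)))
```

The nonexistent-user count is the useful signal: a legitimate user mistyping a password hits one existing account, while a dictionary run produces many failures against accounts the host never had. Lowering the window makes the rule stricter; the second source in the sample, which paces its attempts more slowly, drops out of the flagged set first.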

mar 30-05-2005 00:53 328458

That's an automated password-guessing program. After I once got to admire something like that myself, I allowed sshd on only one port, only for specific users and only from specific IPs. (Not to mention the ipfw rules and portsentry.)
And, obviously, there should be no root over ssh at all :)

By the way, both machines in the logs are quite real. Judging by the fact that they host websites (and the Taiwanese one looks rather interesting), someone with access to them was messing around - hardly the admin :)) and it doesn't look much like anyone spoofing an IP so extravagantly. So if they've gotten to you - write to their admins and let them sort it out :]

Sox 30-05-2005 01:09 328465

mar
And how could one tune the service in the right direction - for specific IPs and people?

mar 30-05-2005 01:22 328467

Sox
/etc/ssh/sshd_config (on different systems it may be in different places, and may even be named slightly differently)
insert:
# port number, let's say the same 22
Port 22
# whoever wasn't in time is out of luck
LoginGraceTime 10
# no roots!!
PermitRootLogin no
# naturally
PermitEmptyPasswords no
# only this user
AllowUsers Sox

/etc/hosts.allow
# hosts.allow access control file for "tcp wrapped" applications.
#sshd : localhost : allow
# only from these IPs
sshd : 127.0.0.1, localhost : allow
# only from these IPs
sshd : xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy, zzz.zzz.zzz.zzz : allow
# from the rest we don't accept
sshd : ALL : deny
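Two details of sshd_config matter when applying settings like the ones above: sshd honours the first occurrence of a keyword (a later duplicate is silently ignored), and anything below a Match line is conditional rather than global. The following is an added example, my own code rather than mar's or OpenSSH's: it reads the global section of a sshd_config, reports settings that contradict the advice in this post, and rewrites the file with those settings placed first so they cannot be overridden. The weak sample config, the 30-second ceiling for LoginGraceTime and the user name Sox in the allow-list are assumptions; hosts.allow is not handled here.

```python
import re

# Constructed sample of a permissive sshd_config (not from the thread).
WEAK_CONFIG = """\
# constructed sample resembling a stock sshd_config of the era
Port 22
#PermitRootLogin yes
PermitRootLogin yes
LoginGraceTime 120
PasswordAuthentication yes
"""

MAX_LOGIN_GRACE = 30  # seconds; assumed policy ceiling (mar uses 10)

# Keyword and value may be separated by whitespace or by '='.
SPLIT_RE = re.compile(r"\s*=\s*|\s+")


def parse_global_directives(text):
    """Map lowercase keyword -> value for the global section of a sshd_config.
    sshd keeps the FIRST occurrence of a keyword, treats only whole lines
    starting with '#' as comments, and makes everything after a 'Match' line
    conditional, so global parsing stops there."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = SPLIT_RE.split(line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        directives.setdefault(keyword, value)  # first occurrence wins
    return directives


def audit(text):
    """Return (Keyword, problem) pairs for settings that contradict the post's advice."""
    d = parse_global_directives(text)
    findings = []
    # The historical default is 'yes'; an absent directive is therefore a finding.
    if d.get("permitrootlogin", "yes") != "no":
        findings.append(("PermitRootLogin", "not explicitly 'no'; root is a guessable target"))
    if d.get("permitemptypasswords", "no") != "no":
        findings.append(("PermitEmptyPasswords", "empty passwords accepted; set 'no'"))
    grace = d.get("logingracetime", "120")  # sshd's default is 120 seconds
    if not grace.isdigit() or int(grace) > MAX_LOGIN_GRACE:
        findings.append(("LoginGraceTime", f"{grace!r} exceeds the assumed ceiling of {MAX_LOGIN_GRACE}s"))
    if "allowusers" not in d and "allowgroups" not in d:
        findings.append(("AllowUsers", "no allow-list; every local account is a valid login target"))
    return findings


def harden(text, allow_users=("Sox",), grace_seconds=10):
    """Return the config with the post's settings placed at the top. Because sshd
    honours the first occurrence, putting them first overrides any duplicate
    further down; the old global lines are dropped so the file stays readable.
    Lines inside Match blocks are left untouched, as they are conditional."""
    wanted = {
        "PermitRootLogin": "no",
        "PermitEmptyPasswords": "no",
        "LoginGraceTime": str(grace_seconds),
        "AllowUsers": " ".join(allow_users),
    }
    managed = {k.lower() for k in wanted}
    kept, in_match = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            keyword = SPLIT_RE.split(line, maxsplit=1)[0].lower()
            if keyword == "match":
                in_match = True
            if keyword in managed and not in_match:
                continue  # replaced by the header lines below
        kept.append(raw)
    header = [f"{k} {v}" for k, v in wanted.items()]
    return "\n".join(header + kept) + "\n"


if __name__ == "__main__":
    for keyword, problem in audit(WEAK_CONFIG):
        print(f"{keyword}: {problem}")
    print(harden(WEAK_CONFIG))
```

After editing, `sshd -t` validates the file before a restart; it rejects trailing comments on directive lines, which is why the comments in the post are best kept on lines of their own.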


Sox 30-05-2005 06:51 328505

mar
Thanks! ;)

TbMA 31-05-2005 20:01 328999

>mar: By the way, both machines in the logs are quite real. Judging by the fact that they host websites
Well, then he'll keep hacking away until the Second Coming. :D
Although maybe that's how he did hack the Koreans; over there they love the user "admin" with the password "password". ;)

Sox 01-06-2005 07:54 329079

Quote:

Well, then he'll keep hacking away until the Second Coming. :-D
TbMA
I don't know... their persistence bothered me - they didn't get in the first time, nor the second, but on the 11th, who knows, they might... whatever the password is...

IgorK 01-06-2005 13:01 329169

I, for one, use key-based authentication...

mar 01-06-2005 18:06 329269

IgorK
that's also a medal with two sides: imagine that the machine holding your keys to various servers gets hacked. Got the picture ;]?


Time: 18:20.
© OSzone.net 2001-