A dictionary attack in the logs
From China, with something less than love, and why I like the Linux reporting tools...
It’s always interesting to take a look at your logs and see when crap is being thrown at you. Case in point, here’s a little sample from last day’s report on my web server:
sshd:
Authentication Failures:
unknown (61.55.135.4): 6847 Time(s)
root (61.55.135.4): 223 Time(s)
operator (61.55.135.4): 66 Time(s)
mysql (61.55.135.4): 54 Time(s)
mail (61.55.135.4): 50 Time(s)
root (218.248.240.190): 50 Time(s)
ftp (61.55.135.4): 42 Time(s)
postfix (61.55.135.4): 14 Time(s)
root (125.210.34.228): 13 Time(s)
apache (61.55.135.4): 8 Time(s)
unknown (125.210.34.228): 8 Time(s)
news (61.55.135.4): 4 Time(s)
nobody (61.55.135.4): 4 Time(s)
adm (61.55.135.4): 3 Time(s)
sshd (61.55.135.4): 3 Time(s)
apache (125.210.34.228): 2 Time(s)
dovecot (61.55.135.4): 2 Time(s)
mysql (125.210.34.228): 2 Time(s)
games (61.55.135.4): 1 Time(s)
lp (61.55.135.4): 1 Time(s)
sync (61.55.135.4): 1 Time(s)
vcsa (61.55.135.4): 1 Time(s)
Invalid Users:
Unknown Account: 6855 Time(s)
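To see how a summary like the one above is produced, here is an added example, not code from the original post and not logwatch's own implementation, that rebuilds the per-account and per-source counts from raw sshd log lines and then picks out the sources that cross a failure threshold. The log lines are constructed for the demo; only the two source addresses come from the report above, while the usernames, ports, hostname and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the "user (ip): N Time(s)"
# summary that logwatch produces for sshd, straight from auth.log-style lines,
# and pull out the sources that cross a failure threshold.
# The log lines below are constructed for the demo; the source addresses are the
# ones quoted in the post, the usernames, ports, host and timestamps are made up.

SAMPLE_LOG='Jan 14 03:12:01 web sshd[4021]: Failed password for invalid user test from 61.55.135.4 port 41022 ssh2
Jan 14 03:12:03 web sshd[4023]: Failed password for invalid user oracle from 61.55.135.4 port 41030 ssh2
Jan 14 03:12:05 web sshd[4025]: Failed password for root from 61.55.135.4 port 41041 ssh2
Jan 14 03:12:06 web sshd[4027]: Failed password for root from 61.55.135.4 port 41043 ssh2
Jan 14 03:12:09 web sshd[4029]: Failed password for mysql from 61.55.135.4 port 41050 ssh2
Jan 14 04:40:12 web sshd[5100]: Failed password for root from 218.248.240.190 port 2201 ssh2
Jan 14 05:01:44 web sshd[5311]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2'

# failures_by_account < log -> "user (ip): N Time(s)" per pair, most frequent first.
# Attempts against accounts that do not exist are reported as "unknown", as logwatch does.
failures_by_account() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            user = "unknown"; ip = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "for" && $(i+1) != "invalid") user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            count[user " (" ip ")"]++
        }
        END { for (k in count) printf "%s: %d Time(s)\n", k, count[k] }' |
    sort -t: -k2,2nr
}

# invalid_user_count < log -> number of attempts against accounts that do not exist
invalid_user_count() {
    awk '/sshd\[[0-9]+\]: Failed password for invalid user / { n++ } END { print n + 0 }'
}

# noisy_sources THRESHOLD < log -> "ip total" for every source at or above THRESHOLD failures
noisy_sources() {
    awk -v t="$1" '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            total[ip]++
        }
        END { for (ip in total) if (total[ip] >= t) print ip, total[ip] }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failures_by_account
printf 'Unknown Account: %s Time(s)\n' "$(printf '%s\n' "$SAMPLE_LOG" | invalid_user_count)"
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

On a real host the same functions read the sshd lines from the system's authentication log (typically /var/log/auth.log or /var/log/secure, depending on the distribution). The threshold in `noisy_sources` is what turns the report into an alert: a single source producing thousands of failures against dozens of accounts, as in the report above, is what a firewall block or a rate-limiting tool should key on, not individual failed logins.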
Wow. Talk about persistent. That 61.55.x.x address is from China (traceroute let me follow the thing up to something beyond a .cn device), and a nice exercise in futility, if there is such a thing. It’s funny to see that he/she/it tried the dictionary approach for the root account, especially when I have a tutorial on how to disable SSH access for root on the site, and I practice what I preach. I’ve actually started adding CIDR address blocks to my firewall from known bad subnet groups from that region.
It’s interesting to see the changes; it used to be that I’d get a lot of stuff from eastern European countries, but now I get more crap from China. I set my firewall to block the packets originating from that address, so they’ll just be dropped on the WAN side of things, without the attacker getting a reject notice. Still, it’s kind of a pain.
Speaking of Chinese traffic, I’m actually also seeing some fallout from the recent Google/Chinese government clash in my web stats:
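The defence the post relies on is that root cannot log in over SSH at all, so a wordlist thrown at the root account has nothing to hit. That is worth verifying rather than assuming, because sshd_config has a few parsing rules that make a quick `grep` misleading. Here is an added example, not from the original post, that reads the file the way sshd itself does: comments and blank lines are ignored, `Key value`, `Key=value` and `Key = value` are all accepted, the first value found for a keyword is the one that applies, and everything after the first `Match` line is conditional and so does not count for the global setting. Both configuration files it audits are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the two
# settings that decide whether an SSH dictionary attack can ever succeed.
# Parsing follows sshd_config(5): comments and blank lines are ignored,
# "Key value", "Key=value" and "Key = value" are all accepted, the FIRST value
# found for a keyword wins, and everything after the first "Match" line is
# conditional, so the global audit stops there.

# sshd_setting FILE KEYWORD -> prints the effective global value, nothing if unset
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # drop indentation
            gsub(/[ \t]*=[ \t]*/, " ", line)       # "Key=value" -> "Key value"
            split(line, f, /[ \t]+/)
            kw = tolower(f[1])
            if (kw == "match") exit                # global section ends at the first Match block
            if (kw == key) { print f[2]; exit }    # first occurrence is the one sshd uses
        }' "$1"
}

# audit_sshd_config FILE -> one line per weak setting; exit status 0 only if none found
audit_sshd_config() {
    findings=0
    root_login=$(sshd_setting "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$root_login" in
        no|prohibit-password|without-password) ;;  # root cannot be password-guessed
        *)
            # Unset means the compiled-in default, which on the OpenSSH releases of the
            # post's era was "yes".
            echo "PermitRootLogin is '${root_login:-unset}': root is the most-guessed account, set it to no"
            findings=$((findings + 1))
            ;;
    esac
    pw_auth=$(sshd_setting "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw_auth" != "no" ]; then
        echo "PasswordAuthentication is '${pw_auth:-unset}': a wordlist can still be tried, use keys only"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Two constructed configs for the demo (sample files, not a real host's).
WEAK_CFG=$(mktemp) && HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# distribution default left in place
Port 22
  PermitRootLogin yes
PasswordAuthentication = yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
cat >"$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
EOF

# Stand-alone run: the weak file reports two findings (the "PermitRootLogin no"
# inside its Match block does not rescue it), the hardened file reports none.
for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    if audit_sshd_config "$cfg"; then
        echo "$cfg: no weak settings"
    else
        echo "$cfg: weak settings found"
    fi
done
```

The firewall half of the post's approach is the difference between the `DROP` and `REJECT` targets in iptables: `DROP` discards the packet silently, which is the behaviour the post describes, while `REJECT` answers with an ICMP error or TCP reset that tells the sender a host is there. The rule form is `iptables -A INPUT -s <blocked CIDR> -j DROP`, where the CIDR is whatever block the operator has decided on (the post gives none, so it is a placeholder here).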
[Web stats table: Robots/Spiders visitors (Top 10), columns Hits / Bandwidth / Last visit; 5 different robots listed, among them BSpider and Yandex bot]
The Baidu spider shows up more frequently now. That’s a fairly high amount of traffic, considering the traces left by the other bots. I’ll keep a closer eye on this.
Bottom line: watch your logs and man your firewall. And network security is a never-ending task.