I have a couple of servers that sit out on the Internet, and every day I get a little report on how they are doing, and if someone is trying to break into them. Today I got this report:

sshd:
Authentication Failures:
root (121.100.48.130): 1353 Time(s)
unknown (121.100.48.130): 1148 Time(s)
root (61.168.227.12): 582 Time(s)
root (125.141.237.100): 165 Time(s)
root (180.68.206.31): 99 Time(s)
unknown (125.141.237.100): 93 Time(s)
unknown (61.168.227.12): 60 Time(s)
unknown (180.68.206.31): 42 Time(s)
root (222.211.78.20): 23 Time(s)
adm (121.100.48.130): 6 Time(s)
bin (121.100.48.130): 3 Time(s)
dbus (121.100.48.130): 3 Time(s)
ftp (121.100.48.130): 3 Time(s)
games (121.100.48.130): 3 Time(s)
gopher (121.100.48.130): 3 Time(s)
halt (121.100.48.130): 3 Time(s)
lp (121.100.48.130): 3 Time(s)
mail (121.100.48.130): 3 Time(s)
mailnull (121.100.48.130): 3 Time(s)
mysql (121.100.48.130): 3 Time(s)
mysql (125.141.237.100): 3 Time(s)
named (121.100.48.130): 3 Time(s)
news (121.100.48.130): 3 Time(s)
nobody (121.100.48.130): 3 Time(s)
nscd (121.100.48.130): 3 Time(s)
operator (121.100.48.130): 3 Time(s)
pcap (121.100.48.130): 3 Time(s)
root (123.30.98.50): 3 Time(s)
rpc (121.100.48.130): 3 Time(s)
shutdown (121.100.48.130): 3 Time(s)
smmsp (121.100.48.130): 3 Time(s)
sshd (121.100.48.130): 3 Time(s)
sync (121.100.48.130): 3 Time(s)
unknown (222.211.78.20): 3 Time(s)
uucp (121.100.48.130): 3 Time(s)
nfsnobody (121.100.48.130): 2 Time(s)
rpcuser (121.100.48.130): 2 Time(s)
haldaemon (121.100.48.130): 1 Time(s)
unknown (123.30.98.50): 1 Time(s)

The biggest offender is of course 121.100.48.130 which I was surprised to see was Afghan Wireless. Nothing like being hacked from some jerkoff halfway around the world where my tax dollars are most likely feeding his family. The other joker is 61.168.227.12 from China Unicom Henan province network. Did you guys not learn from hacking Google? If I wasn’t so extremely tired from work I’d care more about this. 1347 attempted break-ins in a single day. The lesson of the day is to use secure passwords and also to use automatic lockout systems so that pretty much none of their attempts would have worked out.

The tool for today is DenyHosts, an open-source Python script that watches for SSH attacks and blocks the offending IPs for a period of time or forever. It allows you to sync your blocks with their server and receive a list of blocked hosts from other DenyHosts users. Definitely worth checking out. It works on CentOS, but also OS X, Fedora, Mandrake, FreeBSD, OpenBSD, and SuSE.
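To show what an automatic lockout actually does with a report like the one above, here is a small added example (my own code, not DenyHosts' or logwatch's). It parses the "Authentication Failures" lines in the format shown above, totals failures per source IP, and applies three separate thresholds in the spirit of DenyHosts' config, which keeps different limits for root, valid users and invalid users; the threshold values, the two 192.0.2.x sample hosts and the hosts.deny output format are my assumptions, chosen so the example also shows a host that is not blocked.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the logwatch lines from the post, plus two
# made-up TEST-NET hosts (192.0.2.10 and 192.0.2.11) to exercise the
# valid-user and invalid-user thresholds.
SAMPLE_REPORT = """\
sshd:
Authentication Failures:
root (121.100.48.130): 1353 Time(s)
unknown (121.100.48.130): 1148 Time(s)
root (61.168.227.12): 582 Time(s)
root (125.141.237.100): 165 Time(s)
unknown (61.168.227.12): 60 Time(s)
root (222.211.78.20): 23 Time(s)
mysql (125.141.237.100): 3 Time(s)
unknown (222.211.78.20): 3 Time(s)
root (123.30.98.50): 3 Time(s)
unknown (123.30.98.50): 1 Time(s)
alice (192.0.2.10): 4 Time(s)
unknown (192.0.2.11): 7 Time(s)
"""

# One report line: "<user> (<ipv4>): <count> Time(s)". logwatch reports
# attempts against non-existent accounts under the user name "unknown".
LINE_RE = re.compile(
    r"^(?P<user>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\): (?P<count>\d+) Time\(s\)$"
)


def parse_failures(report):
    """Return a list of (user, ip, count) tuples; lines that do not match are skipped."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("user"), m.group("ip"), int(m.group("count"))))
    return entries


def totals_by_ip(report):
    """Sum failures per source IP regardless of the account that was tried."""
    totals = defaultdict(int)
    for _, ip, count in parse_failures(report):
        totals[ip] += count
    return dict(totals)


def block_decisions(report, root_threshold=1, valid_threshold=10, invalid_threshold=5):
    """Return {ip: reason} for every host that crossed one of the thresholds.

    Thresholds are assumptions for this example: a single failed root login is
    enough, invalid account names get a small allowance, real users a larger one
    so that a legitimate fat-fingered password does not lock anyone out.
    """
    reasons = {}
    for user, ip, count in parse_failures(report):
        if user == "root":
            limit, kind = root_threshold, "root"
        elif user == "unknown":
            limit, kind = invalid_threshold, "invalid user"
        else:
            limit, kind = valid_threshold, "valid user"
        # First rule that fires is recorded as the reason; later lines cannot unblock.
        if count >= limit and ip not in reasons:
            reasons[ip] = f"{count} failures as {kind} {user!r} (limit {limit})"
    return reasons


def hosts_deny_lines(report, **thresholds):
    """Render the blocked hosts as TCP-wrapper style lines for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(block_decisions(report, **thresholds))]


if __name__ == "__main__":
    for ip, total in sorted(totals_by_ip(SAMPLE_REPORT).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {total:6} failures")
    print()
    for ip, why in block_decisions(SAMPLE_REPORT).items():
        print(f"block {ip}: {why}")
    print()
    print("\n".join(hosts_deny_lines(SAMPLE_REPORT)))
```

Run it and note that 192.0.2.10 stays unblocked: four failures against a real account is below the valid-user limit, while 192.0.2.11 is blocked on seven guesses at accounts that do not exist. That is the property the post is after: a real user can mistype a password a few times, but a scanner walking the account list gets shut out long before it reaches the 1353 tries that 121.100.48.130 was allowed here.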
