I have sshd running on my Linux box (Debian distro). The router routes all ssh requests to that box only. I was looking in my logs for some reason, and I saw the following in auth.log:
Jun 12 14:13:04 localhost sshd: Illegal user play from 188.8.131.52
Jun 12 14:13:05 localhost sshd: Illegal user open from 184.108.40.206
Jun 12 14:13:07 localhost sshd: Illegal user dulap from 220.127.116.11
Jun 12 14:13:09 localhost sshd: Illegal user if from 18.104.22.168
Jun 12 14:13:10 localhost sshd: Illegal user uk from 22.214.171.124
Jun 12 14:13:12 localhost sshd: Illegal user us from 126.96.36.199
Jun 12 14:13:14 localhost sshd: Illegal user alinus from 188.8.131.52
Jun 12 14:13:15 localhost sshd: Illegal user rumeno from 184.108.40.206
Jun 12 14:13:17 localhost sshd: Illegal user it from 220.127.116.11
It goes on and on. Looking back, this happens to me a lot, and not always from the same IP. Running grep on the whole log directory, the lame-ass scripts don't try any of my actual user names, so I don't even know what it would try to do if it found a valid username - brute force the password maybe?
Anyway, this annoys me, and it seems like this would be against most providers' terms and conditions. Is there any way I can try to notify the providers that there are users not playing nice? I would love to get some of these punks kicked off of their service or something. Or is it not even worth the hassle?
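As an added example (not from anyone in this thread), here is the kind of small log-watching script that turns those auth.log lines into a per-source summary: guesses per IP, sources that hit a threshold within a time window, and whether any guessed name is a real local account. The sample input is the nine lines quoted above; the local user names passed in are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# "Illegal user" is the older OpenSSH wording quoted in the post; newer releases say "Invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd(?:\[\d+\])?: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>[0-9.]+)"
)

# Sample input: the nine auth.log lines quoted in the post.
SAMPLE_LOG = """\
Jun 12 14:13:04 localhost sshd: Illegal user play from 188.8.131.52
Jun 12 14:13:05 localhost sshd: Illegal user open from 184.108.40.206
Jun 12 14:13:07 localhost sshd: Illegal user dulap from 220.127.116.11
Jun 12 14:13:09 localhost sshd: Illegal user if from 18.104.22.168
Jun 12 14:13:10 localhost sshd: Illegal user uk from 22.214.171.124
Jun 12 14:13:12 localhost sshd: Illegal user us from 126.96.36.199
Jun 12 14:13:14 localhost sshd: Illegal user alinus from 188.8.131.52
Jun 12 14:13:15 localhost sshd: Illegal user rumeno from 184.108.40.206
Jun 12 14:13:17 localhost sshd: Illegal user it from 220.127.116.11
"""

def parse_attempts(log_text, year=2000):
    """Return [(timestamp, username, source_ip)]; syslog omits the year, so the caller supplies one."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            attempts.append((ts, m["user"], m["ip"]))
    return attempts

def summarize(log_text, local_users=(), threshold=2, window_s=60):
    """Count guesses per source IP, flag sources reaching `threshold` within `window_s`
    seconds, and report guessed names that are real local accounts (the grep check in the post)."""
    attempts = parse_attempts(log_text)
    by_ip = defaultdict(list)
    for ts, _, ip in attempts:
        by_ip[ip].append(ts)
    flagged = sorted(ip for ip, stamps in by_ip.items()
                     if len(stamps) >= threshold
                     and (max(stamps) - min(stamps)).total_seconds() <= window_s)
    local_hits = sorted({user for _, user, _ in attempts if user in set(local_users)})
    times = [ts for ts, _, _ in attempts]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"total": len(attempts), "span_seconds": span,
            "per_ip": {ip: len(stamps) for ip, stamps in by_ip.items()},
            "flagged": flagged, "local_hits": local_hits}
```

On a real box you would feed it the file contents, e.g. `summarize(open("/var/log/auth.log").read(), local_users=("root", "yourname"))`, and a low `total`/`span_seconds` ratio spread over many IPs (as in the sample) points at a distributed scan rather than one host.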
Any script kiddie worth the name will be doing this from other machines that have already been compromised or public computers, not directly from their own connection. Of course, it would be nice to let the owners of the robots know they need to clean house.
Yeah, it would be nice to let people know that their computer is a zombie, but I have no idea how I would go about doing it. I’m sure an ISP would not give out an email address based on an IP address that’s probably dynamic and could have changed already. I also have no way of knowing if I’m just seeing a router on a company network or something. I don’t think I’m going to bother.
I may implement some sort of port-knocking solution, like this one [linuxjournal.com]. Derleth, I think this would actually increase my security quite a bit. Apparently there are knocking clients that will connect to your knock ports to open port 22, and can also knock other ports to close 22 again when you're done. Might be overkill, but doesn't seem like a lot of work. It's my personal machine, so I don't really have to worry about making it available to other users.
One last question - what’s the easiest way to see if I’m being port-scanned? I would be especially interested in seeing if people are trying to connect to daemons that I don’t even realize I have running. I’m finding Debian to be quite easy to work with, but it definitely installs and runs a lot more services out of the box than Gentoo did. That’s the trade-off, I guess.
Tower Dweller: That port-knocking solution looks good. It’s the equivalent of a second password, though, with all the good and bad that entails: If a lot of people use the same sequence, the bad guys will learn it and invalidate the scheme. The up-side is that sequences should be more difficult to guess: There’s no dictionary they can look through to aid brute-forcing.