Re: [bitfolk] Small issue related to renumbering

Author: Deanna Earley
Date:  
Subject: Re: [bitfolk] Small issue related to renumbering
as mentioned yesterday.

I haven't looked into this, so please bear with me... I wondered if it
was possible to pool resources (a honeypot?) and/or knowledge in terms
of intrusion attempts, etc. Are the attacks that I receive (a lot of
dictionary/brute force attempts and proxy scans) part of someone/thing
simply scanning a range of Bitfolk IPs?

Would it not make sense to share this information or is this too much effort?

Cheers, Gerald


From andy@??? Thu May 10 17:32:18 2012
Date: Thu, 10 May 2012 17:32:17 +0000
From: Andy Smith <andy@???>
To: users@???
Message-ID: <20120510173217.GD3867@???>
Subject: Re: [bitfolk] A gentle reminder again about protecting against SSH dictionary attacks

Hi Gerald,

On Thu, May 10, 2012 at 06:17:31PM +0100, Gerald Davies wrote:
> Are the attacks that I receive (a lot of dictionary/brute force
> attempts and proxy scans) part of someone/thing simply scanning a
> range of Bitfolk IPs?


They are scanning the entire Internet.

Actually when I do investigations of compromised hosts that have
been engaging in SSH scanning, if I'm lucky enough to find a
.bash_history I often find that the tools used to do the scanning
are quite primitive and only accept IP ranges like:

x.y.z.*
x.y.*

i.e. not CIDR¹ notation. I often find they've done things like

./a 164.238
./a 62.76
./a 192.100

to scan against a few big blocks of addresses.

> Would it not make sense to share this information or is this too much effort?

Would the goal of this to be to block abusive hosts before they have
a few tries against your own host?

I can see a few tricky issues around the possibility of a bug,
mistake or hostile user injecting arbitrary IPs into the system
causing everyone to ban those IPs.

I can see how someone with multiple machines might want a site-wide
block list, but I'm not sure it is worth it for use by multiple
different admins. You'd have to put a lot of effort into securing
it. Seems easier to just protect yourself with the more conventional
ways.

Cheers,
Andy

¹ http://en.wikipedia.org/wiki/CIDR#Subnet_masks

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



From bitfolk-users@??? Thu May 10 17:36:17 2012
Message-ID: <4FABFC8F.5060407@???>
Date: Thu, 10 May 2012 18:36:15 +0100
From: Dom Latter <bitfolk-users@???>
To: users@???
Subject: Re: [bitfolk] A gentle reminder again about protecting against SSH dictionary attacks

On 10/05/12 17:50, James Stanley wrote:
> Just in case you are interested in statistics, I have been running
> Fail2Ban since May 2010 and since then I've had around 6.5k emails
> informing me that an address has been blocked, or about 9 attempts per
> *day*.


Is that all? /var/log/auth.log lists 13,965 failed passwords between
11:33 and 18:54 *yesterday*.

> I think your customers would be a lot more likely to install Fail2Ban
> if they knew just how common this sort of attack was.


These are my security measures:

PermitRootLogin no
AllowUsers foo bar baz


grep "Failed " /var/log/auth.log.0 | awk '{ print $11 }' | sort | uniq -c | sort -V | less

shows where most of the attempts are going, very roughly sorted
into number of attempts. None of them use valid usernames for this
box.

In my opinion it's not worth getting worked up about.

If you are worried about *targeted* dictionary attacks, i.e.
someone going for *you* with thousands of passwords, rather
than thousands of machines with a handful of weak passwords,
th
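As an added example (not part of Dom's message or of any BitFolk tooling), the per-username tally of failed SSH passwords done as a small parser that also handles the valid-account line shape ("Failed password for root from ...", where the username is not field 11) and checks each guessed name against an AllowUsers set; the auth.log lines and the allow list below are constructed:

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the thread); documentation-range IPs.
SAMPLE_AUTH_LOG = """\
May  9 11:33:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May  9 11:33:04 vps sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
May  9 11:33:09 vps sshd[1205]: Failed password for root from 198.51.100.23 port 51000 ssh2
May  9 11:33:12 vps sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 51004 ssh2
May  9 11:34:20 vps sshd[1210]: Failed password for foo from 192.0.2.55 port 2222 ssh2
May  9 11:34:25 vps sshd[1212]: Accepted publickey for foo from 192.0.2.9 port 2223 ssh2
"""

# Matches both shapes sshd writes: "for invalid user NAME from IP" (unknown account)
# and "for NAME from IP" (account exists, wrong password).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failed_logins(log_text):
    """Return one (user, ip) pair per 'Failed password' line, in log order."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs

def summarise(log_text, allow_users):
    """Count failures per username and per source IP, and separately count
    the guesses aimed at names that AllowUsers would actually let in."""
    pairs = parse_failed_logins(log_text)
    by_user = Counter(u for u, _ in pairs)
    by_ip = Counter(ip for _, ip in pairs)
    # These are the only hits worth a second look: a name that exists on the box.
    valid_hits = Counter(u for u, _ in pairs if u in allow_users)
    return {"by_user": by_user, "by_ip": by_ip, "valid_hits": valid_hits}

if __name__ == "__main__":
    # Assumed AllowUsers line from the thread: "AllowUsers foo bar baz".
    report = summarise(SAMPLE_AUTH_LOG, {"foo", "bar", "baz"})
    for user, n in report["by_user"].most_common():
        print(f"{n:5d} {user}")
    print("attempts against allowed accounts:", dict(report["valid_hits"]))
```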