8 posts in this topic

Posted

are on my server? I just noticed the same ip that I'm not familiar access different accounts. Is it really that easy to get user accounts from the app?

Share this post


Link to post
Share on other sites

Posted

AS far as I know you have to build the accounts and then give access.

Share this post


Link to post
Share on other sites

Posted

yah you have to be able to give them accounts unless you man anonymous sign in account...make sure you do not have those. Your server should be able to see everyone that signed on.

Share this post


Link to post
Share on other sites

Posted

Yeah its fairly simple to try admin, root, testuser, billy, bobby, nobody, etc.. etc. They just run through the list trying random passwords as well.

Any ftp server you put on the net is going to see this noise.

What was this top secret username they found? - ftpuser? ;)

Share this post


Link to post
Share on other sites

Posted

For some reason the last half of my lastb log has no usernames or passwords :s but here's part of it to compare with;

aachu ssh:notty 122.55.83.138 Mon Aug 6 17:34 - 17:34 (00:00)

sales ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)

staff ssh:notty 211.155.233.147 Sun Aug 5 16:29 - 16:29 (00:00)

root ssh:notty 213.229.93.218 Sun Aug 5 13:31 - 13:31 (00:00)

root ssh:notty 184.105.154.38 Sun Aug 5 09:44 - 09:44 (00:00)

aaron ssh:notty 211.144.158.130 Fri Aug 3 14:20 - 14:20 (00:00)

root ssh:notty 31.222.158.83 Fri Aug 3 10:12 - 10:12 (00:00)

uucps ssh:notty 176.10.238.79 Thu Aug 2 07:34 - 07:34 (00:00)

root ssh:notty 86.140.51.159 Wed Aug 1 08:29 - 08:29 (00:00)

root ssh:notty 115.144.181.19 Wed Aug 1 01:37 - 01:37 (00:00)

root ssh:notty 203.162.163.160 Tue Jul 31 03:13 - 03:13 (00:00)

root ssh:notty 195.22.8.226 Tue Jul 31 02:45 - 02:45 (00:00)

root ssh:notty 119.254.88.100 Mon Jul 30 20:49 - 20:49 (00:00)

dpnroot ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)

root ssh:notty 210.14.64.88 Mon Jul 30 14:34 - 14:34 (00:00)

root ssh:notty 66.135.61.57 Sun Jul 29 11:52 - 11:52 (00:00)

root ssh:notty 210.14.64.68 Sun Jul 29 07:42 - 07:42 (00:00)

root ssh:notty 94.23.72.122 Sun Jul 29 00:40 - 00:40 (00:00)

root ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)

bin ssh:notty 213.206.86.210 Sat Jul 28 12:06 - 12:06 (00:00)

Share this post


Link to post
Share on other sites

Posted

what? See plenty of usernames there - sales, staff, root.

Where did you pull those logs? Yeah they can go on for hundreds if not thousands of attempts from the same IP. Which is why you normally don't allow username password auth on something you want to secure - unless your going to lock it down to source IP.

my ssh server is locked to public key auth only. And sshguard kills them after 4 attempts anyway to keep the logs cleaner.


Oct  1 00:15:43 ubuntu sshguard[1219]: Blocking 200.141.223.78:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).

Oct  2 05:16:21 ubuntu sshguard[1219]: Blocking 211.155.229.103:4 for >630secs: 40 danger in 4 attacks over 1167 seconds (all: 40d in 1 abuses over 1167s).

Oct  2 10:37:04 ubuntu sshguard[1219]: Blocking 98.126.49.26:4 for >630secs: 40 danger in 4 attacks over 2 seconds (all: 40d in 1 abuses over 2s).

Oct  2 12:04:59 ubuntu sshguard[1219]: Blocking 211.144.158.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).

Oct  3 03:14:46 ubuntu sshguard[1219]: Blocking 187.5.66.12:4 for >630secs: 40 danger in 4 attacks over 39 seconds (all: 40d in 1 abuses over 39s).

Oct  3 15:34:39 ubuntu sshguard[1219]: Blocking 194.65.138.9:4 for >630secs: 40 danger in 4 attacks over 186 seconds (all: 40d in 1 abuses over 186s).

Oct  4 07:08:48 ubuntu sshguard[1219]: Blocking 210.118.169.5:4 for >630secs: 40 danger in 4 attacks over 26 seconds (all: 40d in 1 abuses over 26s).

Oct  4 08:24:41 ubuntu sshguard[1219]: Blocking 189.26.255.11:4 for >630secs: 40 danger in 4 attacks over 1 seconds (all: 40d in 1 abuses over 1s).

Oct  4 08:58:46 ubuntu sshguard[1219]: Blocking 91.205.189.15:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).

Oct  4 10:00:21 ubuntu sshguard[1219]: Blocking 201.83.151.207:4 for >630secs: 40 danger in 4 attacks over 171 seconds (all: 40d in 1 abuses over 171s).

Share this post


Link to post
Share on other sites

Posted

My server :p

I've got sshguard on but it isn't actually active because the traffics redirected to SNORT instead and I still haven't worked out how to reinject certain SNORT packets back into iptables to sshguard :/ although SNORT does seem to block access for about 20 minutes if more than 2 connections in that time happen, again not really sure why it does that but I'm fine with it doing that haha.

Share this post


Link to post
Share on other sites

Posted

Budman, I'm probably just going to lock it down by ip. I don't see really another way of handling it since I do want to use username / passwords

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.