I think I've got a little break-in :-)

marcin steć marcinek at nea.pl
Thu, 21 Oct 2004, 23:00:22 CEST


I've just found this in /var/log/secure:

Oct 21 22:36:32 vanish sshd[3532]: Illegal user rolo from ::ffff:65.198.47.75
Oct 21 22:36:32 vanish sshd[3532]: input_userauth_request: illegal user rolo
Oct 21 22:36:37 vanish sshd[3532]: Address 65.198.47.75 maps to host75.ironhide.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Oct 21 22:36:37 vanish sshd[3532]: error: Could not get shadow information for NOUSER
Oct 21 22:36:37 vanish sshd[3532]: Failed password for illegal user rolo from ::ffff:65.198.47.75 port 44814 ssh2
Oct 21 22:36:37 vanish sshd[3532]: Received disconnect from ::ffff:65.198.47.75: 11: Bye Bye
Oct 21 22:36:39 vanish sshd[3533]: Illegal user iceuser from ::ffff:65.198.47.75
Oct 21 22:36:39 vanish sshd[3533]: input_userauth_request: illegal user iceuser
Oct 21 22:36:39 vanish sshd[3533]: Address 65.198.47.75 maps to host75.ironhide.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Oct 21 22:36:39 vanish sshd[3533]: error: Could not get shadow information for NOUSER

Out of courtesy I ran nmap against that address, but nothing interesting came of it:
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-10-21 22:48 CEST
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on host75.ironhide.com (65.198.47.75):
(The 1662 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
22/tcp open  ssh
Device type: broadband router|router|general purpose
Running: Conexant embedded, Draytek embedded, FreeSCO Linux 2.0.X, Linux 2.4.X|2.5.X, Siemens embedded
Too many fingerprints match this host to give specific OS details
Uptime 62.033 days (since Fri Aug 20 22:04:43 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 224.000 seconds


So I'm wondering what set of iptables rules would get rid of the pest...
Basically, from outside I only need to get in over ssh. The problem is that I have
one NIC, with a dynamic IP from the cable provider and a static one for talking
to a few VMware guests. The machine also acts as the gateway for those VMs.
The rules so far are:

[root@vanish /root]# iptables-save
# Generated by iptables-save v1.2.11 on Thu Oct 21 22:58:58 2004
*nat
:PREROUTING ACCEPT [15447:811805]
:POSTROUTING ACCEPT [30923:1588841]
:OUTPUT ACCEPT [30939:1592202]
-A POSTROUTING -s 172.16.80.0/255.255.240.0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 21 22:58:58 2004
# Generated by iptables-save v1.2.11 on Thu Oct 21 22:58:58 2004
*filter
:INPUT ACCEPT [103728:43556812]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [141277:93871525]
-A FORWARD -s 172.16.80.0/255.255.240.0 -j ACCEPT
-A FORWARD -d 172.16.80.0/255.255.240.0 -j ACCEPT
COMMIT
# Completed on Thu Oct 21 22:58:58 2004

regards
marcinek
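As an added example (not code from the original post, and not a PLD script), the POSIX shell script below does the two things the post gestures at: it harvests, from /var/log/secure lines in the format quoted above, the source addresses that tried non-existent users, and it emits an iptables-restore ruleset for the setup described (one NIC, dynamic cable address, static 172.16.80.0/20 for the VMware guests, SSH the only service reachable from outside, the box forwarding for the guests). The sample log lines are constructed; the SSH rate limit assumes the ipt_recent and state match modules are available, which the post does not say.

```shell
# Added example, not from the original post: harvest brute-force sources from
# sshd log lines and emit an iptables-restore ruleset that exposes only SSH.
# Assumptions not in the post: the ipt_recent and state match modules are
# available; the ruleset is written to stdout, to be reviewed and then loaded
# with iptables-restore.

# Constructed sample in the format of the /var/log/secure lines from the post.
SAMPLE_LOG='Oct 21 22:36:32 vanish sshd[3532]: Illegal user rolo from ::ffff:65.198.47.75
Oct 21 22:36:37 vanish sshd[3532]: Failed password for illegal user rolo from ::ffff:65.198.47.75 port 44814 ssh2
Oct 21 22:36:39 vanish sshd[3533]: Illegal user iceuser from ::ffff:65.198.47.75
Oct 21 22:40:01 vanish sshd[3540]: Accepted publickey for marcinek from ::ffff:172.16.80.5 port 5022 ssh2'

# Print "count ip" for every source that tried a non-existent user, busiest first.
# The optional IPv4-mapped prefix ::ffff: is stripped so the address fits a -s rule.
illegal_user_sources() {
    printf '%s\n' "$1" \
      | sed -n 's/.*sshd\[[0-9]*\]: Illegal user [^ ]* from \(::ffff:\)\{0,1\}\([0-9.]*\).*/\2/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Sources that tried at least $2 non-existent users (default 2), one per line.
offenders() {
    illegal_user_sources "$1" | awk -v t="${2:-2}" '$1 >= t {print $2}'
}

# Emit an iptables-restore ruleset; $1 is a newline-separated list of addresses to drop.
gen_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade the VMware guests behind the dynamic public address (same NAT rule as the post).
-A POSTROUTING -s 172.16.80.0/20 -j MASQUERADE
COMMIT
*filter
# Default-deny on INPUT and FORWARD; OUTPUT stays open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    # Harvested offenders are dropped before any ACCEPT rule is consulted.
    printf '%s\n' "$1" | while IFS= read -r ip; do
        if [ -n "$ip" ]; then printf '%s\n' "-A INPUT -s $ip -j DROP"; fi
    done
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -s 172.16.80.0/20 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere, but one source gets at most 3 new connections per minute.
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Guests may go out; only replies to their own connections come back in.
-A FORWARD -s 172.16.80.0/20 -j ACCEPT
-A FORWARD -d 172.16.80.0/20 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage on the real log: gen_ruleset "$(offenders "$(cat /var/log/secure)")" | iptables-restore
gen_ruleset "$(offenders "$SAMPLE_LOG")"
```

Two caveats worth keeping in mind: the default policy switches from ACCEPT to DROP, so anything not listed (DNS from the guests is forwarded, but no other inbound service on the host) is cut off the moment the file is loaded, and because the public and the 172.16.80.0/20 addresses share one NIC, the `-s 172.16.80.0/20 -j ACCEPT` line cannot be tied to an interface; a packet from the cable side with a forged private source would pass it unless rp_filter or the provider drops it, so it is better to limit that rule to the ports the guests actually need.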





More information about the pld-users-pl mailing list