I think I've got a small break-in :-)

havner havner at smtp.kamp.pl
Thu, 21 Oct 2004, 23:47:24 CEST


On Thu, Oct 21, 2004 at 11:00:22PM +0200, marcin steć wrote:
> I just found this in /var/log/secure:
> 
> Oct 21 22:36:32 vanish sshd[3532]: Illegal user rolo from ::ffff:65.198.47.75
> Oct 21 22:36:32 vanish sshd[3532]: input_userauth_request: illegal user rolo
> Oct 21 22:36:37 vanish sshd[3532]: Address 65.198.47.75 maps to host75.ironhide.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Oct 21 22:36:37 vanish sshd[3532]: error: Could not get shadow information for NOUSER
> Oct 21 22:36:37 vanish sshd[3532]: Failed password for illegal user rolo from ::ffff:65.198.47.75 port 44814 ssh2
> Oct 21 22:36:37 vanish sshd[3532]: Received disconnect from ::ffff:65.198.47.75: 11: Bye Bye
> Oct 21 22:36:39 vanish sshd[3533]: Illegal user iceuser from ::ffff:65.198.47.75
> Oct 21 22:36:39 vanish sshd[3533]: input_userauth_request: illegal user iceuser
> Oct 21 22:36:39 vanish sshd[3533]: Address 65.198.47.75 maps to host75.ironhide.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Oct 21 22:36:39 vanish sshd[3533]: error: Could not get shadow information for NOUSER
> 
> As a courtesy I ran nmap against that address, but nothing interesting came out of it:
> Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-10-21 22:48 CEST
> Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> Interesting ports on host75.ironhide.com (65.198.47.75):
> (The 1662 ports scanned but not shown below are in state: filtered)
> PORT   STATE SERVICE
> 22/tcp open  ssh
> Device type: broadband router|router|general purpose
> Running: Conexant embedded, Draytek embedded, FreeSCO Linux 2.0.X, Linux 
                                                    ^^^

And everything is clear ;-)

> 2.4.X|2.5.X, Siemens embedded
> Too many fingerprints match this host to give specific OS details
> Uptime 62.033 days (since Fri Aug 20 22:04:43 2004)
> 
> Nmap run completed -- 1 IP address (1 host up) scanned in 224.000 seconds
> 
> 
> I'm wondering what set of iptables rules would get rid of this pest...
> Basically, from the outside I only need to get in over ssh. The problem is that I have
> a single NIC, and on it a dynamic IP from the cable provider plus a static one for
> talking to a few VMware machines. The box also acts as the gateway for those
> VMs. The rules so far are:
> 
> [root w vanish /root]# iptables-save
> # Generated by iptables-save v1.2.11 on Thu Oct 21 22:58:58 2004
> *nat
> :PREROUTING ACCEPT [15447:811805]
> :POSTROUTING ACCEPT [30923:1588841]
> :OUTPUT ACCEPT [30939:1592202]
> -A POSTROUTING -s 172.16.80.0/255.255.240.0 -j MASQUERADE
> COMMIT
> # Completed on Thu Oct 21 22:58:58 2004
> # Generated by iptables-save v1.2.11 on Thu Oct 21 22:58:58 2004
> *filter
> :INPUT ACCEPT [103728:43556812]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [141277:93871525]
> -A FORWARD -s 172.16.80.0/255.255.240.0 -j ACCEPT
> -A FORWARD -d 172.16.80.0/255.255.240.0 -j ACCEPT
> COMMIT
> # Completed on Thu Oct 21 22:58:58 2004

But those rules do nothing beyond masquerading; there is no protection here
at all. And those lines with ACCEPT on FORWARD are unnecessary, because if
you don't block it, forward is open by default.

-- 
Regards    Havner                      {jid,mail}:havner(at)pld-linux.org
PLD developer && PLD 2.0 release manager         http://www.pld-linux.org
PLD LiveCD author                             http://livecd.pld-linux.org
                   "Quis custodiet ipsos custodes?"
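A ruleset that meets the requirement stated in the quoted message (only ssh reachable from outside, the box still masquerading and routing for the 172.16.80.0/20 VM network, and the forwarding-only ACCEPT rules replaced by a default-deny INPUT chain), written as an added example by the editor and not taken from either poster. It assumes the `state` and `recent` iptables extensions are available and that the VM subnet is the one already masqueraded above; the function prints an iptables-restore file so the ruleset can be reviewed before loading.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a single-NIC box that
# is both an ssh-reachable host and the NAT gateway for the VM network.
# Assumption (not from the thread): VM subnet as masqueraded in the quoted
# iptables-save output; the 'state' and 'recent' match extensions exist.
VM_NET="172.16.80.0/20"

build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# keep the existing masquerade for the VM network
-A POSTROUTING -s ${VM_NET} -j MASQUERADE
COMMIT
*filter
# default-deny inbound and forwarded traffic; outbound stays open
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the VMs may talk to the gateway itself (DNS, DHCP, etc.)
-A INPUT -s ${VM_NET} -j ACCEPT
# ssh from anywhere, but at most 4 new connections per source per minute;
# the 5th within 60 s is dropped, which blunts user-list guessing like above
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# log what falls through to the DROP policy so scans show up in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
# routing: VMs out, replies back in; nothing else is forwarded
-A FORWARD -s ${VM_NET} -j ACCEPT
-A FORWARD -d ${VM_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# review first, then load:  build_ruleset > /tmp/rules && iptables-restore < /tmp/rules
```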




More information about the pld-users-pl mailing list