
Thread: bad guys??

  1. #1 rmvg (Join Date: Sep 2005; Location: Calgary; Posts: 208; Rep Power: 10)

    bad guys??

    I have a bunch of these in my logs. It is very late and I am very tired, so I thought I would throw up this post quickly.

    Did an nslookup on the IP:

    tokyo.computerking.ca > /usr/local/etc/postfix #nslookup 61.129.117.112
    Server: computerking.ca
    Address: 192.168.0.202

    *** computerking.ca can't find 61.129.117.112: Non-existent host/domain

    whois gives me a big hosting company in China.

    Mar 10 21:31:40 shoemasters sshd(pam_unix)[13928]: check pass; user unknown
    Mar 10 21:31:40 shoemasters sshd(pam_unix)[13928]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:31:44 shoemasters sshd(pam_unix)[13930]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=mysql
    Mar 10 21:31:49 shoemasters sshd(pam_unix)[13932]: check pass; user unknown
    Mar 10 21:31:49 shoemasters sshd(pam_unix)[13932]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:31:54 shoemasters sshd(pam_unix)[13934]: check pass; user unknown
    Mar 10 21:31:54 shoemasters sshd(pam_unix)[13934]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:31:59 shoemasters sshd(pam_unix)[13936]: check pass; user unknown
    Mar 10 21:31:59 shoemasters sshd(pam_unix)[13936]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:32:04 shoemasters sshd(pam_unix)[13938]: check pass; user unknown
    Mar 10 21:32:04 shoemasters sshd(pam_unix)[13938]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:32:09 shoemasters sshd(pam_unix)[13940]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=named
    Mar 10 21:32:14 shoemasters sshd(pam_unix)[13942]: check pass; user unknown
    Mar 10 21:32:14 shoemasters sshd(pam_unix)[13942]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:32:19 shoemasters sshd(pam_unix)[13944]: check pass; user unknown
    Mar 10 21:32:19 shoemasters sshd(pam_unix)[13944]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:32:23 shoemasters sshd(pam_unix)[13946]: check pass; user unknown
    Mar 10 21:32:23 shoemasters sshd(pam_unix)[13946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:32:29 shoemasters sshd(pam_unix)[13948]: check pass; user unknown
    Mar 10 21:32:29 shoemasters sshd(pam_unix)[13948]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:32:35 shoemasters sshd(pam_unix)[13962]: check pass; user unknown
    Mar 10 21:32:35 shoemasters sshd(pam_unix)[13962]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
    Mar 10 21:32:40 shoemasters sshd(pam_unix)[14006]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=test
    Computer King

    http://www.computerking.ca

    Sales, Service, and Hosting
    Email, Data, and Web Packages
    Ask about web design specials

    Affiliates
    http://www.computerking.ca/pages/lin...affiliates.htm
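    A quick way to triage a log like the one above, added here as an example (my code, not the poster's and not part of Zimbra): parse the sshd(pam_unix) lines, group failures by rhost, separate probes against accounts that do not exist ("check pass; user unknown") from attempts on real accounts (mysql, named, test), and flag hosts that fail many times in a short span. The embedded sample is the log from this post with the missing "Mar" restored on the first line, plus one constructed line from the documentation address 192.0.2.10; the thresholds in flag_bruteforce are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the sshd(pam_unix) lines quoted in post #1 (with the
# missing "Mar" restored on the first line), plus one made-up line from the
# documentation address 192.0.2.10 so that per-host grouping is visible.
SAMPLE_LOG = """\
Mar 10 21:31:40 shoemasters sshd(pam_unix)[13928]: check pass; user unknown
Mar 10 21:31:40 shoemasters sshd(pam_unix)[13928]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:31:44 shoemasters sshd(pam_unix)[13930]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=mysql
Mar 10 21:31:49 shoemasters sshd(pam_unix)[13932]: check pass; user unknown
Mar 10 21:31:49 shoemasters sshd(pam_unix)[13932]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:31:54 shoemasters sshd(pam_unix)[13934]: check pass; user unknown
Mar 10 21:31:54 shoemasters sshd(pam_unix)[13934]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:31:59 shoemasters sshd(pam_unix)[13936]: check pass; user unknown
Mar 10 21:31:59 shoemasters sshd(pam_unix)[13936]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:04 shoemasters sshd(pam_unix)[13938]: check pass; user unknown
Mar 10 21:32:04 shoemasters sshd(pam_unix)[13938]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:09 shoemasters sshd(pam_unix)[13940]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=named
Mar 10 21:32:14 shoemasters sshd(pam_unix)[13942]: check pass; user unknown
Mar 10 21:32:14 shoemasters sshd(pam_unix)[13942]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:19 shoemasters sshd(pam_unix)[13944]: check pass; user unknown
Mar 10 21:32:19 shoemasters sshd(pam_unix)[13944]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:23 shoemasters sshd(pam_unix)[13946]: check pass; user unknown
Mar 10 21:32:23 shoemasters sshd(pam_unix)[13946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:29 shoemasters sshd(pam_unix)[13948]: check pass; user unknown
Mar 10 21:32:29 shoemasters sshd(pam_unix)[13948]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:35 shoemasters sshd(pam_unix)[13962]: check pass; user unknown
Mar 10 21:32:35 shoemasters sshd(pam_unix)[13962]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:40 shoemasters sshd(pam_unix)[14006]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=test
Mar 10 21:40:02 shoemasters sshd(pam_unix)[14100]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"authentication failure; .*?rhost=(?P<rhost>\S+)(?: user=(?P<user>\S+))?\s*$"
)
UNKNOWN_RE = re.compile(r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: check pass; user unknown")


def parse_failures(log_text):
    """Return [(timestamp, rhost, user)] for every pam_unix auth failure.
    user is None when sshd logged "check pass; user unknown" for that PID,
    i.e. the probed account does not exist here. syslog lines carry no year,
    so strptime defaults to 1900; only differences between timestamps matter."""
    lines = log_text.splitlines()
    unknown_pids = {m.group("pid") for m in map(UNKNOWN_RE.search, lines) if m}
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        user = None if m.group("pid") in unknown_pids else m.group("user")
        events.append((ts, m.group("rhost"), user))
    return events


def summarize(log_text):
    """Per-source-host counts: total failures, failures against non-existent
    accounts, real account names tried, and the first-to-last span in seconds."""
    hosts = defaultdict(lambda: {"failures": 0, "unknown_user": 0,
                                 "users_tried": [], "first": None, "last": None})
    for ts, rhost, user in parse_failures(log_text):
        h = hosts[rhost]
        h["failures"] += 1
        if user is None:
            h["unknown_user"] += 1
        elif user not in h["users_tried"]:
            h["users_tried"].append(user)
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    for h in hosts.values():
        h["span_seconds"] = int((h["last"] - h["first"]).total_seconds())
    return dict(hosts)


def flag_bruteforce(summary, min_failures=5, max_span_seconds=300):
    """Hosts whose failures are both numerous and tightly clustered in time.
    Thresholds are arbitrary; tune them to what a human typo storm looks like."""
    return sorted(host for host, h in summary.items()
                  if h["failures"] >= min_failures
                  and h["span_seconds"] <= max_span_seconds)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host in flag_bruteforce(report):
        h = report[host]
        print(f"{host}: {h['failures']} failures in {h['span_seconds']}s, "
              f"{h['unknown_user']} against unknown accounts, "
              f"real accounts tried: {', '.join(h['users_tried']) or 'none'}")
```

    On the posted log this reports 61.129.117.112 with 13 failures in 60 seconds, 10 of them against accounts that do not exist and three against real service accounts (mysql, named, test); the one-every-five-seconds cadence and the walk through common account names are what a scripted probe looks like. Feed it your real /var/log/auth.log (or wherever pam_unix lines end up on your distribution) and the per-host grouping shows at a glance how many distinct sources are hitting you, which is the number that decides whether per-IP firewall rules are workable.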

  2. #2 KevinH (Join Date: Aug 2005; Location: San Mateo, CA; Posts: 4,789; Rep Power: 19)


    Just block the IP at your firewall.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #3 rmvg (Join Date: Sep 2005; Location: Calgary; Posts: 208; Rep Power: 10)


    Speaking of which, is there a list of ports I need for Zimbra somewhere?

  4. #4 (Join Date: Sep 2005; Posts: 2,103; Rep Power: 14)


    Search the forums.

  5. #5 rmvg (Join Date: Sep 2005; Location: Calgary; Posts: 208; Rep Power: 10)


    While I'm on this string of questions that have little or no bearing on Zimbra, like bad guys and firewalls, I have one more to get out of my system. I'm sure this one is in the docs, but I cannot seem to find it there or on the forums. When I click "remember me on this computer" on the login screen, Zimbra does seem to remember me, but not for long enough. Is there a way to set this, and where?

  6. #6 KevinH (Join Date: Aug 2005; Location: San Mateo, CA; Posts: 4,789; Rep Power: 19)


    Quote Originally Posted by rmvg
    While I'm on this string of questions that have little or no bearing on Zimbra, like bad guys and firewalls, I have one more to get out of my system. I'm sure this one is in the docs, but I cannot seem to find it there or on the forums. When I click "remember me on this computer" on the login screen, Zimbra does seem to remember me, but not for long enough. Is there a way to set this, and where?
    It's not changeable. All we remember is the user name. You'll still have to enter the password as your auth token doesn't last forever. You can set the auth token time in the admin UI.

  7. #7 Mike (Join Date: Oct 2005; Location: Coeur d'Alene, ID; Posts: 59; Rep Power: 9)


    Quote Originally Posted by KevinH
    Just block the IP at your firewall.
    I think you may wind up adding a lot of IPs to your firewall rules. I noticed ssh probes as soon as I had my Zimbra machine up on the Internet... from many different IPs. Almost all of them looked like automated (scripted) ssh probes. They would try name after name after name for ssh.

    Two suggestions.

    1) Rather than block IPs, have a default rule of DENY in your firewall. Then, add ALLOW rules for only those IPs that you want. All other IPs are dropped on the floor.

    2) Add "AllowUsers yourname" to your sshd_config file. So, even if they get through your firewall, and even if they have an account on your Zimbra machine, only yourname will be allowed to make an ssh connection.

    Mike
    North Idaho Eye Institute

  8. #8 Eric (Join Date: Oct 2005; Location: Harrisburg, Pennsylvania; Posts: 155; Rep Power: 10)


    Quote Originally Posted by rmvg
    I have a bunch of these in my logs. It is very late and I am very tired, so I thought I would throw up this post quickly.
    Yeah, as some other folks suggested, blocking those with firewall rules might leave you with a ton of firewall rules, as well as creating more work for yourself.

    Might I recommend looking into pam_abl (abl == auto black list).

    Basically, after PAM sees a certain amount of failed login attempts from a certain host, it denies access to that host for a configurable amount of time.

    For example, you can say that if a given host has 10 failed login attempts within an hour, block access for a day or two.

    Some people bring up the fact that if you screw up, you could end up blocking yourself out of your box. Well, that may be true... though, in all my time on Linux, I'm not sure I've ever had 10 failed login attempts in an hour.

    That said, there's another way around this....

    You can set up port forwarding on an alternate port... perhaps 443 (assuming you have a second IP which Zimbra isn't using). You could port forward port 443 to port 22 on your server.... and in the pam_abl list, you can tell it to ignore certain hosts.

    In this case, you'd tell it to ignore itself... the IP your port 443 was coming from. That way, you always have another way into your box, and scripts don't generally scan for ssh running on alternate ports.

    Just a thought.

    Have a good one,
    -Eric

    pam_abl: http://www.hexten.net/pam_abl/
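    The policy Eric describes (10 failures within an hour, block for a day or two, ignore the host you come in from on the alternate port), modelled as a sliding window in Python. This is an added example of mine, not pam_abl's own code or configuration file syntax, and it keeps state in memory only. The attacker address and its timing come from the log in post #1; the other hosts (192.0.2.10 as the admin's own host behind the port-443 forward, 198.51.100.7 as a colleague mistyping, 203.0.113.5 as a slow probe) and the class and function names are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


class AutoBlacklist:
    """pam_abl-style policy (modelled here, not pam_abl's code): a host that
    fails max_failures times inside `window` is blocked for `block_for`;
    hosts or networks listed in `ignore` are never blocked."""

    def __init__(self, max_failures=10, window=timedelta(hours=1),
                 block_for=timedelta(days=1), ignore=()):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.ignore = [ip_network(n, strict=False) for n in ignore]
        self.failures = defaultdict(deque)  # host -> recent failure timestamps
        self.blocked_until = {}             # host -> expiry of current block

    def _ignored(self, host):
        addr = ip_address(host)
        return any(addr in net for net in self.ignore)

    def is_blocked(self, host, now):
        """True while a block is in force; an expired block is dropped."""
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[host]
            return False
        return True

    def record_failure(self, host, when):
        """Count one failed login at `when` (events must arrive in order).
        Returns True if the host is blocked after this failure."""
        if self._ignored(host):
            return False
        q = self.failures[host]
        q.append(when)
        while q and when - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[host] = when + self.block_for
            q.clear()
            return True
        return self.is_blocked(host, when)


def replay(events, policy):
    """Feed (when, host) failures in time order; return {host: first block time}."""
    first_block = {}
    for when, host in sorted(events):
        if policy.record_failure(host, when) and host not in first_block:
            first_block[host] = when
    return first_block


# Constructed events. The attacker's cadence mirrors post #1's log; the other
# hosts and all timestamps are made up for the demonstration.
T0 = datetime(2006, 3, 10, 21, 31, 40)


def t(**delta):
    """Shorthand for T0 + timedelta(**delta)."""
    return T0 + timedelta(**delta)


SAMPLE_EVENTS = (
    # the scripted probe from post #1: 13 failures roughly 5 s apart
    [(t(seconds=5 * i), "61.129.117.112") for i in range(13)]
    # the admin's own host arriving via the port-443 forward (on the ignore list)
    + [(t(seconds=10 * i), "192.0.2.10") for i in range(12)]
    # a colleague mistyping a password three times
    + [(t(minutes=i), "198.51.100.7") for i in range(3)]
    # nine quick failures, then a tenth two hours later: outside the window
    + [(t(seconds=i), "203.0.113.5") for i in range(9)]
    + [(t(hours=2), "203.0.113.5")]
)

if __name__ == "__main__":
    policy = AutoBlacklist(ignore=["192.0.2.10"])
    for host, when in replay(SAMPLE_EVENTS, policy).items():
        print(f"{host} blocked at {when:%H:%M:%S} until {policy.blocked_until[host]}")
```

    Replaying the constructed events blocks only 61.129.117.112, on its tenth failure 45 seconds in, and the block lapses a day later on its own; the admin host is exempt however often it fails, three typos never come close to the threshold, and the slow probe is not caught because the window has moved on by the time the tenth failure arrives. That last case is the trade-off Eric's numbers imply: a lower threshold or a longer window catches slow scanners but raises the odds of locking out a real user, which is exactly why the ignore list for your own management host matters.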
