Brian,
For failed SSH login attempts, you might look at fail2ban, configure that one with 2 auth
failures and repeat offenders and you'll be golden and rid of those thousands of
login attempts :)
73,
Ruben - ON3RVH
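A toy replay of the two-tier setup suggested above (an sshd jail with maxretry 2, plus a recidive-style jail for repeat offenders), as an added example that is not part of Ruben's message or of fail2ban itself; the auth.log lines are constructed and their timestamps are simplified to integer seconds.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not real traffic). The leading number is the
# timestamp in seconds, simplified from syslog's date format.
SAMPLE_LOG = """\
0 sshd[101]: Failed password for root from 203.0.113.5 port 4021 ssh2
5 sshd[102]: Failed password for root from 203.0.113.5 port 4022 ssh2
7 sshd[103]: Failed password for invalid user admin from 198.51.100.9 port 5100 ssh2
60 sshd[104]: Accepted publickey for alice from 192.0.2.10 port 5200 ssh2
700 sshd[105]: Failed password for root from 203.0.113.5 port 4023 ssh2
705 sshd[106]: Failed password for root from 203.0.113.5 port 4024 ssh2
1400 sshd[107]: Failed password for root from 203.0.113.5 port 4025 ssh2
1405 sshd[108]: Failed password for root from 203.0.113.5 port 4026 ssh2
"""
FAIL_RE = re.compile(r"^(\d+) sshd\[\d+\]: Failed password for .* from (\d+(?:\.\d+){3}) port")

def parse_failures(log_text):
    """Return (timestamp, source_ip) for each failed-login line; other lines are ignored."""
    return [(int(m.group(1)), m.group(2))
            for m in map(FAIL_RE.match, log_text.splitlines()) if m]

def simulate_jails(events, maxretry=2, findtime=600, bantime=600,
                   recidive_maxretry=3, recidive_findtime=86400, recidive_bantime=604800):
    """sshd jail: maxretry failures within findtime => ban for bantime. recidive jail:
    recidive_maxretry sshd bans within recidive_findtime => a much longer ban. Returns
    (timestamp, ip, jail, duration) entries; attempts during a ban never reach sshd."""
    failures = defaultdict(list)      # ip -> recent failure timestamps
    ban_history = defaultdict(list)   # ip -> timestamps of sshd-jail bans
    ban_until = {}                    # ip -> expiry of the current ban
    ban_log = []
    for t, ip in sorted(events):
        if ban_until.get(ip, -1) > t:
            continue
        failures[ip] = [x for x in failures[ip] if t - x <= findtime] + [t]
        if len(failures[ip]) < maxretry:
            continue
        failures[ip] = []
        ban_history[ip] = [x for x in ban_history[ip] if t - x <= recidive_findtime] + [t]
        if len(ban_history[ip]) >= recidive_maxretry:
            ban_until[ip] = t + recidive_bantime
            ban_log.append((t, ip, "recidive", recidive_bantime))
        else:
            ban_until[ip] = t + bantime
            ban_log.append((t, ip, "sshd", bantime))
    return ban_log

if __name__ == "__main__":
    for entry in simulate_jails(parse_failures(SAMPLE_LOG)):
        print(entry)
```

With the sample log, the single noisy source earns two short sshd bans and then a week-long recidive ban on its third strike, while the one-off attempt from the second address never trips the jail.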
-----Original Message-----
From: 44Net [mailto:44net-bounces+on3rvh=on3rvh.be@hamradio.ucsd.edu] On Behalf Of Brian
Kantor
Sent: dinsdag 23 mei 2017 12:51
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] probing and attacks on my router
Several of the servers at work regularly see ping requests in the hundred per second, and
amprgw sees them as well. I have ping responses throttled to 5 per second on most of my
hosts in order to be a good network neighbor. I log a lot of 'open port RST
response' probes as well.
I assume these are partly just curious scanners looking for live hosts in our network
ranges, but a lot of them are probably requests with forged/spoofed source addresses so as
to attack other systems.
The thousands of failed attempts per day to log in as 'root' are also annoying and
pollute my log files. Many of these servers are used legitimately by researchers all
around the world, so it's not practical to firewall them off from the outside world.
I do have root logins disabled, so even if the probers guess the right password, they
can't log in as root. And I use 'denyhosts' and 'fail2ban' to block
the probers, but there's always another one waiting to start.
During one hour yesterday that I looked at, according to the netflow data for amprgw, as
much as half of the inbound packets were DNS queries to either of two hosts on the
44.44.7.224 subnet. There are up to hundreds of these requests per second from many
varied source addresses. Those two hosts used to respond to the queries; they don't
any more.
It's a hostile world out there.
- Brian
On Tue, May 23, 2017 at 06:40:54AM +0000, Ruben ON3RVH wrote:
Hey Ronen,
Unfortunately that is "normal" behaviour these days on the internet. Bots
scanning networks for ssh/telnet/sip to abuse and continue spreading.
It stops after a while from that particular IP when that IP gets blocked, but will then
continue from other IPs. That is how botnets work around firewalls: if one IP gets
blocked, they just retry from other hosts under their control.
It is best practice to firewall anything inbound that you don't need publicly
available from the internet.
Ruben - ON3RVH
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net