The IP address 44.140.63.5 just tried multiple ssh attempts using invalid logins against six of our 44-net machines. The attempts were caught and blocked. But beware.
Is there an abuse policy and, if so, what is it?
Michael N6MEF
On Wed, Feb 10, 2016 at 05:12:12PM -0800, Michael Fox (N6MEF) wrote:
The IP address 44.140.63.5 just tried multiple ssh attempts using invalid logins against six of our 44-net machines. The attempts were caught and blocked. But beware.
Is there an abuse policy and, if so, what is it?
Michael N6MEF
I'd say that's a violation of our acceptable use policy, which you should already have a copy of but may be viewed on our web site at any time.
My guess is that's a compromised host.
I have forwarded your mail to the subnet manager, Bjorn Pehrson bpehrson@kth.se
- Brian
Thanks Brian.
I don't know to which "web site" you are referring. There is www, wiki, portal, ...more?
I found this: http://www.ampr.org/tos.txt
The general thrust of the document seems to be the agreement between the ARDC and the grantee of 44/8 addresses regarding the use of the 44/8 addresses. But I don't see any language in there about unauthorized access or use of amprnet hosts, or any consequences of such unauthorized actions.
Michael N6MEF
On Wed, Feb 10, 2016 at 06:18:06PM -0800, Michael Fox (N6MEF) wrote:
I found this: http://www.ampr.org/tos.txt
The general thrust of the document seems to be the agreement between the ARDC and the grantee of 44/8 addresses regarding the use of the 44/8 addresses. But I don't see any language in there about unauthorized access or use of amprnet hosts, or any consequences of such unauthorized actions.
There's a general prohibition against using the network "in a manner which would be to the detriment of the AMPRNet or to Amateur Radio."
I would interpret that to include unauthorized access, or other illegal actions.
We kept the document concise in the hope that people would actually pay attention to it.
- Brian
On Wed, 10 Feb 2016, Michael Fox (N6MEF) wrote:
The IP address 44.140.63.5 just tried multiple ssh attempts using invalid logins against six of our 44-net machines. The attempts were caught and blocked. But beware.
I'd take a guess that:
5.63.140.44.IN-ADDR.ARPA domain name pointer idp.sa0bxi.se.
idp = intrusion detection prevention? Also, looking up sa0bxi on QRZ yields an email.
So it's probably scanning IPs to ensure security, and testing known poor-quality passwords, but I'm just guessing.
Also, fail2ban would be highly recommended, set to block after 3 failed attempts, if you are leaving a system open to ssh access.
Tim Osburn http://www.m2os.com W7RSZ / JG1MBR
On 2/10/16 9:02 PM, Tim Osburn wrote:
Also, looking up sa0bxi on QRZ yields an email.
Have you tried reaching out to SA0BXI directly? You'd be surprised how a friendly email is all it takes most of the time. I bet his box is pwnd
Side note: this is exactly what rwhois/SWIP would be great for. The Technical Advisory Committee has voted in favor of steps to enable 44/8 for this about two years ago.
So it's probably scanning IPs to ensure security, and testing known poor-quality passwords, but I'm just guessing.
Maybe they want to see who's running crypto on 44net address space?
Also, fail2ban would be highly recommended, set to block after 3 failed attempts, if you are leaving a system open to ssh access.
+1
If you're on the internet, port scans and hack attempts happen every day. I really don't consider a port scan a malicious attack; it's akin to someone ringing your door bell and running away.
On 2/10/16 9:02 PM, Tim Osburn wrote:
By the way, too many people set up fail2ban so that it sends mail to the abuse address of the host network; this generally just fills up the abuse mail queues on the hosting ISP which results in important abuse reports getting lost in the noise.
As a friendly network participant, I believe that turning off the auto-mailer in fail2ban would be good practice. - Brian
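The two fail2ban recommendations in this thread, Tim's (block after 3 failed attempts) and Brian's (don't let the jail mail every ban to an abuse desk), as an added illustration that is not code from any of the posters or from the fail2ban project: a small Python script that reproduces fail2ban's maxretry/findtime counting over a constructed sshd log excerpt and produces a local-only ban report. The log lines, hostnames and addresses are constructed placeholders from the RFC 5737 documentation ranges, not the hosts discussed above; the function and variable names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt in traditional syslog format (no year field).
# Addresses are RFC 5737 documentation placeholders, not the hosts in the thread.
SAMPLE_AUTH_LOG = """\
Feb 10 17:05:01 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Feb 10 17:05:03 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Feb 10 17:05:06 gw sshd[2104]: Failed password for invalid user oracle from 198.51.100.7 port 40130 ssh2
Feb 10 17:05:09 gw sshd[2106]: Accepted publickey for n6mef from 192.0.2.10 port 51000 ssh2
Feb 10 17:20:00 gw sshd[2150]: Failed password for root from 203.0.113.9 port 33001 ssh2
Feb 10 17:40:00 gw sshd[2160]: Failed password for root from 203.0.113.9 port 33002 ssh2
Feb 10 18:00:00 gw sshd[2170]: Failed password for root from 203.0.113.9 port 33003 ssh2
"""

# sshd failure line; "invalid user" is optional, as in the attempts reported in the thread.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, ip, user) for every failed-password line.
    Syslog lines carry no year, so the caller supplies it (2016: the year of the thread)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bans(log_text, maxretry=3, findtime_seconds=600, ignoreip=()):
    """Return {ip: timestamp of the failure that triggered the ban}, using fail2ban's rule:
    ban once an address accumulates `maxretry` failures inside any `findtime` window.
    Addresses listed in `ignoreip` (your own hosts) are never banned, as with fail2ban's ignoreip."""
    findtime = timedelta(seconds=findtime_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for ts, ip, _user in sorted(parse_failures(log_text), key=lambda r: r[0]):
        if ip in ignoreip or ip in bans:
            continue  # exempt, or already banned: nothing more to count
        window = recent[ip]
        while window and ts - window[0] > findtime:
            window.popleft()  # drop failures that have aged out of the window
        window.append(ts)
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def ban_report(bans):
    """Local-only summary, one line per ban: the firewall action is logged here,
    and deliberately nothing is mailed to anyone's abuse address."""
    return [f"BAN {ip} at {ts:%Y-%m-%d %H:%M:%S} (local firewall action)"
            for ip, ts in sorted(bans.items())]


if __name__ == "__main__":
    for line in ban_report(find_bans(SAMPLE_AUTH_LOG)):
        print(line)
```

With the defaults (3 failures within 600 seconds) only 198.51.100.7 is banned; 203.0.113.9 spreads its three failures over 40 minutes and is caught only if findtime is raised to an hour, which is the trade-off behind choosing a window. The equivalent fail2ban jail.local settings are maxretry = 3 and findtime = 600 in the sshd jail, with action = %(action_)s (ban only) rather than %(action_mw)s or %(action_mwl)s, the variants from fail2ban's stock jail.conf that send a whois report to the abuse contact on every ban; put your own 44-net ranges in ignoreip.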
Dear all,
The compromised system will be taken off-line and reinstalled in a few minutes.
Bjorn/sa0bxi