On 26 Nov 2013, at 23:08, Hans Vlems <hvlems at zonnet.nl> wrote:
No, I get telnet attempts from it, es and nl domains lately. I put a text in sys$announce that tells the, error, user that the system is privately owned, alle access attempts are logged and monitored and that unauthorized access is not allowed. The attempts are now down to a couple every 24 hours and no longer every 5 minutes.
Just got an SSH bruteforce attempt from Korea, decided to have a look at the chap's machine:
nmap -p1-65535 -T5 -sV -oAhax0r -P0 14.63.222.153
The "attack" stopped pretty quickly after that lol.
Sampsa
Anybody have an idea of how many amps (at 220V) a DS10 with 3 HDDs will consume?
What about an rx2600?
sampsa <sampsa at mac.com>
mobile +44 7961 149465
No, I get telnet attempts from it, es and nl domains lately. I put a text in sys$announce that tells the, error, user that the system is privately owned, alle access attempts are logged and monitored and that unauthorized access is not allowed. The attempts are now down to a couple every 24 hours and no longer every 5 minutes.
Hans
Van: Sampsa Laine
Verzonden: dinsdag 26 november 2013 23:32
Aan: hecnet at Update.UU.SE
Beantwoorden: hecnet at Update.UU.SE
Onderwerp: [HECnet] Telnet/SSH attacks
Am I the only one who's almost constantly being hit by login scans (usually from China or weird places like Kazakhstan - sorry Oleg) on their Internet facing Telnet/SSH ports?
It's not like they get in or anything, my guess is that this is just part of a larger scan so if you guys are getting hit as well, I won't worry that I'm being targeted :)
sampsa <sampsa at mac.com>
mobile +44 7961 149465
Stupid! Disable TELNET for anything but your local net. You do NOT want
plain text sent over the internet!
Also, SSH2 kills the CPU on a lot of VAX boxes. I'm toying with the idea of a SSH-only jumpbox..
On 26 Nov 2013, at 22:56, "Brian Schenkenberger, VAXman-" <system at TMESIS.COM> wrote:
Dennis Boone <drb at msu.edu> writes:
Am I the only one who's almost constantly being hit by login scans
(usually from China or weird places like Kazakhstan - sorry Oleg) on
their Internet facing Telnet/SSH ports?
It's not like they get in or anything, my guess is that this is just
part of a larger scan so if you guys are getting hit as well, I won't
worry that I'm being targeted :)
Pretty much if it's connected to the internet, it's getting
dictionary-scanned on any open telnet and ssh ports. The scanners have
gotten a little smarter in the last 8 years or so -- they no longer
generate so many parallel connections that you notice them because of
load or socket starvation.
I put in firewall rules to block addresses which generate too many ssh
connections in a period of time, mostly to prevent the log spam.
Stupid! Disable TELNET for anything but your local net. You do NOT want
plain text sent over the internet!
As for SSH, moving it off of port 22 seems to quiet things down. Use one
of the port numbers in the ephemeral range like 22222. Of course, you'll
need to tell your ssh client that you're using a different port using the
-p option.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
Well I speak to machines with the voice of humanity.
I agree with both points for production "real" boxes, SSH in pubkey mode on random port, no telnet.
But for public access hobby systems that significantly increases the barrier to entry for new users. I run SSH but in pubkey mode only, Telnet is used by the vast majority of my users, these are hobby system, I haven't had any complaints.
Dennis Boone <drb at msu.edu> writes:
Am I the only one who's almost constantly being hit by login scans
(usually from China or weird places like Kazakhstan - sorry Oleg) on
their Internet facing Telnet/SSH ports?
It's not like they get in or anything, my guess is that this is just
part of a larger scan so if you guys are getting hit as well, I won't
worry that I'm being targeted :)
Pretty much if it's connected to the internet, it's getting
dictionary-scanned on any open telnet and ssh ports. The scanners have
gotten a little smarter in the last 8 years or so -- they no longer
generate so many parallel connections that you notice them because of
load or socket starvation.
I put in firewall rules to block addresses which generate too many ssh
connections in a period of time, mostly to prevent the log spam.
Stupid! Disable TELNET for anything but your local net. You do NOT want
plain text sent over the internet!
As for SSH, moving it off of port 22 seems to quiet things down. Use one
of the port numbers in the ephemeral range like 22222. Of course, you'll
need to tell your ssh client that you're using a different port using the
-p option.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
Well I speak to machines with the voice of humanity.
On 26 Nov 2013, at 22:45, Mark Benson <md.benson at gmail.com> wrote:
We get them by the shedload on our work hosting server. We run CPHulk on there to keep them out. I'd suggest implementing some kind of 'block IP for 24 hrs after x failed logins' scheme if you can. That usually forces them to move on.
Nah, they make good target practice and a real data source for my SIEM :)
Hello!
Oddly enough when my system is showing that port, then yes. But not as
many. I run a program on it that works along the lines of, you get
three tries, and then shown the doors.
-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."
On Tue, Nov 26, 2013 at 5:32 PM, Sampsa Laine <sampsa at mac.com> wrote:
Am I the only one who's almost constantly being hit by login scans (usually from China or weird places like Kazakhstan - sorry Oleg) on their Internet facing Telnet/SSH ports?
It's not like they get in or anything, my guess is that this is just part of a larger scan so if you guys are getting hit as well, I won't worry that I'm being targeted :)
sampsa <sampsa at mac.com>
mobile +44 7961 149465
Am I the only one who's almost constantly being hit by login scans
(usually from China or weird places like Kazakhstan - sorry Oleg) on
their Internet facing Telnet/SSH ports?
It's not like they get in or anything, my guess is that this is just
part of a larger scan so if you guys are getting hit as well, I won't
worry that I'm being targeted :)
Pretty much if it's connected to the internet, it's getting
dictionary-scanned on any open telnet and ssh ports. The scanners have
gotten a little smarter in the last 8 years or so -- they no longer
generate so many parallel connections that you notice them because of
load or socket starvation.
I put in firewall rules to block addresses which generate too many ssh
connections in a period of time, mostly to prevent the log spam.
De
We get them by the shedload on our work hosting server. We run CPHulk on there to keep them out. I'd suggest implementing some kind of 'block IP for 24 hrs after x failed logins' scheme if you can. That usually forces them to move on.
On 26 Nov 2013 22:32, "Sampsa Laine" <sampsa at mac.com> wrote:
Am I the only one who's almost constantly being hit by login scans (usually from China or weird places like Kazakhstan - sorry Oleg) on their Internet facing Telnet/SSH ports?
It's not like they get in or anything, my guess is that this is just part of a larger scan so if you guys are getting hit as well, I won't worry that I'm being targeted :)
sampsa <sampsa at mac.com>
mobile +44 7961 149465
