Access attempts

**Krendoshazin** · 02-07-2005

Hi, i'm using slackware 10 and i was wondering if there is a way to disable remote access, i use it as a personal OS and there's really no need for it in my case. the reason i wish to disable it is because of the series of access attempts that have been made on this machine, luckily all have failed so far, here is a small sample.

Code:

Jan 31 11&#58;40&#58;43 excaliber sshd&#91;2375&#93;&#58; Failed password for illegal user web from 200.27.232.100 port 53241 ssh2
Jan 31 11&#58;40&#58;45 excaliber sshd&#91;2377&#93;&#58; Illegal user oracle from 200.27.232.100
Jan 31 11&#58;40&#58;45 excaliber sshd&#91;2377&#93;&#58; Failed password for illegal user oracle from 200.27.232.100 port 53347 ssh2
Jan 31 11&#58;40&#58;47 excaliber sshd&#91;2379&#93;&#58; Illegal user sybase from 200.27.232.100
Jan 31 11&#58;40&#58;47 excaliber sshd&#91;2379&#93;&#58; Failed password for illegal user sybase from 200.27.232.100 port 53608 ssh2
Jan 31 11&#58;40&#58;49 excaliber sshd&#91;2381&#93;&#58; Illegal user master from 200.27.232.100
Jan 31 11&#58;40&#58;49 excaliber sshd&#91;2381&#93;&#58; Failed password for illegal user master from 200.27.232.100 port 53745 ssh2
Jan 31 11&#58;40&#58;51 excaliber sshd&#91;2383&#93;&#58; Illegal user account from 200.27.232.100
Jan 31 11&#58;40&#58;51 excaliber sshd&#91;2383&#93;&#58; Failed password for illegal user account from 200.27.232.100 port 53910 ssh2
Jan 31 11&#58;40&#58;53 excaliber sshd&#91;2385&#93;&#58; Illegal user backup from 200.27.232.100
Jan 31 11&#58;40&#58;53 excaliber sshd&#91;2385&#93;&#58; Failed password for illegal user backup from 200.27.232.100 port 54186 ssh2
Jan 31 11&#58;40&#58;54 excaliber sshd&#91;2387&#93;&#58; Illegal user server from 200.27.232.100
Jan 31 11&#58;40&#58;54 excaliber sshd&#91;2387&#93;&#58; Failed password for illegal user server from 200.27.232.100 port 54301 ssh2
Jan 31 11&#58;40&#58;56 excaliber sshd&#91;2389&#93;&#58; Illegal user adam from 200.27.232.100
Jan 31 11&#58;40&#58;56 excaliber sshd&#91;2389&#93;&#58; Failed password for illegal user adam from 200.27.232.100 port 54568 ssh2
Jan 31 11&#58;40&#58;58 excaliber sshd&#91;2391&#93;&#58; Illegal user alan from 200.27.232.100
Jan 31 11&#58;40&#58;58 excaliber sshd&#91;2391&#93;&#58; Failed password for illegal user alan from 200.27.232.100 port 54707 ssh2
Jan 31 11&#58;41&#58;00 excaliber sshd&#91;2393&#93;&#58; Illegal user frank from 200.27.232.100
Jan 31 11&#58;41&#58;02 excaliber sshd&#91;2395&#93;&#58; Illegal user george from 200.27.232.100
Jan 31 11&#58;41&#58;02 excaliber sshd&#91;2395&#93;&#58; Failed password for illegal user george from 200.27.232.100 port 55131 ssh2
Jan 31 11&#58;41&#58;04 excaliber sshd&#91;2397&#93;&#58; Illegal user henry from 200.27.232.100
Jan 31 11&#58;41&#58;04 excaliber sshd&#91;2397&#93;&#58; Failed password for illegal user henry from 200.27.232.100 port 55192 ssh2
Jan 31 11&#58;41&#58;11 excaliber sshd&#91;2401&#93;&#58; Illegal user john from 200.27.232.100
Jan 31 11&#58;41&#58;11 excaliber sshd&#91;2401&#93;&#58; Failed password for illegal user john from 200.27.232.100 port 55812 ssh2
Jan 31 11&#58;41&#58;13 excaliber sshd&#91;2405&#93;&#58; Failed password for root from 200.27.232.100 port 56088 ssh2
Jan 31 11&#58;41&#58;15 excaliber sshd&#91;2407&#93;&#58; Failed password for root from 200.27.232.100 port 56194 ssh2
Jan 31 11&#58;41&#58;17 excaliber sshd&#91;2409&#93;&#58; Failed password for root from 200.27.232.100 port 56487 ssh2
Jan 31 11&#58;41&#58;18 excaliber sshd&#91;2411&#93;&#58; Failed password for root from 200.27.232.100 port 56614 ssh2
Jan 31 11&#58;41&#58;20 excaliber sshd&#91;2413&#93;&#58; Failed password for root from 200.27.232.100 port 56783 ssh2
Jan 31 11&#58;41&#58;22 excaliber sshd&#91;2415&#93;&#58; Illegal user test from 200.27.232.100
Jan 31 11&#58;41&#58;22 excaliber sshd&#91;2415&#93;&#58; Failed password for illegal user test from 200.27.232.100 port 57042 ssh2

any help on this matter would be greatly appreciated.

**gwalters** · 02-07-2005

A firewall would be a good idea. Failing that, kill sshd and stop it from starting when your computer boots up.

**adrenaline** · 02-07-2005

try this in a shell

Code:

su -
<password>
cd /etc/rc.d
chmod -x rc.sshd

That should do the trick

**loft306** · 02-07-2005

hey atleast your are lucky that that is just a script kiddie running a script...i used to get that one run against me

also if you have an ftp server running i would turn it off when you dont need it

also for future use disable root login in the sshd and ftp server config's and that will cut the attempts by 90% ...whats the fun of cracking a user

(you can su - root after logging in as a user)

also limit the login time to 1 minute
then from there you could use a key to login instead of a passwd and that is the most secure!

**adrenaline** · 02-07-2005

Originally Posted by loft306

also limit the login time to 1 minute
then from there you could use a key to login instead of a passwd and that is the most secure!

Can you give a little more info here? That sounds interesting and I have never heard of that?

**Krendoshazin** · 02-08-2005

Originally Posted by adrenaline

try this in a shell

Code:

su -
<password>
cd /etc/rc.d
chmod -x rc.sshd

That should do the trick

thanks, that seems to have sorted it out, the logs haven't reported anything out of the ordinary since then.

**adrenaline** · 02-08-2005

Originally Posted by Krendoshazin

thanks, that seems to have sorted it out, the logs haven't reported anything out of the ordinary since then.

I glad that helped let me know if you need anything else.
Mike

**loft306** · 02-09-2005

Originally Posted by adrenaline

Originally Posted by loft306

also limit the login time to 1 minute
then from there you could use a key to login instead of a passwd and that is the most secure!

Can you give a little more info here? That sounds interesting and I have never heard of that?

yeah in the /etc/ssh/sshd_config (in Gentoo, your config might be elseware)

Code:

LoginGraceTime .5m

that is 1/2 a minute

**Krendoshazin** · 02-15-2005

Originally Posted by adrenaline

I glad that helped let me know if you need anything else.
Mike

How would i stop sendmail from accepting connections, i can see it open on ports 25 and 587

PORT STATE SERVICE OWNER VERSION
25/tcp open smtp 0 Sendmail 8.12.11/8.12.11
37/tcp open time
113/tcp open ident 99 OpenBSD identd
587/tcp open smtp 0 Sendmail 8.12.11/8.12.11
6000/tcp open X11 0 (access denied)

what could i also do about the others while i'm at it, most importantly X11

**adrenaline** · 02-15-2005

Originally Posted by Krendoshazin

Originally Posted by adrenaline

I glad that helped let me know if you need anything else.
Mike

How would i stop sendmail from accepting connections, i can see it open on ports 25 and 587

PORT STATE SERVICE OWNER VERSION
25/tcp open smtp 0 Sendmail 8.12.11/8.12.11
37/tcp open time
113/tcp open ident 99 OpenBSD identd
587/tcp open smtp 0 Sendmail 8.12.11/8.12.11
6000/tcp open X11 0 (access denied)

what could i also do about the others while i'm at it, most importantly X11

All you need to do to open ports and close ports is to start and stop services. This is a little different from distro to distro but I will tell you in redhat.
Ok if you don't want sendmail to run.
open a term

Code:

su - 
<password>
cd /etc/rc3.d 
ls
#look for sendmail in this folder. it will look something like this
S80sendmail
mv S80sendmail K80sendmail
#if you boot graphically you will have to do the same exact thing in /etc/rc5.d
#what you are doing is if it is K that means kill or don't start on boot and if S that means start on boot &#40;get it&#41;
If you want to start a service say vsftpd you do the opposite
mv K35vsftpd to S35vsftpd
then reboot and you have a ftp server and if you do a netstart -pant you will see the port is open. 

This will close port 6000
Editing /etc/X11/xdm/Xservers and adding the -nolisten tcp after X, and
Creating a alias in .bashrc alais startx='startx -- -nolisten tcp

Mike

Thread Tools

Display

Access attempts

Posting Permissions