> I just discovered by chance that someone is
> constantly trying to break into my OpenBSD box from:
>
> 201.244.17.162 [corporativos24417-162.etb.net.co]
> 203.113.85.26
> 211.20.79.85
> 71.159.221.78
> 82.207.116.209
>
> whois details on each IP go to South America, Bangkok,
> Taiwan... all over the world! I have sent email to the
> email address in the whois output, but the attacker may
> be spoofing the IP.
>
> By the pattern of attempts I can tell it is the same
> user. I am asking the community's help on how to
> block and, more properly, punish this unethical user.
> This user is running the attack constantly. I will
> have to shut down the box for now and come back at a
> later time when someone has posted some solution on
> the list.
>
> My box is behind a NAT router which is allowing ssh. I
> am not sure how this guy can get to my box, which has a
> private IP address, from the internet through the firewall.
>
> I looked for blocking access by source IP in
> my DSL router, but it is not that versatile.
>
> I have now also set up hosts.allow and DenyUsers/Groups
> in the ssh config. Is that enough?
>
> Here are some excerpts from my logs:
>
> Nov 9 03:24:51 <myserver> sshd[15822]: Did not receive identification string from 218.76.217.234
>
> Nov 10 16:55:19 <myserver> sshd[29183]: Did not receive identification string from 82.207.116.209
> Nov 10 16:58:58 <myserver> sshd[21261]: Failed password for root from 82.207.116.209 port 35194 ssh2
> Nov 10 16:58:59 <myserver> sshd[5372]: Received disconnect from 82.207.116.209: 11: Bye Bye
>
> Nov 17 07:41:15 <myserver> sshd[3254]: Failed password for root from 219.145.142.30 port 55232 ssh2
> Nov 17 07:41:15 <myserver> sshd[27682]: Received disconnect from 219.145.142.30: 11: Bye Bye
>
> Nov 21 07:51:16 <myserver> sshd[12865]: Did not receive identification string from 201.244.17.162
> Nov 21 07:53:38 <myserver> sshd[18020]: reverse mapping checking getaddrinfo for corporativos24417-162.etb.net.co [201.244.17.162] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 21 07:53:38 <myserver> sshd[18020]: Failed password for root from 201.244.17.162 port 56137 ssh2
> Nov 21 07:53:38 <myserver> sshd[19158]: Received disconnect from 201.244.17.162: 11: Bye Bye
>
> and,
>
> Nov 21 08:20:56 <myserver> sshd[13104]: Did not receive identification string from 222.231.60.88
> Nov 21 15:58:25 <myserver> sshd[16851]: Did not receive identification string from 82.207.116.209
> Nov 21 16:00:46 <myserver> sshd[23577]: Failed password for root from 82.207.116.209 port 55925 ssh2
> Nov 21 16:00:46 <myserver> sshd[6084]: Received disconnect from 82.207.116.209: 11: Bye Bye
>
> and,
> Nov 22 00:46:33 <myserver> sshd[18504]: Did not receive identification string from 61.159.228.193
> Nov 22 08:41:41 <myserver> sshd[2410]: Did not receive identification string from 71.159.221.78
> Nov 22 08:42:25 <myserver> sshd[9687]: Failed password for root from 71.159.221.78 port 63731 ssh2
> Nov 22 08:42:25 <myserver> sshd[8814]: Received disconnect from 71.159.221.78: 11: Bye Bye
>
> and,
> Nov 23 23:14:08 <myserver> sshd[26235]: Failed password for root from 211.20.79.85 port 54407 ssh2
> Nov 23 23:14:08 <myserver> sshd[16180]: Received disconnect from 211.20.79.85: 11: Bye Bye
>
>
>
> This is interesting...
> $ whois 71.159.221.78
> AT&T Internet Services SBCIS-SIS80 (NET-71-128-0-0-1) 71.128.0.0 - 71.159.255.255
> ECLIPSE MARKETING-060311011540 SBC07115922107229060311011557 (NET-71-159-221-72-1) 71.159.221.72 - 71.159.221.79
>
> # ARIN WHOIS database, last updated 2007-11-24 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
> $
>
>
>
> $ whois 201.244.17.162
>
> OrgName: Latin American and Caribbean IP address Regional Registry
> OrgID: LACNIC
> Address: Rambla Republica de Mexico 6125
> City: Montevideo
> StateProv:
> PostalCode: 11400
> Country: UY
>
> ReferralServer: whois://whois.lacnic.net
>
> NetRange: 201.0.0.0 - 201.255.255.255
> CIDR: 201.0.0.0/8
> NetName: LACNIC-201
> NetHandle: NET-201-0-0-0-1
> Parent:
> NetType: Allocated to LACNIC
> NameServer: NS.LACNIC.NET
> NameServer: NS2.DNS.BR
> NameServer: TINNIE.ARIN.NET
> NameServer: NS-SEC.RIPE.NET
> NameServer: SEC3.APNIC.NET
> NameServer: NS3.AFRINIC.NET
> Comment: This IP address range is under LACNIC responsibility
> Comment: for further allocations to users in LACNIC region.
> Comment: Please see http://www.lacnic.net/ for further details,
> Comment: or check the WHOIS server located at whois.lacnic.net
> RegDate: 2003-04-03
> Updated: 2006-10-23
>
> OrgTechHandle: LACNIC-ARIN
> OrgTechName: LACNIC Whois Info
> OrgTechPhone:
> OrgTechEmail: whois-contact@lacnic.net
>
> # ARIN WHOIS database, last updated 2007-11-24 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> % Joint Whois - whois.lacnic.net
> % This server accepts single ASN, IPv4 or IPv6 queries
>
>
> % Copyright LACNIC lacnic.net
> % The data below is provided for information purposes
> % and to assist persons in obtaining information about or
> % related to AS and IP numbers registrations
> % By submitting a whois query, you agree to use this data
> % only for lawful purposes.
> % 2007-11-25 03:07:31 (BRST -02:00)
>
> inetnum: 201.244.17.160/29
> status: reallocated
> owner: UNIVERSIDAD ANTONIO NARIÑO MEDELLIN
> ownerid: CO-UANM-LACNIC
> responsible: CARLOS ALBERTO LOPEZ VERA
> address: Avda. La Playa Calle 52 No, 40, 88
> address: 9999 - Medellin - An
> country: CO
> phone: +57 4 2161003 []
> owner-c: CAV11
> tech-c: CAV11
> created: 20070212
> changed: 20070212
> inetnum-up: 201.244/16
>
> nic-hdl: CAV11
> person: CARLOS ALBERTO LOPEZ VERA
> e-mail: lacnic_etb@HOTMAIL.COM
> address: Avda. La Playa Calle 52 No, 40, 88
> address: 9999 - Medellin - An
> country: CO
> phone: +57 4 2161003 []
> created: 20070212
> changed: 20070212
>
> % whois.lacnic.net accepts only direct match queries.
> % Types of queries are: POCs, ownerid, CIDR blocks, IP
> % and AS numbers.
>
>
>
> Sorry for the discomfort.
>
> -BG
>
>
>
> ________________________________
> ~~Kalyan-mastu~~