More On Brute Force Attacks…
Hackers are at it again, trying to break the webserver login/password at Teksquisite. On a daily basis I see reports of failed login attempts from hackers utilizing automated scripts (dictionary attacks). Some of the favorite login names that they look for are:
root, admin, administrator, sales, and samba
An example of the most recent attack against my webserver was recorded at 9:21 am this morning:
X failed login attempts to account samba (system) — Large number of attempts from this IP: 221.10.62.28
This particular IP appears to belong to China Beijing Sichuan University Network Education Institute. How did I gather the IP information? If you are on Windows rather than a UNIX system, you can download Sam Spade. I tried an nslookup from Sam Spade for IP 221.10.62.28, but there was no reverse DNS, so that particular function was not very helpful.
A generic whois from Sam Spade listed the IP from the Network Information Centre Asia Pacific Network and that I could get the information that I was seeking from Apnic.
From the APNIC site I performed a Query to the APNIC Whois Database using the "1st level less specific" and "associated reverse domain" settings. According to the APNIC query return, the University owns 7 IP addresses: 221.10.62.24 – 221.10.62.31, and the abuse contact is: abuseATcnc-noc.net.
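The whois lookup described above boils down to three fields of the returned record: the address range (inetnum), the network name, and the abuse contact. The following is an added example, not code from the original post or from APNIC, that pulls those fields out of a whois record and checks whether the attacking IP falls inside the range. The whois text, the 192.0.2.0/24 addresses and abuse@example.net are constructed placeholders, not real allocations.

```python
"""Parse an APNIC-style whois record and relate an attacking IP to it.

Added example, not part of the original post. The record below is
constructed to mimic the fields the post describes (inetnum, netname,
abuse-mailbox); all addresses and contacts are documentation placeholders."""
import ipaddress
import re

# Constructed sample record (placeholder data, not a real APNIC object).
SAMPLE_WHOIS = """\
% [whois.apnic.net]
% Information related to '192.0.2.24 - 192.0.2.31'

inetnum:        192.0.2.24 - 192.0.2.31
netname:        EXAMPLE-EDU-NET
descr:          Example University Network Education Institute
country:        ZZ
admin-c:        XX1-AP
abuse-mailbox:  abuse@example.net
mnt-by:         MAINT-EXAMPLE
source:         APNIC
"""

# "attribute:   value" lines; '%' lines are server comments and are skipped.
FIELD_RE = re.compile(r"^([a-z-]+):\s*(.*?)\s*$")


def parse_whois(text):
    """Return {attribute: first value} for the object in the whois text."""
    record = {}
    for line in text.splitlines():
        if line.startswith("%") or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) not in record:
            record[m.group(1)] = m.group(2)
    return record


def inetnum_networks(inetnum):
    """Turn 'a.b.c.d - e.f.g.h' into the minimal list of CIDR blocks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def address_count(inetnum):
    """Number of addresses in the allocation (useful when deciding how wide to ban)."""
    return sum(net.num_addresses for net in inetnum_networks(inetnum))


def ip_in_inetnum(ip, inetnum):
    """True if the attacker's address lies inside the allocated range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in inetnum_networks(inetnum))


def abuse_report(ip, whois_text):
    """Summarise what an abuse report needs: who to mail and which block the IP is in."""
    rec = parse_whois(whois_text)
    inetnum = rec["inetnum"]
    return {
        "attacker": ip,
        "in_range": ip_in_inetnum(ip, inetnum),
        "netname": rec.get("netname"),
        "blocks": [str(n) for n in inetnum_networks(inetnum)],
        "address_count": address_count(inetnum),
        "abuse_contact": rec.get("abuse-mailbox"),
    }


if __name__ == "__main__":
    print(abuse_report("192.0.2.28", SAMPLE_WHOIS))
```

The `blocks` entry is the CIDR form of the inetnum, which is what a firewall or hosts.deny rule wants if you decide to block the whole allocation rather than the single address.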
I run an Apache webserver and I receive instant notification of any hacking attempt because I use Brute Force Protection and Host Access Control. If you want to know how to prevent brute force attacks, please read this informative article over at Bodhost.com on Preventing Brute Force Attacks, and from thewebhostinghero.com: How To Protect Your Webserver From Brute Force Attacks.
The JIST!
1- Always use strong and secure passwords
2- If you run a webserver, ALWAYS pay close attention to your logs.
3- Secure your webserver with the proper tools and settings to thwart Brute Force Attacks.
4- Restrict login attempts to 5 max on your webserver
5- Ban the individual IP or Ban all IPs for the offending domain
6- ALWAYS REPORT the attackers!
Until next time — Stay Safe!
apache, hacking, IP, webserver
2 Comments
This is just one entry on logwatch… one day!!!
sshd:
Authentication Failures:
unknown (200.27.79.101): 376 Time(s)
root (61.152.201.69): 177 Time(s)
unknown (89.223.41.158): 63 Time(s)
unknown (61.152.201.69): 3 Time(s)
apache (89.223.41.158): 1 Time(s)
ftp (89.223.41.158): 1 Time(s)
games (89.223.41.158): 1 Time(s)
mail (89.223.41.158): 1 Time(s)
mysql (89.223.41.158): 1 Time(s)
nobody (89.223.41.158): 1 Time(s)
operator (89.223.41.158): 1 Time(s)
root (89.223.41.158): 1 Time(s)
smmsp (89.223.41.158): 1 Time(s)
Invalid Users:
Unknown Account: 442 Time(s)
Just disable root… I do not know why there are so many. I have installed fail2ban and set it up for 3 attempts; if failed, banned for 1 full day!!!
No web server attacks since July 3. gera125.server4you.de was pounding my server (crashing it even) and so I did a *route add -net 62.75.214.0/24 gw 127.0.0.1 lo* and it has been basically quiet ever since…
Thanks for posting WB
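Both the post's advice (watch your logs, cap login attempts at 5, ban offenders) and the logwatch summary in the comment above come down to the same job: count failed logins per source address and act once a limit is passed. The block below is an added example, not code from the post, the commenter, or fail2ban. It reads either raw sshd lines as they appear in auth.log or the aggregated "user (ip): N Time(s)" lines logwatch prints, totals failures per IP, and produces hosts.deny entries for addresses over the threshold. All log lines, hostnames and addresses are constructed sample data.

```python
"""Count failed logins per source IP and decide which IPs cross a ban threshold.

Added example, not from the post or from fail2ban. Two input shapes are
handled: raw sshd syslog lines ('Failed password for ...') and the
aggregated 'user (ip): N Time(s)' lines that logwatch reports.
All sample data below is constructed."""
import re
from collections import Counter, defaultdict

# Constructed raw sshd lines; 198.51.100.7 and 203.0.113.9 are documentation
# addresses, not real attackers.
AUTH_LOG = """\
Jan 12 09:21:01 www sshd[4101]: Failed password for invalid user samba from 198.51.100.7 port 4111 ssh2
Jan 12 09:21:02 www sshd[4101]: Failed password for invalid user samba from 198.51.100.7 port 4112 ssh2
Jan 12 09:21:03 www sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 4113 ssh2
Jan 12 09:21:04 www sshd[4101]: Failed password for root from 198.51.100.7 port 4114 ssh2
Jan 12 09:21:05 www sshd[4101]: Failed password for root from 198.51.100.7 port 4115 ssh2
Jan 12 09:21:06 www sshd[4101]: Failed password for invalid user sales from 198.51.100.7 port 4116 ssh2
Jan 12 09:30:10 www sshd[4190]: Failed password for root from 203.0.113.9 port 5000 ssh2
Jan 12 09:31:00 www sshd[4192]: Accepted publickey for deploy from 203.0.113.9 port 5001 ssh2
"""

# Constructed logwatch-style summary, same shape as the one quoted in the comments.
LOGWATCH = """\
sshd:
Authentication Failures:
unknown (198.51.100.7): 376 Time(s)
root (203.0.113.9): 2 Time(s)
apache (203.0.113.9): 1 Time(s)
Invalid Users:
Unknown Account: 376 Time(s)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RAW_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>" + IPV4 + ")")
SUMMARY_RE = re.compile(r"^(?P<user>\S+) \((?P<ip>" + IPV4 + r")\): (?P<n>\d+) Time\(s\)$")


def failures_by_ip(text):
    """Return {ip: total failed attempts}; a raw line counts 1, a summary line its N."""
    totals = Counter()
    for line in text.splitlines():
        m = RAW_RE.search(line)
        if m:
            totals[m.group("ip")] += 1
            continue
        m = SUMMARY_RE.match(line.strip())
        if m:
            totals[m.group("ip")] += int(m.group("n"))
    return totals


def users_by_ip(text):
    """Account names each source tried; a long list from one IP is a dictionary run."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = RAW_RE.search(line) or SUMMARY_RE.match(line.strip())
        if m:
            seen[m.group("ip")].add(m.group("user"))
    return {ip: sorted(users) for ip, users in seen.items()}


def ips_to_ban(text, max_attempts=5):
    """IPs whose failure count exceeds the limit (the post says 5, the commenter uses 3)."""
    return sorted(ip for ip, n in failures_by_ip(text).items() if n > max_attempts)


def hosts_deny_lines(ips):
    """TCP-wrappers style entries for /etc/hosts.deny, one per banned IP."""
    return [f"ALL: {ip}" for ip in ips]


if __name__ == "__main__":
    for ip in ips_to_ban(AUTH_LOG):
        print(ip, users_by_ip(AUTH_LOG)[ip])
    print("\n".join(hosts_deny_lines(ips_to_ban(LOGWATCH, max_attempts=3))))
```

The threshold is strictly "more than N", so with the post's limit of 5 the sixth failure triggers the ban; the successful "Accepted publickey" line is deliberately ignored so that a legitimate user sharing an address with a single failed attempt is not caught.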