FreeBSD server is being attacked

Sir_Blizzardz

Well-Known Member
Hello,
for a short while now I keep finding entries like these in /var/log/messages; this is only a short excerpt:

Nov 22 14:43:01 piotserv proftpd[18023]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:04 piotserv proftpd[18024]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:08 piotserv proftpd[18025]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:11 piotserv proftpd[18026]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:14 piotserv proftpd[18027]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:18 piotserv proftpd[18028]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:21 piotserv proftpd[18029]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:24 piotserv proftpd[18030]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:28 piotserv proftpd[18031]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:31 piotserv proftpd[18032]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:35 piotserv proftpd[18033]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:38 piotserv proftpd[18034]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:41 piotserv proftpd[18035]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:45 piotserv proftpd[18036]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:48 piotserv proftpd[18037]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:51 piotserv proftpd[18038]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:55 piotserv proftpd[18039]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:43:58 piotserv proftpd[18040]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:02 piotserv proftpd[18054]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:05 piotserv proftpd[18055]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:08 piotserv proftpd[18056]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:12 piotserv proftpd[18057]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:15 piotserv proftpd[18058]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:19 piotserv proftpd[18059]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:22 piotserv proftpd[18060]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:25 piotserv proftpd[18061]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:29 piotserv proftpd[18062]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:32 piotserv proftpd[18063]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:36 piotserv proftpd[18064]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:39 piotserv proftpd[18065]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:42 piotserv proftpd[18066]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:46 piotserv proftpd[18067]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:49 piotserv proftpd[18068]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:52 piotserv proftpd[18069]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:56 piotserv proftpd[18070]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:44:59 piotserv proftpd[18071]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:03 piotserv proftpd[18075]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:06 piotserv proftpd[18076]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:09 piotserv proftpd[18077]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:13 piotserv proftpd[18078]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:16 piotserv proftpd[18079]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:19 piotserv proftpd[18080]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:23 piotserv proftpd[18081]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:26 piotserv proftpd[18083]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:30 piotserv proftpd[18084]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:33 piotserv proftpd[18086]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:36 piotserv proftpd[18087]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:40 piotserv proftpd[18088]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:43 piotserv proftpd[18089]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:46 piotserv proftpd[18090]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:50 piotserv proftpd[18091]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:53 piotserv proftpd[18092]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:45:57 piotserv proftpd[18093]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:00 piotserv proftpd[18094]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:03 piotserv proftpd[18095]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:07 piotserv proftpd[18096]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:10 piotserv proftpd[18097]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:13 piotserv proftpd[18098]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:17 piotserv proftpd[18099]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:20 piotserv proftpd[18100]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:24 piotserv proftpd[18101]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:27 piotserv proftpd[18102]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:30 piotserv proftpd[18103]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:34 piotserv proftpd[18104]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:37 piotserv proftpd[18105]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:41 piotserv proftpd[18106]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:44 piotserv proftpd[18107]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:47 piotserv proftpd[18108]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:51 piotserv proftpd[18109]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:54 piotserv proftpd[18110]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
Nov 22 14:46:58 piotserv proftpd[18111]: piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'
:

Is this also part of the "background noise"? I have already moved the SSH port so I don't have to keep seeing this kind of thing, but I don't want to move the FTP port.
What options do I have to stop this (other than moving the FTP port)? Can't I somehow use pf to prevent the IP from connecting to my server at all?

Regards
 
You could build in a rate limit, i.e. only allow n connections per m seconds. If the limit is exceeded, you put the IP into a table, and the entries in that table are then blocked. The table should be cleaned up now and then. For that, on FreeBSD 6.x you have to install expiretable from the ports and run it regularly via cron.

Here is an example:
Code:
ext_if = "tun0"
...
table <badhosts> persist
...
block quick on $ext_if from { <badhosts> } to ($ext_if)
...
pass in on $ext_if inet proto tcp \
        from any \
        to ($ext_if) \
        port { 22 443 } \
        flags S/SA modulate state \
        (max-src-conn-rate 10/30, overload <badhosts> flush global)
At most 10 connections per 30 seconds per IP address. You have to play with it a bit so that you don't lock out wanted guests. ;)

Apart from that, the OpenBSD PF FAQ also has tips on this.

HTH
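Added example (not code from this thread or from either poster): a small Python script that reads proftpd "no such user" lines like the ones in the first post and applies the same sliding-window rule that the pf snippet above expresses as max-src-conn-rate 10/30. It lets you try a threshold against your own /var/log/messages before touching pf.conf, and it only prints the pfctl commands it would use to fill the badhosts table rather than running them. The sample log lines are constructed here (the 192.0.2.10 host is a made-up legitimate user in the documentation address range); the function names are this example's own.

```python
"""Sliding-window failed-login counter for proftpd syslog lines.

Added example, not from the thread: mirrors pf's
"max-src-conn-rate 10/30, overload <badhosts>" in user space so a
threshold can be tested offline. It only *reports* pfctl commands.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the proftpd "no such user" lines shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
    r"\S+ \((?P<host>[^\[]*)\[(?P<ip>[\d.]+)\]\) - no such user '(?P<user>[^']*)'"
)


def parse_line(line):
    """Return (timestamp, ip, user) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; the default year 1900 is fine for differences
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_overloads(log_text, max_conn=10, window=30):
    """Per source IP, count failures within a sliding window of `window` seconds.

    Returns {ip: timestamp_of_first_violation} for every IP that had more than
    `max_conn` failures inside the window, i.e. the rule pf writes as
    max-src-conn-rate max_conn/window.
    """
    recent = defaultdict(deque)
    overloaded = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        # drop events that fell out of the window
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > max_conn and ip not in overloaded:
            overloaded[ip] = ts
    return overloaded


def pfctl_commands(overloaded, table="badhosts"):
    """Build the pfctl commands that would add each offending IP to the table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(overloaded)]


# Constructed sample: 12 failures from the IP seen in the thread, 3 s apart,
# plus two stray failures from a legitimate host (192.0.2.10, documentation range).
SAMPLE_LOG = "\n".join(
    f"Nov 22 14:43:{1 + 3 * i:02d} piotserv proftpd[{18023 + i}]: "
    f"piotserv.blizzardz (222.128.249.253[222.128.249.253]) - no such user 'Administrator'"
    for i in range(12)
) + "\n" + "\n".join(
    f"Nov 22 14:43:{5 + 20 * i:02d} piotserv proftpd[{18100 + i}]: "
    f"piotserv.blizzardz (192.0.2.10[192.0.2.10]) - no such user 'bob'"
    for i in range(2)
)

if __name__ == "__main__":
    hits = find_overloads(SAMPLE_LOG, max_conn=10, window=30)
    for ip, ts in hits.items():
        print(f"{ip} exceeded the limit at {ts.strftime('%b %d %H:%M:%S')}")
    for cmd in pfctl_commands(hits):
        print(cmd)
```

With the thread's own numbers (10 per 30 s) the 222.128.249.253 host trips the rule on its 11th attempt at 14:43:31, while the two scattered failures from the legitimate host never reach the threshold; raising the limit to 12/60 clears the attacker as well, which is the "play with it a bit" the reply warns about. Feed real lines in with something like `find_overloads(open("/var/log/messages").read())`.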
 
Hello rainer,

this may sound silly now, but you can also complain!

I did a whois lookup on the IP:

Code:
Suchbegriff: 222.128.249.253
Adresse: whois.apnic.net
Suchergebnis:

% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      222.128.0.0 - 222.131.255.255
netname:      CNCGROUP-BJ
descr:        CNCGROUP Beijing province network
descr:        China Network Communications Group Corporation
descr:        No.156,Fu-Xing-Men-Nei Street,
descr:        Beijing 100031
country:      CN
admin-c:      CH455-AP
tech-c:       SY21-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-BJ
mnt-routes:   MAINT-CNCGROUP-RR
changed:      hm-changed@apnic.net 20031119
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20060124
source:       APNIC

role:         CNCGroup Hostmaster
e-mail:       abuse@cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
admin-c:      CH444-AP
tech-c:       CH444-AP
changed:      abuse@cnc-noc.net 20041119
mnt-by:       MAINT-CNCGROUP
source:       APNIC

person:       sun ying
address:      fu xing men nei da jie 97, Xicheng District
address:      Beijing 100800
country:      CN
phone:        +86-10-66030657
fax-no:       +86-10-66078815
e-mail:       suny@publicf.bta.net.cn
nic-hdl:      SY21-AP
mnt-by:       MAINT-CNCGROUP-BJ
changed:      suny@publicf.bta.net.cn 19980824
changed:      hm-changed@apnic.net 20060717
source:       APNIC


so by the looks of it you had a visitor from China; one idea now might be to set up a honeypot.

http://de.wikipedia.org/wiki/Honeypot

Best regards, rudy
 
I have blocked China by default.
Well, not all of it, but whenever one shows up in the logs again, the net range gets blocked generously.

Stefan
 