[GLLUG] Maybe OT - Fail2ban and what triggers it

Andy Smith andy at bitfolk.com
Mon Mar 18 07:52:20 UTC 2013


Hi Ken,

On Mon, Mar 18, 2013 at 07:39:06AM +0000, Ken Smith wrote:
> Recently, after noticing a period of fairly concerted attempts at
> logins, I have slightly modified one of its scripts so that it runs a
> stealth nmap scan of the login fail's source.

I wouldn't really advise doing this as many people don't appreciate
being scanned with tools like nmap and it is probably a breach of
the acceptable use policy of whatever network you are on to be doing
that against masses of hosts that you don't have permission to do it
to.

> The majority of the failures' IP addresses resolve to originate
> behind the Great Firewall and most of the sources look like Linux
> machines, often Ubuntu.

Is it possible that you've seen only a statistical anomaly? The SSH
dictionary attacks I see tend to be from all over the place, as
likely to be from the ARIN region as the APNIC region.

> To my surprise, very few of the results look like Microsoft
> machines; I haven't ever seen RDP.

Hosts that I see fall prey to SSH dictionary attacks are very often
immediately put to use by the attacker in carrying out further SSH
dictionary attacks, so it is not surprising to me that most of these
attacks come from hosts that themselves run an sshd.

Also bear in mind that just because you have an IP address does not
mean that connecting back to that IP address allows you to reach the
actual source of the attack. Hosts behind a NAT device, for example,
are not going to have a NAT mapping for most of the protocols you'll
be trying, so you'll be fingerprinting and connecting to the NAT
device, not the actual source of the SSH probes you saw.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
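As an added example, not code from Andy's or Ken's mail or from fail2ban itself: the counting fail2ban's sshd jail does on "Failed password" lines before it acts, written out as a sliding findtime window per source IP over constructed auth.log lines (the year, the maxretry/findtime values and the addresses are assumptions). The per-source tally answers the "where is it coming from" question from the log alone, with no connection back to the source.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format OpenSSH writes to /var/log/auth.log (TEST-NET addresses).
SAMPLE_LOG = [
    "Mar 18 06:00:00 host sshd[2101]: Failed password for root from 192.0.2.9 port 50001 ssh2",
    "Mar 18 06:03:00 host sshd[2102]: Failed password for root from 192.0.2.9 port 50002 ssh2",
    "Mar 18 06:06:00 host sshd[2103]: Failed password for root from 192.0.2.9 port 50003 ssh2",
    "Mar 18 06:09:00 host sshd[2104]: Failed password for root from 192.0.2.9 port 50004 ssh2",
    "Mar 18 06:12:00 host sshd[2105]: Failed password for root from 192.0.2.9 port 50005 ssh2",
    "Mar 18 07:30:00 host sshd[2200]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2",
    "Mar 18 07:39:06 host sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "Mar 18 07:39:08 host sshd[2302]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2",
    "Mar 18 07:39:11 host sshd[2303]: Failed password for invalid user oracle from 203.0.113.5 port 4244 ssh2",
    "Mar 18 07:39:13 host sshd[2304]: Failed password for root from 203.0.113.5 port 4245 ssh2",
    "Mar 18 07:39:16 host sshd[2305]: Accepted publickey for andy from 198.51.100.7 port 40002 ssh2",
    "Mar 18 07:39:16 host sshd[2306]: Failed password for root from 203.0.113.5 port 4246 ssh2",
]

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_ts(ts, year=2013):
    """Syslog timestamps carry no year; assume one (2013 matches the constructed log)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def tally_sources(lines):
    """Password failures per source IP; lines that are not sshd failures are ignored."""
    return Counter(m.group("ip") for m in map(FAIL_RE.match, lines) if m)

def find_ban_candidates(lines, maxretry=5, findtime=600):
    """Sources with maxretry failures inside any findtime-second window -> first time the threshold was crossed."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()  # failures older than the window no longer count
        if len(q) >= maxretry:
            banned.setdefault(ip, t.strftime("%b %d %H:%M:%S"))
    return banned
```

With the assumed defaults, 203.0.113.5 crosses the threshold on its fifth try while 192.0.2.9, which also failed five times but spread over twelve minutes, does not; widening findtime to 900 seconds catches it too.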
