Possible Break-In Attempts!
LivingSouLLivingSouL Member
edited September 2011 in General
SOURCE ADDRESS: 201.185.49.190
TARGET SERVICE: sshd
FAILED LOGINS: 26
EXECUTED COMMAND: /etc/apf/apf -d 201.185.49.190 {bfd.sshd}
SOURCE ADDRESS: 186.144.45.51
TARGET SERVICE: sshd
FAILED LOGINS: 38
EXECUTED COMMAND: /etc/apf/apf -d 186.144.45.51 {bfd.sshd}
SOURCE ADDRESS: 186.188.218.147
TARGET SERVICE: sshd
FAILED LOGINS: 38
EXECUTED COMMAND: /etc/apf/apf -d 186.188.218.147 {bfd.sshd}

I've got several dozen break-in attempts. I just wanted to know if BFD+APF works. How do you find out anyway?

Comments

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    You can check by tailing your /var/log/secure and see what it says :)

    If the IPs it's banning are coming up in that log file then it's for sure working.

    Francisco
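    The check Francisco describes, run over log lines instead of by eye, as an added example that is not part of the original thread or of the BFD/APF project: count sshd "Failed password" entries per source address in /var/log/secure, read the banned addresses out of a BFD alert in the format the OP posted, and then confirm that a banned address produces no further failures once its APF deny rule is in place. The /var/log/secure excerpt and the ban timestamps are constructed for the example (syslog lines carry no year, so one is assumed); in practice the ban time comes from BFD's own log.

```python
import re
from collections import Counter
from datetime import datetime

LOG_YEAR = 2011  # syslog lines carry no year; assumed for the constructed sample

# Constructed /var/log/secure excerpt in RHEL/CentOS syslog format (not from the thread).
SAMPLE_SECURE = """\
Sep 12 03:14:01 vps sshd[2311]: Failed password for invalid user admin from 201.185.49.190 port 51234 ssh2
Sep 12 03:14:03 vps sshd[2313]: Failed password for root from 201.185.49.190 port 51240 ssh2
Sep 12 03:14:05 vps sshd[2315]: Failed password for invalid user oracle from 201.185.49.190 port 51247 ssh2
Sep 12 03:14:07 vps sshd[2317]: Failed password for root from 186.144.45.51 port 40011 ssh2
Sep 12 03:14:09 vps sshd[2319]: Accepted publickey for deploy from 10.0.0.5 port 55000 ssh2
Sep 12 03:14:20 vps sshd[2321]: Failed password for root from 186.144.45.51 port 40012 ssh2
Sep 12 03:16:00 vps sshd[2330]: Failed password for root from 201.185.49.190 port 51300 ssh2
"""

# BFD alert body in the format the OP posted (first two entries of the OP's alert).
SAMPLE_BFD_ALERT = """\
SOURCE ADDRESS: 201.185.49.190
TARGET SERVICE: sshd
FAILED LOGINS: 26
EXECUTED COMMAND: /etc/apf/apf -d 201.185.49.190 {bfd.sshd}
SOURCE ADDRESS: 186.144.45.51
TARGET SERVICE: sshd
FAILED LOGINS: 38
EXECUTED COMMAND: /etc/apf/apf -d 186.144.45.51 {bfd.sshd}
"""

# Constructed: the moment each APF deny rule was added (in practice, from BFD's log).
SAMPLE_BAN_TIMES = {
    "201.185.49.190": datetime(2011, 9, 12, 3, 15, 0),
    "186.144.45.51": datetime(2011, 9, 12, 3, 14, 30),
}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_failed_logins(text, year=LOG_YEAR):
    """Return [(datetime, ip, user)] for every sshd 'Failed password' line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other daemons are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def failures_by_source(events):
    """Count failed logins per source IP, the number BFD compares to its threshold."""
    return Counter(ip for _, ip, _ in events)


def parse_bfd_alert(text):
    """Map SOURCE ADDRESS -> FAILED LOGINS from a BFD alert body."""
    bans = {}
    ip = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "SOURCE ADDRESS":
            ip = value.strip()
        elif key == "FAILED LOGINS" and ip:
            bans[ip] = int(value.strip())
    return bans


def failures_after_ban(events, ban_times):
    """For each banned IP, count sshd failures logged after its ban time.

    0 means the APF deny rule is holding; anything else means packets from that
    IP still reach sshd, so the ban is not actually in place.
    """
    leaked = {ip: 0 for ip in ban_times}
    for ts, ip, _ in events:
        if ip in ban_times and ts > ban_times[ip]:
            leaked[ip] += 1
    return leaked


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_SECURE)
    print(failures_by_source(ev))
    print(parse_bfd_alert(SAMPLE_BFD_ALERT))
    print(failures_after_ban(ev, SAMPLE_BAN_TIMES))
```

    In the constructed sample, 186.144.45.51 goes quiet after its ban, which is the "working" signal; 201.185.49.190 still produces a failure a minute after its deny rule was supposedly added, which is what you would see if the apf command in the alert had not actually taken effect.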

  • kiloservekiloserve Member
    edited September 2011

    BFD does do exactly what it's supposed to do; that's the bulk of your security; especially if you have users that use insecure passwords.

    It also does lighten the load on your server by banning the IPs after repeated infractions and thereby removing the extra load to lookup and deny the user.

    On shared webhosting, it is more vital than if you are the only user on the system using a high security password. Oftentimes, in shared hosting or similar uncontrolled environments, a user may use his name as a password and that could get nasty without BFD.

  • so it's working then.. cool! :) thanks..

  • Probably just bots. I get around 500 failed login attempts on my home NAS each day.

  • heh only 500? I've never run the stats but I'm sure my DA servers throw off a couple thousand if not tens of thousands every day.

    One of the reasons why we disabled nonsecure DA logins.

  • drmike said: heh only 500? I've never run the stats but I'm sure my DA servers throw off a couple thousand if not tens of thousands every day.

    One of the reasons why we disabled nonsecure DA logins.

    You're not the only one, one of my nodes receives 5000 login attempts a day, luckily fail2ban does a perfect job of booting them.

  • Can't use fail2ban. I'm not the only person who has issues with keyboards.

    maybe if I set it to 10 or so....

  • InfinityInfinity Member, Host Rep

    drmike said: heh only 500? I've never run the stats but I'm sure my DA servers throw off a couple thousand if not tens of thousands every day.

    Same..

  • Got me interested now. Of course the numbers would be low since we also do CMSes, forums, blogs, etc. Then we have ssh, sftp, etc.

    I wonder how many (idiots) try to connect via telnet and regular ftp....

  • drmike said: I wonder how many (idiots) try to connect via telnet and regular ftp....

    Wait! People still use telnet ;)

    My father's work used an application for managing things that used telnet in its client to connect, but it only had a Windows application, so I ported it to Linux & OS X by studying the connection bit by bit.

  • Actually had to install telnet a couple of weeks ago. Went looking for a mud to play.

  • KuJoeKuJoe Member, Host Rep

    I used telnet the other day to login to my PDU, it was mostly just for fun though and I disabled it shortly after (although I think SSH is enabled now).

    Not to get too off topic but I think I still have zMUD installed somewhere... LoL.

    @Daniel yes, Telnet is still being used. When I was taking a class about what they called Unix (it was just usage of a basic shell on Linux) the teacher and the admin from school ordered us to use Telnet, ssh wasn't available. So much for telling us to create a secure password.

  • I tell you what is fun, telnetting into your home router.

  • @thekreek - no rsh? When I started with un*x (back in the 90's on a mix of Sun Solaris and DEC Ultrix boxes) that's how I got to places. I guess people just didn't pay that much attention to over-the-wire security back then.

  • Well it's only 500 because it's just a home NAS connected to the internet for access on my phone and whilst out of the house. My connection also has a static IP so I guess that puts some of the attackers off for a while.

  • @LowEndAdmin I took that class in 2007, can you guess what my password for using telnet was..... I decided to use 123insecure.

  • @thekreek -- sounds like your lecturers might have recycled the syllabus from the '90s :)

  • @LowEndAdmin unfortunately that's something that happens over here, it takes ages for the school to update the syllabus to recent standards. But thanks to the web, local user groups and books you realize what you need to update.
