rogue IPs / user

I am getting constant hacking attempts into my computer from the following IPs. Although I have configured my ssh config and tcp-wrappers to deny such attempts, I wish some expert soul in this community would 'fix' this rogue hacker for ever, for everyone's good.

This hacker could be spoofing the IPs, but I have only the IPs in my message logs (and a URL)...

218.6.16.30 195.187.33.66 202.29.21.6 60.28.201.57 218.24.162.85 wpc4643.amenworld.com 202.22.251.23 219.143.232.131 220.227.218.21 124.30.42.36

-for community.

-BG
________________________________
~~Kalyan-mastu~~

Re: rogue IPs / user

badeguruji wrote:
> I am getting constant hacking attempts into my computer
> from the following IPs. Although I have configured my ssh
> config and tcp-wrappers to deny such attempts, I wish some
> expert soul in this community would 'fix' this rogue
> hacker for ever, for everyone's good.

Not sure that I understand what you are asking.

Just put these IPs in your pf configuration and then forget about it.

That's all there is to it.

Re: rogue IPs / user

On Friday 07 December 2007 12:51:52 badeguruji wrote:
> I am getting constant hacking attempts into my computer
> from the following IPs. Although I have configured my ssh
> config and tcp-wrappers to deny such attempts, I wish some
> expert soul in this community would 'fix' this rogue
> hacker for ever, for everyone's good.
>
> This hacker could be spoofing the IPs, but I have only
> the IPs in my message logs (and a URL)...
>
> 218.6.16.30 195.187.33.66 202.29.21.6 60.28.201.57 218.24.162.85 wpc4643.amenworld.com 202.22.251.23 219.143.232.131 220.227.218.21 124.30.42.36
>
> -for community.
>
> -BG

It isn't going to happen. For one thing, it's very likely that several "people" are involved, probing your network. Last year my web server was getting hit once a second for about two days, the efforts of at least 20 different creatures probing around. What are you going to do about that? I consider these people as net lice.

The one time I did send mail to an ISP was when one little vandal developed an inordinate fondness for the web server, and hit it 110,000 times in a week. Fortunately the ISP did do something about that one. But the lice, I don't think you can do anything about, unless you consider it a hobby.

--STeve Andre'

Re: rogue IPs / user

On Dec 7, 2007 10:03 AM, Daniel Ouellet <daniel@...> wrote:
> badeguruji wrote:
> > I am getting constant hacking attempts into my computer
> > from the following IPs. Although I have configured my ssh
> > config and tcp-wrappers to deny such attempts, I wish some
> > expert soul in this community would 'fix' this rogue
> > hacker for ever, for everyone's good.
>
> Not sure that I understand what you are asking.
>
> Just put these IPs in your pf configuration and then forget about it.
>
> That's all there is to it.

He's already been told that under this previous thread: [plz. help] constant attack from: 201.244.17.162, 222.231.60.88, 82.207.116.209....

Greg

--
Bicycle ride in the low desert: http://lodesertprotosites.org/pokerrun/pokerrun.html
Dethink to survive - Mclusky

Re: rogue IPs / user

On Dec 7, 2007 1:03 PM, Daniel Ouellet <daniel@...> wrote:
> badeguruji wrote:
> > I am getting constant hacking attempts into my computer
> > from the following IPs. Although I have configured my ssh
> > config and tcp-wrappers to deny such attempts, I wish some
> > expert soul in this community would 'fix' this rogue
> > hacker for ever, for everyone's good.
>
> Not sure that I understand what you are asking.

I think he's advocating e-violence of some sort? Hahahahahahah.

Re: rogue IPs / user

STeve Andre' wrote:
> The one time I did send mail to an ISP was when one little
> vandal developed an inordinate fondness for the web server,
> and hit it 110,000 times in a week. Fortunately the ISP did
> do something about that one. But the lice, I don't think you
> can do anything about, unless you consider it a hobby.

For fun, I like to make the "NT4 Option Pack" default server web page the index.html on some OpenBSD servers I set up. It's fun to watch and see who's paying attention to their logs when they start trying 8-year-old exploitz.

Re: rogue IPs / user

Thanks guys.

Steve, you were able to understand my concern/wish. Yes, I have posted the same issue earlier; that time I was looking for a solution for 'myself', this time I wish: if something can be done 'for everyone', so I publicized the IPs the hacker ('net lice') was coming from. I was advised to use pf, but right now a simple ssh-config and hosts.allow/deny is serving me fine. I will learn and use pf in due course.

And seriously, 'anything' in self-defense is not violence (or e-violence) - I am not going into the hackers' territory to teach him a lesson, I am only trying to build a wall [by asking the experts] which can save all those who are NOT hacking into other people's computers, and want to operate in a secure environment (within those walls).

Aren't all security experts just building their own islands with the problem [of unsecure space] remaining as it always was? We should try to build a secure 'atmosphere' where 'clouds of all colors/density' can freely glide with less caution in mind. A framework for internet security like Java, where all different kinds of web servers (and all other apps for that matter) can concentrate on their job, rather than worrying about security - is needed.

thank you.

-BG

--- Nick Guenther <kousue@...> wrote:
> On Dec 7, 2007 1:03 PM, Daniel Ouellet <daniel@...> wrote:
> > badeguruji wrote:
> > > I am getting constant hacking attempts into my computer
> > > from the following IPs. Although I have configured my ssh
> > > config and tcp-wrappers to deny such attempts, I wish some
> > > expert soul in this community would 'fix' this rogue
> > > hacker for ever, for everyone's good.
> >
> > Not sure that I understand what you are asking.
>
> I think he's advocating e-violence of some sort? Hahahahahahah.

________________________________
~~Kalyan-mastu~~

Re: rogue IPs / user

On Dec 7, 2007 12:51 PM, badeguruji <badeguruji@...> wrote:
> I am getting constant hacking attempts into my computer
> from the following IPs. Although I have configured my ssh
> config and tcp-wrappers to deny such attempts, I wish some
> expert soul in this community would 'fix' this rogue
> hacker for ever, for everyone's good.
>
> This hacker could be spoofing the IPs, but I have only
> the IPs in my message logs (and a URL)...
>
> 218.6.16.30 195.187.33.66 202.29.21.6 60.28.201.57 218.24.162.85 wpc4643.amenworld.com 202.22.251.23 219.143.232.131 220.227.218.21 124.30.42.36
>
> -for community.
>
> -BG
>
> ________________________________
> ~~Kalyan-mastu~~

Afraid it's a fact of life when running things on the open net. Don't worry about it. Make sure the way you authenticate to ssh isn't weak. I use key-based authentication and don't use passwords. This gives me peace of mind. It's a bit harder to guess and I don't have to worry about accounts with weak passwords. I also only allow specific users to authenticate to ssh.

The DoS hits I get periodically are the ones that bother me.

Axton Grams

Re: rogue IPs / user

I think this is the second time you've posted something similar to this... I have news for you....

Everyone gets such traffic in their logs.. from DoS'ers and other mischievous individuals..

There really isn't much you can do about it either, and if you report back to each IP's abuse email.. chances are it originated from some 80-year-old grandmother's trojan-infected computer.

Just use sane firewall rules... only enable services you need, and suck it up!! ;)

-Nix Fan.

Re: rogue IPs / user

On Sat, 08 Dec 2007 04:05:34 +0700, Unix Fan <unixfan@...> wrote:
> I think this is the second time you've posted something similar to
> this... I have news for you....
>
> Everyone gets such traffic in their logs.. from DoS'ers and other
> mischievous individuals..
>
> There really isn't much you can do about it either, and if you report
> back to each IP's abuse email.. chances are it originated from some
> 80-year-old grandmother's trojan-infected computer.
>
> Just use sane firewall rules... only enable services you need, and suck
> it up!! ;)
>
> -Nix Fan.

or whatever you want. It's everyday life handling such attacks for a net admin anyway... There are a lot of tutorials/best practices on the net. You might know better than me..

Cheers
Insan

Re: rogue IPs / user

badeguruji wrote:
> And seriously, 'anything' in self-defense is not
> violence (or e-violence) - I am not going into the hackers'
> territory to teach him a lesson, I am only trying to
> build a wall [by asking the experts] which can save
> all those who are NOT hacking into other people's
> computers, and want to operate in a secure environment
> (within those walls).

How can you prove that you aren't attempting to social engineer us into launching a denial of service attack against some perfectly innocent "net lice?"

Think about the model a bit more.

--Jon Radel
jon@...

Re: rogue IPs / user

This is so common that we ignore it at Virginia Tech. Some days, we log 20k - 30k ssh brute force attempts... I'd like to track 'em down and string 'em up too, but I've got better things to do and really, it's quite harmless :)

Re: rogue IPs / user

On 12/7/07, badeguruji <badeguruji@...> wrote:
> Steve, you were able to understand my concern/wish.
> Aren't all security experts just building their own
> islands with the problem [of unsecure space] remaining
> as it always was? We should try to build a secure
> 'atmosphere' where 'clouds of all colors/density' can
> freely glide with less caution in mind. A framework
> for internet security like Java, where all different
> kinds of web servers (and all other apps for that
> matter) can concentrate on their job, rather than
> worrying about security - is needed.

See, that requires trusting that the other 'security experts' are actually being honest and working for each other's benefit... but that system isn't secure; how do you distinguish 'security expert' from 'infiltrator'? You *must* have decentralized systems/methods for this. There's no way to combine data together; the best you can do is share techniques which you can verify with your own logic -- except for blacklists like SPEWS, and even then there are all sorts of politics and troubles.

-Nick

Re: rogue IPs / user

I have a related problem, but I am not sure if the source IPs are nasty computers or just...

# lsof -ni:www

shows me lots of connections hanging in state CLOSE_WAIT from some hosts (often in China). These used to eat all sockets for httpd. Now I have a max-src-conn limit so it is not a real problem any more.

I now also log hosts that succeed in getting many sockets in CLOSE_WAIT, and they are still there.

What do the gurus say? What can I do about these hosts?

On Fri, Dec 07, 2007 at 09:51:52AM -0800, badeguruji wrote:
> I am getting constant hacking attempts into my computer
> from the following IPs. Although I have configured my ssh
> config and tcp-wrappers to deny such attempts, I wish some
> expert soul in this community would 'fix' this rogue
> hacker for ever, for everyone's good.
>
> This hacker could be spoofing the IPs, but I have only
> the IPs in my message logs (and a URL)...
>
> 218.6.16.30 195.187.33.66 202.29.21.6 60.28.201.57 218.24.162.85 wpc4643.amenworld.com 202.22.251.23 219.143.232.131 220.227.218.21 124.30.42.36
>
> -for community.
>
> -BG
>
> ________________________________
> ~~Kalyan-mastu~~

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB

Re: rogue IPs / user

Tip.

Don't allow password challenge. Problem solved. Just use keyed ssh and this problem disappears.

On 11/12/2007, Raimo Niskanen <raimo+openbsd@...> wrote:
>
> I have a related problem, but I am not sure if the source
> IPs are nasty computers or just...
>
> # lsof -ni:www
> shows me lots of connections hanging in state CLOSE_WAIT
> from some hosts (often in China). These used to eat all
> sockets for httpd. Now I have a max-src-conn limit so
> it is not a real problem any more.
>
> I now also log hosts that succeed in getting many
> sockets in CLOSE_WAIT, and they are still there.
>
> What do the gurus say? What can I do about these hosts?
>
> On Fri, Dec 07, 2007 at 09:51:52AM -0800, badeguruji wrote:
> > I am getting constant hacking attempts into my computer
> > from the following IPs. Although I have configured my ssh
> > config and tcp-wrappers to deny such attempts, I wish some
> > expert soul in this community would 'fix' this rogue
> > hacker for ever, for everyone's good.
> >
> > This hacker could be spoofing the IPs, but I have only
> > the IPs in my message logs (and a URL)...
> >
> > 218.6.16.30 195.187.33.66 202.29.21.6 60.28.201.57 218.24.162.85 wpc4643.amenworld.com 202.22.251.23 219.143.232.131 220.227.218.21 124.30.42.36
> >
> > -for community.
> >
> > -BG
> >
> > ________________________________
> > ~~Kalyan-mastu~~
>
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB

Re: rogue IPs / user

On Tue, Dec 11, 2007 at 01:15:11AM +1300, Joel Wiramu Pauling wrote:
> Tip.
>
> Don't allow password challenge. Problem solved. Just use keyed ssh and this
> problem disappears.
>

Been there, done that.

You answered the wrong question.

I want to know if and what I can do (on the server side) about HTTP clients that put sockets on my httpd server in state CLOSE_WAIT and thereby chew up all sockets for the server, causing a kind of denial of service state.

And yes, I have googled for "HTTP server socket CLOSE_WAIT" and did not get much wiser.

> On 11/12/2007, Raimo Niskanen <raimo+openbsd@...> wrote:
> >
> > I have a related problem, but I am not sure if the source
> > IPs are nasty computers or just...
> >
> > # lsof -ni:www
> > shows me lots of connections hanging in state CLOSE_WAIT
> > from some hosts (often in China). These used to eat all
> > sockets for httpd. Now I have a max-src-conn limit so
> > it is not a real problem any more.
> >
> > I now also log hosts that succeed in getting many
> > sockets in CLOSE_WAIT, and they are still there.
> >
> > What do the gurus say? What can I do about these hosts?
> >
> > On Fri, Dec 07, 2007 at 09:51:52AM -0800, badeguruji wrote:
> > > I am getting constant hacking attempts into my computer
> > > from the following IPs. Although I have configured my ssh
> > > config and tcp-wrappers to deny such attempts, I wish some
> > > expert soul in this community would 'fix' this rogue
> > > hacker for ever, for everyone's good.
> > >
> > > This hacker could be spoofing the IPs, but I have only
> > > the IPs in my message logs (and a URL)...
> > >
> > > 218.6.16.30 195.187.33.66 202.29.21.6 60.28.201.57 218.24.162.85 wpc4643.amenworld.com 202.22.251.23 219.143.232.131 220.227.218.21 124.30.42.36
> > >
> > > -for community.
> > >
> > > -BG
> > >
> > > ________________________________
> > > ~~Kalyan-mastu~~
> >
> > --
> >
> > / Raimo Niskanen, Erlang/OTP, Ericsson AB

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB

Re: rogue IPs / user

On 12/11/07, Raimo Niskanen <raimo+openbsd@...> wrote:
> I want to know if and what I can do (on the server side) about HTTP
> clients that put sockets on my httpd server in state CLOSE_WAIT and
> thereby chew up all sockets for the server, causing a kind of
> denial of service state.
>
> And yes, I have googled for "HTTP server socket CLOSE_WAIT" and
> did not get much wiser.

If I understand correctly you could try synproxy states with pf and let these states expire rapidly. If the states expire, I *think* pf should end the connection completely, so your half-closed sockets don't get stale.

BUT perhaps I didn't get it at all and this makes no sense ;)

--knitti

Re: rogue IPs / user

Yep, synproxy is your answer for OpenBSD. For Linux or FreeBSD, try enabling syn cookies.

On Dec 11, 2007 5:43 AM, knitti <knitti@...> wrote:
> On 12/11/07, Raimo Niskanen <raimo+openbsd@...> wrote:
> > I want to know if and what I can do (on the server side) about HTTP
> > clients that put sockets on my httpd server in state CLOSE_WAIT and
> > thereby chew up all sockets for the server, causing a kind of
> > denial of service state.
> >
> > And yes, I have googled for "HTTP server socket CLOSE_WAIT" and
> > did not get much wiser.
>
> If I understand correctly you could try synproxy states with pf and let these
> states expire rapidly. If the states expire, I *think* pf should end the
> connection completely, so your half-closed sockets don't get stale.
> BUT perhaps I didn't get it at all and this makes no sense ;)
>
> --knitti

--
Systems Programmer, Principal
Electrical & Computer Engineering
The University of Arizona
marti@...

Re: rogue IPs / user

Raimo Niskanen wrote:
> On Tue, Dec 11, 2007 at 01:15:11AM +1300, Joel Wiramu Pauling wrote:
>> Tip.
>>
>> Don't allow password challenge. Problem solved. Just use keyed ssh and this
>> problem disappears.
>>
>
> Been there, done that.
>
> You answered the wrong question.

I think you got the right answer many times so far, but you just refuse to take the advice. People have told you many times to just use pf and be done with it. You just reply and dismiss them like this one here:

"I was advised to use pf, but right now a simple ssh-config and hosts.allow/deny is serving me fine. I will learn and use pf in due course."

> I want to know if and what I can do (on the server side) about HTTP
> clients that put sockets on my httpd server in state CLOSE_WAIT and
> thereby chew up all sockets for the server, causing a kind of
> denial of service state.

People have given you the answer over and over, but it is up to you to listen to the advice.

> And yes, I have googled for "HTTP server socket CLOSE_WAIT" and
> did not get much wiser.

I am not sure you actually did, but I will give you the benefit here. Again, the same answer and same advice. Get with it and use pf. If you google it, you would have seen exactly the answer and example to your question here yet again, using pf:

http://openbsd.org/faq/pf/filter.html#synproxy

It's one thing to ask for help and advice; users here have given you plenty of really good ones. It's another to refuse it, dismiss it and come back saying no one tells you the answer, or provides you the answer to the wrong question. The answer to your problem is just to use PF, or maybe the real problem is between the monitor and the chair.

Please, just read on it and do it right and stop telling people they are not helping you. They are, and they give you the right answer, but you refuse them. Your computer(s), your choice, that I get, but then don't say you don't get help.

Great FAQ on PF and it's easy to read. Spend the same amount of time reading it as you write emails and you will know it much better than I do, it looks like:

http://openbsd.org/faq/pf/

If you want more, then read the great docs on it here:

http://www.bsdly.net/~peter/pf.html

and if that still isn't answering your questions, then get the book:

http://nostarch.com/frameset.php?startat=pf

So far ALL the answers to your various questions on the subject and the variations of it are to use PF, so just do it.

Hope this helps you some.

Best,

Daniel

Re: rogue IPs / user

On 2007/12/11 09:40, Marti Martinez wrote:
> Yep, synproxy is your answer for OpenBSD. For Linux or FreeBSD, try
> enabling syn cookies.

synproxy works at the start of the connection, not the end. CLOSE_WAIT is the state where the network stack waits for the application (httpd) to close the connection after receiving the client's FIN.