Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




74 posts

Master Geek
+1 received by user: 16


Topic # 190780 12-Jan-2016 08:35
Send private message

Just got into the office this morning and pages and pages and pages of log files.............some of the 'guessed' usernames are priceless though






View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 1468175 12-Jan-2016 08:43
Send private message

Can't read the user names



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468191 12-Jan-2016 08:53
Send private message

image link

Click to see full size


 
 
 
 


I fix stuff!
1740 posts

Uber Geek
+1 received by user: 421

Trusted
Vocus
Subscriber

  Reply # 1468195 12-Jan-2016 09:01
4 people support this post
Send private message

ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.


130 posts

Master Geek
+1 received by user: 59


  Reply # 1468196 12-Jan-2016 09:01
One person supports this post
Send private message

Not so stupid guesses at your usernames. They successfully got the admin one.



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468198 12-Jan-2016 09:04
Send private message

spearsniper: Not so stupid guesses at your usernames. They successfully got the admin one.


true, there are only two active usernames in any case.

302 posts

Ultimate Geek
+1 received by user: 163

Lifetime subscriber

  Reply # 1468200 12-Jan-2016 09:05
Send private message

222.184.0.0 - 222.191.255.255 is assigned to CHINANET JIANGSU, 260 Zhongyang Road,Nanjing 210037, PRC.
Might be worth reporting to "abuse-mailbox: anti-spam@ns.chinanet.cn.net"



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468201 12-Jan-2016 09:06
Send private message

Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.

38 posts

Geek
+1 received by user: 7


  Reply # 1468214 12-Jan-2016 09:16
Send private message

Hi

Save your logs and report them. You can do a quick whois search using the IP address and get the necessary contact info you could also contact APNIC. The pic is a little blury i think the 2 IP addresses is see are

222.186.34.56 and 112.54.83.53 both trying to access your IP via Telnet and SSH. Do you have external access to both those services if you do and dont use them i would shut them down on your firewall. If you use them change the ports to something only you would know if you haven't done so already.



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468216 12-Jan-2016 09:20
Send private message

Pehesis: Hi

Save your logs and report them. You can do a quick whois search using the IP address and get the necessary contact info you could also contact APNIC. The pic is a little blury i think the 2 IP addresses is see are

222.186.34.56 and 112.54.83.53 both trying to access your IP via Telnet and SSH. Do you have external access to both those services if you do and dont use them i would shut them down on your firewall. If you use them change the ports to something only you would know if you haven't done so already.


Been working through that this morning and extracting the details from the logs and sending them to our ISP.

Got a suggestion earlier to change the ports but means having to reprogram all the existing terminals and managed sites. May look at finding a way to implement that over the coming weeks.

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 1468219 12-Jan-2016 09:23
Send private message

Use ssh keys

cisconz
1206 posts

Uber Geek
+1 received by user: 88

Trusted
Lifetime subscriber

  Reply # 1468224 12-Jan-2016 09:28
Send private message

Unless you need SSH and Telnet - do this





Hmmmm




74 posts

Master Geek
+1 received by user: 16


  Reply # 1468226 12-Jan-2016 09:30
Send private message

cisconz: Unless you need SSH and Telnet - do this





Do need both. But will be investigating a change of ports and working out how to roll that out to the temrinals that use our server.

cisconz
1206 posts

Uber Geek
+1 received by user: 88

Trusted
Lifetime subscriber

  Reply # 1468231 12-Jan-2016 09:35
Send private message

eftpos:
cisconz: Unless you need SSH and Telnet - do this


Do need both. But will be investigating a change of ports and working out how to roll that out to the temrinals that use our server.


From a specific IP or from everywhere?




Hmmmm


1456 posts

Uber Geek
+1 received by user: 382


  Reply # 1468243 12-Jan-2016 09:55
Send private message

eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468248 12-Jan-2016 09:59
Send private message

Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)


 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Orcon announces new always-on internet service for Small Business
Posted 18-Apr-2019 10:19


Spark Sport prices for Rugby World Cup 2019 announced
Posted 16-Apr-2019 07:58


2degrees launches new unlimited mobile plan
Posted 15-Apr-2019 09:35


Redgate brings together major industry speakers for SQL in the City Summits
Posted 13-Apr-2019 12:35


Exported honey authenticated on Blockchain
Posted 10-Apr-2019 21:19


HPE and Nutanix partner to deliver hybrid cloud as a service
Posted 10-Apr-2019 21:12


Southern Cross and ASN sign contract for Southern Cross NEXT
Posted 10-Apr-2019 21:09


Data security top New Zealand consumer priority when choosing a bank
Posted 10-Apr-2019 21:07


Samsung announces first 8K screens to hit New Zealand
Posted 10-Apr-2019 21:03


New cyber-protection and insurance product for businesses launched in APAC
Posted 10-Apr-2019 20:59


Kiwis ensure streaming is never interrupted by opting for uncapped broadband plans
Posted 7-Apr-2019 09:05


DHL Express introduces new MyDHL+ online portal to make shipping easier
Posted 7-Apr-2019 08:51


RackWare hybrid cloud platform removes barriers to enterprise cloud adoption
Posted 7-Apr-2019 08:50


Top partner named at MYOB High Achievers Awards
Posted 7-Apr-2019 08:48


Great ideas start in Gisborne with hackathon event back for another round
Posted 7-Apr-2019 08:42



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.