Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)Someone really wants to get access to my network
eftpos

74 posts

Master Geek
+1 received by user: 16


#190780 12-Jan-2016 08:35
Send private message

Just got into the office this morning and pages and pages and pages of log files.............some of the 'guessed' usernames are priceless though

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
johnr
19282 posts

Uber Geek
+1 received by user: 2526
Inactive user


  #1468175 12-Jan-2016 08:43
Send private message

Can't read the user names



eftpos

74 posts

Master Geek
+1 received by user: 16


  #1468191 12-Jan-2016 08:53
Send private message

image link

Click to see full size

Sounddude
I fix stuff!
1935 posts

Uber Geek
+1 received by user: 640

Trusted
2degrees
Lifetime subscriber

  #1468195 12-Jan-2016 09:01
Send private message

ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



spearsniper
133 posts

Master Geek
+1 received by user: 65


  #1468196 12-Jan-2016 09:01
Send private message

Not so stupid guesses at your usernames. They successfully got the admin one.

eftpos

74 posts

Master Geek
+1 received by user: 16


  #1468198 12-Jan-2016 09:04
Send private message

spearsniper: Not so stupid guesses at your usernames. They successfully got the admin one.


true, there are only two active usernames in any case.

PolicyGuy
1820 posts

Uber Geek
+1 received by user: 1769

ID Verified
Lifetime subscriber

  #1468200 12-Jan-2016 09:05
Send private message

222.184.0.0 - 222.191.255.255 is assigned to CHINANET JIANGSU, 260 Zhongyang Road,Nanjing 210037, PRC.
Might be worth reporting to "abuse-mailbox: anti-spam@ns.chinanet.cn.net"

 
 
 
 

Shop now at Mighty Ape (affiliate link).
eftpos

74 posts

Master Geek
+1 received by user: 16


  #1468201 12-Jan-2016 09:06
Send private message

Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.

Pehesis
38 posts

Geek
+1 received by user: 7


  #1468214 12-Jan-2016 09:16
Send private message

Hi

Save your logs and report them. You can do a quick whois search using the IP address and get the necessary contact info you could also contact APNIC. The pic is a little blury i think the 2 IP addresses is see are

222.186.34.56 and 112.54.83.53 both trying to access your IP via Telnet and SSH. Do you have external access to both those services if you do and dont use them i would shut them down on your firewall. If you use them change the ports to something only you would know if you haven't done so already.

eftpos

74 posts

Master Geek
+1 received by user: 16


  #1468216 12-Jan-2016 09:20
Send private message

Pehesis: Hi

Save your logs and report them. You can do a quick whois search using the IP address and get the necessary contact info you could also contact APNIC. The pic is a little blury i think the 2 IP addresses is see are

222.186.34.56 and 112.54.83.53 both trying to access your IP via Telnet and SSH. Do you have external access to both those services if you do and dont use them i would shut them down on your firewall. If you use them change the ports to something only you would know if you haven't done so already.


Been working through that this morning and extracting the details from the logs and sending them to our ISP.

Got a suggestion earlier to change the ports but means having to reprogram all the existing terminals and managed sites. May look at finding a way to implement that over the coming weeks.

johnr
19282 posts

Uber Geek
+1 received by user: 2526
Inactive user


  #1468219 12-Jan-2016 09:23
Send private message

Use ssh keys

cisconz
cisconz
1348 posts

Uber Geek
+1 received by user: 179

ID Verified
Trusted
Lifetime subscriber

  #1468224 12-Jan-2016 09:28
Send private message

Unless you need SSH and Telnet - do this




Hmmmm

HP

 
 
 
 

Shop now for HP laptops and other devices (affiliate link).
eftpos

74 posts

Master Geek
+1 received by user: 16


  #1468226 12-Jan-2016 09:30
Send private message

cisconz: Unless you need SSH and Telnet - do this





Do need both. But will be investigating a change of ports and working out how to roll that out to the temrinals that use our server.

cisconz
cisconz
1348 posts

Uber Geek
+1 received by user: 179

ID Verified
Trusted
Lifetime subscriber

  #1468231 12-Jan-2016 09:35
Send private message

eftpos:
cisconz: Unless you need SSH and Telnet - do this


Do need both. But will be investigating a change of ports and working out how to roll that out to the temrinals that use our server.


From a specific IP or from everywhere?




Hmmmm

Dairyxox
1595 posts

Uber Geek
+1 received by user: 455


  #1468243 12-Jan-2016 09:55
Send private message

eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.

eftpos

74 posts

Master Geek
+1 received by user: 16


  #1468248 12-Jan-2016 09:59
Send private message

Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright