Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


74 posts

Master Geek
+1 received by user: 16


Topic # 190780 12-Jan-2016 08:35
Send private message

Just got into the office this morning and pages and pages and pages of log files.............some of the 'guessed' usernames are priceless though






View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 1468175 12-Jan-2016 08:43
Send private message

Can't read the user names



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468191 12-Jan-2016 08:53
Send private message

image link

Click to see full size


I fix stuff!
1693 posts

Uber Geek
+1 received by user: 363

Trusted
Vocus
Subscriber

  Reply # 1468195 12-Jan-2016 09:01
4 people support this post
Send private message

ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.


130 posts

Master Geek
+1 received by user: 59


  Reply # 1468196 12-Jan-2016 09:01
One person supports this post
Send private message

Not so stupid guesses at your usernames. They successfully got the admin one.



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468198 12-Jan-2016 09:04
Send private message

spearsniper: Not so stupid guesses at your usernames. They successfully got the admin one.


true, there are only two active usernames in any case.

184 posts

Master Geek
+1 received by user: 79

Subscriber

  Reply # 1468200 12-Jan-2016 09:05
Send private message

222.184.0.0 - 222.191.255.255 is assigned to CHINANET JIANGSU, 260 Zhongyang Road,Nanjing 210037, PRC.
Might be worth reporting to "abuse-mailbox: anti-spam@ns.chinanet.cn.net"



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468201 12-Jan-2016 09:06
Send private message

Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.

38 posts

Geek
+1 received by user: 7


  Reply # 1468214 12-Jan-2016 09:16
Send private message

Hi

Save your logs and report them. You can do a quick whois search using the IP address and get the necessary contact info you could also contact APNIC. The pic is a little blury i think the 2 IP addresses is see are

222.186.34.56 and 112.54.83.53 both trying to access your IP via Telnet and SSH. Do you have external access to both those services if you do and dont use them i would shut them down on your firewall. If you use them change the ports to something only you would know if you haven't done so already.



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468216 12-Jan-2016 09:20
Send private message

Pehesis: Hi

Save your logs and report them. You can do a quick whois search using the IP address and get the necessary contact info you could also contact APNIC. The pic is a little blury i think the 2 IP addresses is see are

222.186.34.56 and 112.54.83.53 both trying to access your IP via Telnet and SSH. Do you have external access to both those services if you do and dont use them i would shut them down on your firewall. If you use them change the ports to something only you would know if you haven't done so already.


Been working through that this morning and extracting the details from the logs and sending them to our ISP.

Got a suggestion earlier to change the ports but means having to reprogram all the existing terminals and managed sites. May look at finding a way to implement that over the coming weeks.

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 1468219 12-Jan-2016 09:23
Send private message

Use ssh keys

cisconz
1189 posts

Uber Geek
+1 received by user: 78

Trusted
Lifetime subscriber

  Reply # 1468224 12-Jan-2016 09:28
Send private message

Unless you need SSH and Telnet - do this





Hmmmm




74 posts

Master Geek
+1 received by user: 16


  Reply # 1468226 12-Jan-2016 09:30
Send private message

cisconz: Unless you need SSH and Telnet - do this





Do need both. But will be investigating a change of ports and working out how to roll that out to the temrinals that use our server.

cisconz
1189 posts

Uber Geek
+1 received by user: 78

Trusted
Lifetime subscriber

  Reply # 1468231 12-Jan-2016 09:35
Send private message

eftpos:
cisconz: Unless you need SSH and Telnet - do this


Do need both. But will be investigating a change of ports and working out how to roll that out to the temrinals that use our server.


From a specific IP or from everywhere?




Hmmmm


1406 posts

Uber Geek
+1 received by user: 371


  Reply # 1468243 12-Jan-2016 09:55
Send private message

eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.



74 posts

Master Geek
+1 received by user: 16


  Reply # 1468248 12-Jan-2016 09:59
Send private message

Dairyxox:
eftpos:
Sounddude: ssh bot

Fairly common once an open ssh port is detected. They will be trying username/passwords from known guessable password dictionary.

If you are running linux highly recommend using fail2ban


Also really not a good idea having telnet open to the world.



We use telnet however to do terminal diagnostics from various sites so too hard to isolate incoming IP's. Found it easier to have a near 18 character password and a ridiculous username.


Surely only allowing whitelist IP access would be beneficial, even if its a bit of a hassle to setup.


I agree and it would be my option of choice however:

Mobile based terminals connecting to Voda and Spark - DHCP
Terminals get moved from one branch to another - Different external IP (we aren't always notified)


 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.