bad guys??

[rmvg]

I have a bunch of these in my logs it is very late and i am very tired thought i would throw up this post quick.

did an nslookup on the ip

tokyo.computerking.ca > /usr/local/etc/postfix #nslookup 61.129.117.112
Server: computerking.ca
Address: 192.168.0.202

*** computerking.ca can't find 61.129.117.112: Non-existent host/domain

whois gives me big hosting company in china

10 21:31:40 shoemasters sshd(pam_unix)[13928]: check pass; user unknown
Mar 10 21:31:40 shoemasters sshd(pam_unix)[13928]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:31:44 shoemasters sshd(pam_unix)[13930]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=mysql
Mar 10 21:31:49 shoemasters sshd(pam_unix)[13932]: check pass; user unknown
Mar 10 21:31:49 shoemasters sshd(pam_unix)[13932]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:31:54 shoemasters sshd(pam_unix)[13934]: check pass; user unknown
Mar 10 21:31:54 shoemasters sshd(pam_unix)[13934]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:31:59 shoemasters sshd(pam_unix)[13936]: check pass; user unknown
Mar 10 21:31:59 shoemasters sshd(pam_unix)[13936]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:04 shoemasters sshd(pam_unix)[13938]: check pass; user unknown
Mar 10 21:32:04 shoemasters sshd(pam_unix)[13938]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:09 shoemasters sshd(pam_unix)[13940]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=named
Mar 10 21:32:14 shoemasters sshd(pam_unix)[13942]: check pass; user unknown
Mar 10 21:32:14 shoemasters sshd(pam_unix)[13942]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:19 shoemasters sshd(pam_unix)[13944]: check pass; user unknown
Mar 10 21:32:19 shoemasters sshd(pam_unix)[13944]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:23 shoemasters sshd(pam_unix)[13946]: check pass; user unknown
Mar 10 21:32:23 shoemasters sshd(pam_unix)[13946]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:29 shoemasters sshd(pam_unix)[13948]: check pass; user unknown
Mar 10 21:32:29 shoemasters sshd(pam_unix)[13948]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:35 shoemasters sshd(pam_unix)[13962]: check pass; user unknown
Mar 10 21:32:35 shoemasters sshd(pam_unix)[13962]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112
Mar 10 21:32:40 shoemasters sshd(pam_unix)[14006]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.129.117.112 user=test

[KevinH]

Just block the IP at your firewall.

[rmvg]

Speaking of which is there a list of ports i need for zimbra somewhere?

[marcmac]

search the forums

[rmvg]

While im on this string of questions that have little or no bearing on Zimbra like badguys and firewalls. I have one more to get out of my system I'm sure this one is in the docs but i cannot seem to find it there or on the forums. When i click remeber me on this computer on the login screen zimbra does seem to remeber me but not for long enough is there a way to set this and where?

[KevinH]

While im on this string of questions that have little or no bearing on Zimbra like badguys and firewalls. I have one more to get out of my system I'm sure this one is in the docs but i cannot seem to find it there or on the forums. When i click remeber me on this computer on the login screen zimbra does seem to remeber me but not for long enough is there a way to set this and where?

It's not changeable. All we remember is the user name. You'll still have to enter the password as your auth token doesn't last forever. You can set the auth token time in the admin UI.

[mjfleck2000]

Just block the IP at your firewall.

I think you may wind up adding ALOT of IPs to your firewall rules. I noticed ssh probes as soon as I had my Zimbra machine up on the Internet... from many different IPs. Almost all of them looked like automated (scripted) ssh probes. They would try name, after name, after name for ssh.

Two suggestions.

1) Rather than block IPs, have a default rule of DENY in your firewall. Then, add ALLOW rules for only those IPs that you want. All other IPs are dropped on the floor.

2) Add "AllowUsers yourname " to your sshd_config file. So, even if they get through your firewall, and even if they have an account on your zimbra machine, only yourname will be allowed to make a ssh connection.

Mike
North Idaho Eye Institute

[andreychek]

I have a bunch of these in my logs it is very late and i am very tired thought i would throw up this post quick.

Yeah, as some other folks suggested, blocking those with firewall rules might leave you with a ton of firewall rules, as well as creating more work for yourself.

Might I recommend looking into pam_abl (abl == auto black list).

Basically, after PAM sees a certain about of failed login attempts from a certain host, it denies access to that host for a configurable amount of time.

For example, you can say that if a given host has 10 failed login attempts within an hour, block access for a day or two.

Some people bring up the fact that if you screw up, you could end up blocking yourself out of your box. Well, that may be true... though, in all my time on Linux, I'm not sure I've ever had 10 failed login attempts in an hour.

That said, there's another way around this....

You can setup port forwarding on an alternate port... perhaps 443 (assuming you have a second IP which Zimbra isn't using). You could port forward port 443 to port 22 on your server.... and in the pam_abl list, you can tell it to ignore certain hosts.

In this case, you'd tell it to ignore itself... the IP your port 443 was coming from. That way, you always have another way into your box, and scripts don't generally scan for ssh running on alternate ports.

Just a thought.

Have a good one,
-Eric

pam_abl: http://www.hexten.net/pam_abl/