two attempted break-ins from Hong Kong & Italy

on 05.07.2005 16:42:43 by yarmfelder

Hello,

I would like to announce two attempted but failed
break-in attempts to a computer that I have locally.

The first was someone from Italy, ip address
80.17.93.150 who attempted to break in via ssh,
using random user names and passwords.

inetnum: 80.17.93.128 - 80.17.93.159
netname: CONSORZIO-AGRARIO-PICENO
descr: CONSORZIO AGRARIO PICENO
country: IT
admin-c: FP27-RIPE
tech-c: FP27-RIPE
status: ASSIGNED PA "status:" definitions
mnt-by: INTERB-MNT
source: RIPE # Filtered
address: CONSORZIO AGRARIO PICENO
address: viale Indipendenza 2
address: I- 63100 Ascoli Piceno AP
address: Italy
nic-hdl: FP27-RIPE
source: RIPE # Filtered

The second from Hong Kong had the IP 210.17.180.83,
who wanted to log in via ssh as root.

Here is their info:

inetnum: 210.17.180.80 - 210.17.180.95
netname: SPORT_FIELD
descr: Sport Field Limited
person: PSN NOC
nic-hdl: PN2-AP
e-mail: noc@pacific.net.hk
address: 574, 1 TradeMart Drive,
address: HITEC, Kowloon Bay,
address: Hong Kong
phone: +85-226-201880
fax-no: +85-223-354520
country: HK
changed: noc@pacific.net.hk 20030825
mnt-by: MAINT-HKSUPER-AP
source: APNIC

I shall certainly be reporting this to the appropriate
authorities :)

YF

Re: two attempted break-ins from Hong Kong & Italy

on 05.07.2005 17:13:16 by Res

>>>>> "yarmfelder" == yarmfelder writes:

yarmfelder> Hello, I would like to announce two attempted but failed
yarmfelder> break-in attempts to a computer that I have locally...

I would like to announce that the sun rose over my domicile this morning.
I will be informing the local weather bureau shortly...

--
Richard Silverman
res@qoxp.net

Re: two attempted break-ins from Hong Kong & Italy

on 05.07.2005 17:16:04 by Quaoar

yarmfelder@yahoo.com wrote:
> Hello,
>
> I would like to announce two attempted but failed
> break-in attempts to a computer that I have locally.
>
> The first was someone from Italy, ip address
> 80.17.93.150 who attempted to break in via ssh,
> using random user names and passwords.
>
> inetnum: 80.17.93.128 - 80.17.93.159
> netname: CONSORZIO-AGRARIO-PICENO
> descr: CONSORZIO AGRARIO PICENO
> country: IT
> admin-c: FP27-RIPE
> tech-c: FP27-RIPE
> status: ASSIGNED PA "status:" definitions
> mnt-by: INTERB-MNT
> source: RIPE # Filtered
> address: CONSORZIO AGRARIO PICENO
> address: viale Indipendenza 2
> address: I- 63100 Ascoli Piceno AP
> address: Italy
> nic-hdl: FP27-RIPE
> source: RIPE # Filtered
>
> The second from Hong Kong had the IP 210.17.180.83,
> who wanted to log in via ssh as root.
>
> Here is their info:
>
> inetnum: 210.17.180.80 - 210.17.180.95
> netname: SPORT_FIELD
> descr: Sport Field Limited
> person: PSN NOC
> nic-hdl: PN2-AP
> e-mail: noc@pacific.net.hk
> address: 574, 1 TradeMart Drive,
> address: HITEC, Kowloon Bay,
> address: Hong Kong
> phone: +85-226-201880
> fax-no: +85-223-354520
> country: HK
> changed: noc@pacific.net.hk 20030825
> mnt-by: MAINT-HKSUPER-AP
> source: APNIC
>
> I shall certainly be reporting this to the appropriate
> authorities :)
>
> YF

FWIW, you shall be shouting into the darkness. Practically, no one
cares and that's the reason for establishing personal computer security.

Q

Re: two attempted break-ins from Hong Kong & Italy

on 05.07.2005 17:30:14 by Sensei

yarmfelder@yahoo.com wrote:
> I would like to announce two attempted but failed
> break-in attempts to a computer that I have locally.

We have 20.000 break-in attempts. I shall declare war on the world.

> I shall certainly be reporting this to the appropriate
> authorities :)

1. Who cares about those complaints? Nobody, trust me.
2. Do you really care those IP are real? If the cracker is good...

Re: two attempted break-ins from Hong Kong & Italy

on 05.07.2005 17:52:18 by Leythos

In article <1120574563.197809.108590@g43g2000cwa.googlegroups.com>,
yarmfelder@yahoo.com says...
> Hello,
>
> I would like to announce two attempted but failed
> break-in attempts to a computer that I have locally.
[snip]
> I shall certainly be reporting this to the appropriate
> authorities :)

I hate to tell you this, but you've offered nothing that indicates they
tried to "break-in" to your computer. Many of us have a number of IP's
that are scanned hourly (or faster) and consider it part of the
background chatter, increases some days, decreases others, but it's
always there.

If you were smart, you would have your computer/network protected by a
border device so that they can't reach your computer. You would also
have a block list setup so that most IP's outside your own country are
blocked from inbound access to your network.


--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Re: two attempted break-ins from Hong Kong & Italy

on 05.07.2005 18:22:12 by unruh

Sensei writes:

>yarmfelder@yahoo.com wrote:
>> I would like to announce two attempted but failed
>> break-in attempts to a computer that I have locally.

>We have 20.000 break-in attempts. I shall declare war on the world.

>> I shall certainly be reporting this to the appropriate
>> authorities :)

>1. Who cares about those complaints? Nobody, trust me.
>2. Do you really care those IP are real? If the cracker is good...

Let me explain why you are getting such dismissive responses.
a) This happens all the time to everyone who has ssh open on their system.
And those sites are probably "innocent" sites which have been broken into
by the crackers who then launched the attack. Unfortunately there is little
you can do about it, except make sure that all your users use good
passwords.
b) Reporting this to this newsgroup certainly will not help. Again, those
sites are not unique, and if everyone reported such attempts, this
newsgroup would have 10000 posts a day, and would be useless for anything
else.
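
What the background noise described in the post above looks like in an sshd log, as an added example that is not part of the thread: the sketch groups password-login lines by source address and separates username guessing, root-only guessing, and the one case worth reading closely, failures and a success from the same source. The log lines are constructed, the addresses come from the documentation ranges, and the labels and the threshold of two unknown users are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format; host name, users and the
# documentation-range addresses are placeholders, not data from the thread.
SAMPLE_LOG = """\
Jul  5 16:01:12 host sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Jul  5 16:01:15 host sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 40230 ssh2
Jul  5 16:20:02 host sshd[4230]: Failed password for root from 198.51.100.7 port 51822 ssh2
Jul  5 16:20:05 host sshd[4232]: Failed password for root from 198.51.100.7 port 51840 ssh2
Jul  5 16:31:40 host sshd[4301]: Failed password for alice from 203.0.113.5 port 60022 ssh2
Jul  5 16:31:52 host sshd[4303]: Accepted password for alice from 203.0.113.5 port 60031 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Count failed and accepted password logins per source address."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "unknown": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a password-login line
        s = stats[m["ip"]]
        if m["result"] == "Accepted":
            s["accepted"] += 1
            continue
        s["failed"] += 1
        s["users"].add(m["user"])
        s["unknown"] += 1 if m["invalid"] else 0  # account does not exist
    return dict(stats)

def classify(s):
    """Label one source; only a success mixed with failures needs a look."""
    if s["accepted"]:
        return "review" if s["failed"] else "login"
    if s["users"] == {"root"}:
        return "root-guessing"
    if s["unknown"] >= 2:  # assumed threshold for dictionary-style guessing
        return "username-guessing"
    return "noise"

def report(log_text=SAMPLE_LOG):
    return {ip: classify(s) for ip, s in summarize(log_text).items()}

print(report())
```
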

Re: two attempted break-ins from Hong Kong & Italy

on 05.07.2005 20:47:11 by unknown

Post removed (X-No-Archive: yes)

Re: two attempted break-ins from Hong Kong & Italy

on 05.07.2005 22:10:44 by Frode

Unruh wrote:
> Let me explain why you are getting such dismissive responses.
> a) This happens all the time to everyone who has ssh open on their system.

I changed the public port for ssh to get rid of all the log spam myself. It
was driving me nuts.


- --
Frode

Re: two attempted break-ins from Hong Kong & Italy

on 05.07.2005 22:19:23 by unruh

Frode writes:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1

>Unruh wrote:
>> Let me explain why you are getting such dismissive responses.
>> a) This happens all the time to everyone who has ssh open on their system.

>I changed the public port for ssh to get rid of all the log spam myself. It
>was driving me nuts.

One way of doing it. It is just that all your users (including the putty
users) away from home have to remember which port it is on.
Mind you, I put ssh onto port 80 on one of my machines after I was at a
location (a university) where the firewall blocked all outgoing ports
except port 80.

Re: two attempted break-ins from Hong Kong & Italy

on 06.07.2005 01:24:04 by yarmfelder

Leythos wrote:

> If you were smart, you would have your computer/network protected by a
> border device

We have a wireless router. It blocks virtually all ports, but not ssh
since I use that. I could easily use a different port for ssh however.

> You would also
> have a block list setup so that most IP's outside your own country are
> blocked from inbound access to your network.

How do you suggest doing that? Let's suppose that hypothetically
I put .net .com .org in my hosts.allow. I'm under the impression
there are foreign sites with those endings. Or, I don't have a list
of which IP prefixes are for my region; where can I find one?

Thanks.

Re: two attempted break-ins from Hong Kong & Italy

on 06.07.2005 02:11:33 by unknown

Post removed (X-No-Archive: yes)

Re: two attempted break-ins from Hong Kong & Italy

on 06.07.2005 14:21:13 by yarmfelder

Thanks for the advice. Incidentally, re the router,
can't I make it into a simple firewall by forwarding
most ports to a nonsense IP? Also VPN is something
I'd never use. I need just the basics.

Re: two attempted break-ins from Hong Kong & Italy

on 06.07.2005 21:14:29 by unruh

yarmfelder@yahoo.com writes:


>Thanks for the advice. Incidentally, re the router,
>can't I make it into a simple firewall by forwarding
>most ports to a nonsense IP? Also VPN is something
>I'd never use. I need just the basics.

Sheesh. Still going on about getting a few entries into your logs. Why
don't you just erase your logs every 5 min, that way you will not see them,
since that is what your problem seems to be. You have no concern about
security, it is about the image of security. ssh is fine. So what if people
try to knock on your ssh door. They do not get in. But no, there are those
entries in the logs!!!!!!! Really important. Those log entries might bite
you or something.
ssh works. ssh does what you need. ssh is simple, not complex, but you want
to use something unknown and complex to replace something simple because of
some log entries.

Re: two attempted break-ins from Hong Kong & Italy

on 05.09.2005 13:02:58 by oops

Combine ssh with port knocking. You'll be fine. Believe me!!!

"Unruh" wrote in message
news:daec3k$dom$1@nntp.itservices.ubc.ca...
> Sensei writes:
>
>>yarmfelder@yahoo.com wrote:
>>> I would like to announce two attempted but failed
>>> break-in attempts to a computer that I have locally.
>
>>We have 20.000 break-in attempts. I shall declare war on the world.
>
>>> I shall certainly be reporting this to the appropriate
>>> authorities :)
>
>>1. Who cares about those complaints? Nobody, trust me.
>>2. Do you really care those IP are real? If the cracker is good...
>
> Let me explain why you are getting such dismissive responses.
> a) This happens all the time to everyone who has ssh open on their system.
> And those sites are probably "innocent" sites which have been broken into
> by the crackers who then launched the attack. Unfortunately there is little
> you can do about it, except make sure that all your users use good
> passwords.
> b) Reporting this to this newsgroup certainly will not help. Again, those
> sites are not unique, and if everyone reported such attempts, this
> newsgroup would have 10000 posts a day, and would be useless for anything
> else.