Re: Possible attack?

Anon E. Muss wrote:
> I recently noticed excessive activity on my router's activity LED and
> did a little investigating. As immediate action, I used a big hammer
> and firewalled off 218/8 until I can figure out what is going on here.
> Yesterday, it was 201/8.
>
> Below is most of output of netstat. Can someone let me know what is
> going on here? SynFlood?? Also, any suggestions??
>
> ===== BEGIN =====
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 x-xx-x-xx-xx.xxxxxxxx:37775 218.25.160.246:ssh TIME_WAIT
> tcp 0 0 x-xx-x-xx-xx.lsa:safetynetp 218.25.17.78:ssh TIME_WAIT
<snip -- you only need to paste in the relevant portions, people might
ignore your post if it's too large>
This simply looks like a brute force attack to guess valid usernames or
actually log into the system. This is something that happens to
millions of systems every day, all over the world on the Internet.
You should only allow access to the SSH port (as well as FTP and
anything else) that only you want access to, to only your IP. If it's
local, you can set the router to deny any incoming requests, especially
to ports like this. You can also shut down SSH on your local system if
you don't have a reason to run it for incoming connections. Same with
any unneeded service.
The router/firewall should block any incoming connections to your system
on any port, and only allow incoming for trusted connections that you
want/need for some reason. Always also shut down and block any
accesses to services on the system itself anyway, in case the firewall
is somehow bypassed or compromised.
Obviously, the rest of the rules apply as well, such as keeping things
up to date, a good, secure configuration, firewalls on the system and
router (or hardware firewall if you use one), shutting down services
you don't need, and so on.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle! |
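As an added example (not code from either poster), here is a small Python triage script for netstat output in the format quoted above. It classifies each SSH-related line by which end holds the SSH port (foreign `:ssh` means the local host opened the connection; local `:ssh` means a remote host connected in) and counts them per remote /8, so a burst like the 218/8 one in the thread stands out. The sample lines are constructed from the quoted format, with one extra inbound line added for contrast; run netstat with `-n` so remote addresses are numeric.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the netstat format quoted in the thread (hostnames masked
# as in the post; the third line is an added inbound example, not from the post).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 x-xx-x-xx-xx.xxxxxxxx:37775 218.25.160.246:ssh TIME_WAIT
tcp 0 0 x-xx-x-xx-xx.lsa:safetynetp 218.25.17.78:ssh TIME_WAIT
tcp 0 0 x-xx-x-xx-xx.lsa:ssh 201.9.4.12:51022 ESTABLISHED
"""

SSH_PORTS = {"ssh", "22"}  # netstat prints the service name unless run with -n

@dataclass
class Conn:
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str

def parse_netstat(text):
    """Parse 'netstat' connection lines; header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6"):
            continue
        lh, lp = f[3].rsplit(":", 1)   # split on the last ':' (IPv6 safe)
        rh, rp = f[4].rsplit(":", 1)
        conns.append(Conn(lh, lp, rh, rp, f[5]))
    return conns

def ssh_direction(c):
    """'outbound' if the remote end is the SSH service, 'inbound' if the local end is."""
    if c.remote_port in SSH_PORTS:
        return "outbound"
    if c.local_port in SSH_PORTS:
        return "inbound"
    return "other"

def summarize(text):
    """Count SSH connections by direction and by (direction, remote /8)."""
    by_dir, by_slash8 = Counter(), Counter()
    for c in parse_netstat(text):
        d = ssh_direction(c)
        by_dir[d] += 1
        if d != "other":   # first dotted label of a numeric address is its /8
            by_slash8[(d, c.remote_host.split(".")[0] + "/8")] += 1
    return by_dir, by_slash8
```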