• Break in attempt

    From Ward Dossche@2:292/854 to All on Wednesday, March 06, 2024 13:36:37
    This was funny, someone tried to break into my account with thousands and thousands multiple attempts with differing passwords ... really interesting to observe ... here's an example ...

    \%/@rd

    "anonymous"
    "123456"
    "admin"
    "root"
    "password"
    "123123"
    "123"
    "pass1234"
    "ftp"
    "ftpftp"
    "ftp1"
    "ftp123"
    "ftp2016"
    "ftp2015"
    "ftp!"
    ""
    "P@ssw0rd!!"
    "qwa123"
    "12345678"
    "test"
    "123qwe!@#"
    "123456789"
    "123321"
    "1314520"
    "159357"
    "ftp2017"
    "666666"
    "woaini"
    "fuckyou"
    "000000"
    "1234567890"
    "8888888"
    "qwerty"
    "1qaz2wsx"
    "abc123"
    "abc123456"
    "1q2w3e4r"
    "123qwe"
    "ftp2019"
    "ftp2018"
    "p@ssw0rd"
    "p@55w0rd"
    "password!"
    "p@ssw0rd!"
    "password1"
    "r00t"
    "tomcat"
    "5201314"
    "system"
    "pass"
    "1234"
    "12345"
    "1234567"
    "devry"
    "111111"
    "admin123"
    "derok010101"
    "windows"
    "email@email.com"
    "qazxswedc`123"
    "qwerty123456"
    "qazxswedc"

    --- DB4 - 20230201
    * Origin: Many Glacier - Preserve / Protect / Conserve (2:292/854)
  • From Wilfred van Velzen@2:280/464 to Ward Dossche on Wednesday, March 06, 2024 13:48:43
    Hi Ward,

    On 2024-03-06 13:36:37, you wrote to All:

    This was funny, someone tried to break into my account

    "account"? For what service?

    with thousands and thousands multiple attempts with differing
    passwords ... really interesting to observe ...

    Nothing new...

    root@ubuntu:/var/log# grep 'Invalid user' auth.log | wc -l
    26865

    This is for a period of 3,5 days on a public server. They are all ssh login attempts with password authentication. Which will never work even if they correctly "guessed" a user and password combination. Because only authentication with keys is allowed on this server.

    I see the same on all public servers I administer.


    Bye, Wilfred.

    --- FMail-lnx64 2.2.1.1
    * Origin: FMail development HQ (2:280/464)
  • From Ward Dossche@2:292/854 to Wilfred van Velzen on Wednesday, March 06, 2024 14:10:01
    Wilfred,

    This was funny, someone tried to break into my account

    "account"? For what service?

    Private account, private server delivering services to the gymnastics community.

    \%/@rd

    --- DB4 - 20230201
    * Origin: Many Glacier - Preserve / Protect / Conserve (2:292/854)
  • From Christian Vanguers@2:292/2226 to Ward Dossche on Tuesday, March 12, 2024 15:20:54

    Hello Ward!

    06 Mar 24 13:36, you wrote to all:

    This was funny, someone tried to break into my account with thousands
    and thousands multiple attempts with differing passwords ... really interesting to observe ... here's an example ...

    \%/@rd

    "anonymous"
    "123456"
    "admin"
    "root"
    "password"
    "123123"
    "123"

    Clearly a dictionnary attack. Very likely the popular "rockyou" wordlist that every budding hacker is taught to use.
    The wordlist contains the passwords from the many data leaks over the years and it's the very first list they will usually try on a target.

    # zcat /usr/share/wordlists/rockyou.txt.gz | wc -l
    14344392

    Chris


    --- GoldED+/LNX 1.1.5--b20170303
    * Origin: ----> SPARK BBS (2:292/2226)
  • From Christian Vanguers@2:292/2226 to Wilfred van Velzen on Tuesday, March 12, 2024 15:34:10

    Hello Wilfred!

    root@ubuntu:/var/log# grep 'Invalid user' auth.log | wc -l
    26865

    If not already done, I encourage you to use fail2ban as a first barrier.
    Next you could filter the netblocks from countries you don't expect to receive traffic from and add iptables rules to drop the packets received from them.
    You can browse to https://www.ipdeny.com/ipblocks/data/aggregated/ to download the lists per country.

    If you're interested I got a python script that can do the job. The only thing to do is set a crontab to periodically download the lists and update the iptable rules.

    Hope it helps,
    Christian


    --- GoldED+/LNX 1.1.5--b20170303
    * Origin: ----> SPARK BBS (2:292/2226)
  • From Wilfred van Velzen@2:280/464 to Christian Vanguers on Tuesday, March 12, 2024 16:31:32
    Hi Christian,

    On 2024-03-12 15:34:10, you wrote to me:

    root@ubuntu:/var/log# grep 'Invalid user' auth.log | wc -l
    26865

    If not already done, I encourage you to use fail2ban as a first barrier.

    That was the first thing I did install after writing the message! ;-)

    Next you could filter the netblocks from countries you don't expect to receive traffic from and add iptables rules to drop the packets
    received from them. You can browse to https://www.ipdeny.com/ipblocks/data/aggregated/ to download the lists
    per country.

    That's a fast moving target. So you need to update (very) often...

    If you're interested I got a python script that can do the job. The
    only thing to do is set a crontab to periodically download the lists
    and update the iptable rules.

    Yes thanks! That would be interesting!


    Bye, Wilfred.

    --- FMail-lnx64 2.2.1.1
    * Origin: FMail development HQ (2:280/464)
  • From Christian Vanguers@2:292/2226 to Wilfred van Velzen on Thursday, March 14, 2024 13:14:38

    Hello Wilfred!

    12 Mar 24 16:31, you wrote to me:

    Hi Christian,

    Next you could filter the netblocks from countries you don't
    expect to receive traffic from and add iptables rules to drop the
    packets received from them. You can browse to
    https://www.ipdeny.com/ipblocks/data/aggregated/ to download the
    lists per country.

    That's a fast moving target. So you need to update (very) often...

    Personally I update in a crontab @reboot and every day

    If you're interested I got a python script that can do the job.
    Yes thanks! That would be interesting!

    Here it is :

    -+- snip ---
    # -*- coding: utf-8 -*-
    import subprocess, logging

    COUNTRIES = "AT,BE,BG,HR,CY,CZ,DK,EE,FI,FR,DE,GR,HU,IE,IT,LV,LT,LU,MT,NL,PL,PT,RO,SK,SI,ES,SE,GB, IN, UA, US, EG,SA, RW,NG,ZA, IS"

    COUNTRIES = [country.strip().lower() for country in COUNTRIES.split(',')]

    FAMILY = "ipv4"

    CHAIN = "COUNTRIES"
    TARGET = "RETURN"
    PRE_RULES = ["-s 10.0.0.0/8 -j RETURN"]
    POST_RULES = ["-j LOGIPS", "-j DROP"]

    logging.basicConfig(level=logging.INFO)


    TEST = """10.0.10.3/32
    """

    def run(command, silent=False):
    ret = subprocess.call(command, shell=True)
    if ret:
    logger = logging.warning
    elif silent == False:
    logger = logging.info
    else:
    logger = lambda x: None
    logger("%s: %s" % (ret, command))

    def append_rule(rule):
    command = "/usr/sbin/iptables -A %s %s" % (CHAIN, rule)
    run(command)

    def download(country):
    url = "http://www.ipdeny.com/ipblocks/data/aggregated/%s-aggregated.zone" % country
    try:
    import urllib.request
    logging.debug("retrieving %s" % url)
    data = urllib.request.urlopen(url).read().decode('utf-8')
    logging.debug("%s: %i lines" % (country, len(data.splitlines())))
    return data
    except:
    try:
    import urllib2
    data = urllib2.urlopen(url).read()
    logging.debug("%s: %i lines" % (country, len(data.splitlines())))
    return data
    except:
    raise

    command = "/usr/sbin/iptables -F %s" % CHAIN
    run(command)

    for rule in PRE_RULES:
    command = "/usr/sbin/iptables -A %s %s" % (CHAIN, rule)
    run(command)

    for country in COUNTRIES:
    try:
    ipset_name = "%s-%s" % (FAMILY, country)
    command = "/usr/sbin/ipset list -terse %s-%s >/dev/null 2>&1 || /usr/sbin/ipset create %s-%s hash:net family %s" % (FAMILY, country, FAMILY, country, FAMILY)
    run(command)
    ranges = download(country)
    for range in ranges.splitlines():
    range = range.strip()
    if range:
    command = "/usr/sbin/ipset -A -exist -quiet %s %s" % (ipset_name, range)
    run(command, silent=True)

    command = "/usr/sbin/iptables -A %s -p tcp -m set --match-set %s src -j %s" % (CHAIN, ipset_name, TARGET)
    run(command)
    except:
    logging.exception("error while processing %s" % ipset_name)

    for rule in POST_RULES:
    command = "/usr/sbin/iptables -A %s %s" % (CHAIN, rule)
    run(command)

    -+- /snip ---

    Hope it helps,
    Christian


    --- GoldED+/LNX 1.1.5--b20170303
    * Origin: ----> SPARK BBS (2:292/2226)
  • From Wilfred van Velzen@2:280/464 to Christian Vanguers on Thursday, March 14, 2024 13:32:57
    Hi Christian,

    On 2024-03-14 13:14:38, you wrote to me:

    If you're interested I got a python script that can do the job.
    Yes thanks! That would be interesting!

    Here it is :

    Thanks! I'll have a look at it.

    # -*- coding: utf-8 -*-

    Is that a line that was added automatically by your editor?

    Bye, Wilfred.

    --- FMail-lnx64 2.2.1.1
    * Origin: FMail development HQ (2:280/464)