We regularly remind our server customers to keep their server software and operating system up to date in order to prevent hacker attacks. Well, today it hit us ourselves. Admittedly, it is a server that sits in our office and leads a rather shadowy existence. It basically hosts nothing but the webcam server that delivers the lovely photos from our office to the whole world. Unfortunately the box was somewhat neglected, and at some point you receive an e-mail like this one:
It appears that a user from your network has been trying to hack into our web server. We respectfully request that you investigate this incident as soon as possible and that this person immediately cease and desist from further brute force attacks on our server. See our server's Brute Force Detection log below.
Thank you for your cooperation in this matter.
Hostmaster
AZRiver.com

The remote system 123.123.123.123 was found to have exceeded acceptable login failures on dedicated.azriver.com; there was 152 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.
Executed ban command:
/etc/apf/apf -d 123.123.123.123 {bfd.sshd}

The following are event logs from 123.123.123.123 on service sshd (all time stamps are GMT -0700):
Mar 2 07:59:27 dedicated sshd[12037]: Received disconnect from ::ffff:123.123.123.123: 11: Bye Bye
Mar 2 07:59:28 dedicated sshd[12048]: Invalid user administrator from ::ffff:123.123.123.123
Mar 2 07:59:31 dedicated sshd[12048]: Failed password for invalid user administrator from ::ffff:123.123.123.123 port 52433 ssh2
Mar 2 07:59:32 dedicated sshd[12049]: Received disconnect from ::ffff:123.123.123.123: 11: Bye Bye
Mar 2 07:59:32 dedicated sshd[12051]: Failed password for root from ::ffff:123.123.123.123 port 51506 ssh[...]
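The kind of counting behind such a report can be reproduced on your own auth log. The following is an added example, not part of the original post or of the tool that sent the e-mail: it tallies failed sshd password attempts per source address, folding the `::ffff:` IPv4-mapped form seen above into plain IPv4. The sample lines, the function names and the threshold of 3 are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same format as the log excerpt above.
SAMPLE_LOG = """\
Mar 2 07:59:27 dedicated sshd[12037]: Received disconnect from ::ffff:123.123.123.123: 11: Bye Bye
Mar 2 07:59:28 dedicated sshd[12048]: Invalid user administrator from ::ffff:123.123.123.123
Mar 2 07:59:31 dedicated sshd[12048]: Failed password for invalid user administrator from ::ffff:123.123.123.123 port 52433 ssh2
Mar 2 07:59:32 dedicated sshd[12051]: Failed password for root from ::ffff:123.123.123.123 port 51506 ssh2
Mar 2 08:01:10 dedicated sshd[12060]: Failed password for root from 123.123.123.123 port 51507 ssh2
Mar 2 08:02:00 dedicated sshd[12071]: Failed password for backup from 198.51.100.7 port 40000 ssh2
Mar 2 08:02:05 dedicated sshd[12072]: Accepted password for backup from 198.51.100.7 port 40001 ssh2
"""

# Only "Failed password" lines count; the preceding "Invalid user" line belongs
# to the same attempt. The user name is client-supplied text, so the source
# address is taken from the fixed tail of the line, not from the first "from".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$"
)

def normalize(addr):
    """Return the address as text, mapping ::ffff:a.b.c.d to a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        return str(ip.ipv4_mapped)
    return str(ip)

def failed_logins(log_text):
    """Count failed password attempts and collect tried user names per source."""
    counts, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            src = normalize(m.group(2))
        except ValueError:  # not an IP address (e.g. a resolved host name)
            continue
        counts[src] += 1
        users.setdefault(src, set()).add(m.group(1))
    return counts, users

def offenders(log_text, threshold):
    """Sources with at least `threshold` failures (threshold is an assumption)."""
    counts, users = failed_logins(log_text)
    return {s: (n, sorted(users[s])) for s, n in counts.items() if n >= threshold}
```

Without the normalization step, the mapped and plain forms of the same host would be counted as two different sources and each could stay under the threshold.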

