• Break in attempt

    From Ward Dossche@2:292/854 to All on Wed Mar 6 13:36:37 2024
    This was funny, someone tried to break into my account with thousands and thousands of attempts with differing passwords ... really interesting to observe ... here's an example ...

    \%/@rd

    "anonymous"
    "123456"
    "admin"
    "root"
    "password"
    "123123"
    "123"
    "pass1234"
    "ftp"
    "ftpftp"
    "ftp1"
    "ftp123"
    "ftp2016"
    "ftp2015"
    "ftp!"
    ""
    "P@ssw0rd!!"
    "qwa123"
    "12345678"
    "test"
    "123qwe!@#"
    "123456789"
    "123321"
    "1314520"
    "159357"
    "ftp2017"
    "666666"
    "woaini"
    "fuckyou"
    "000000"
    "1234567890"
    "8888888"
    "qwerty"
    "1qaz2wsx"
    "abc123"
    "abc123456"
    "1q2w3e4r"
    "123qwe"
    "ftp2019"
    "ftp2018"
    "p@ssw0rd"
    "p@55w0rd"
    "password!"
    "p@ssw0rd!"
    "password1"
    "r00t"
    "tomcat"
    "5201314"
    "system"
    "pass"
    "1234"
    "12345"
    "1234567"
    "devry"
    "111111"
    "admin123"
    "derok010101"
    "windows"
    "email@email.com"
    "qazxswedc`123"
    "qwerty123456"
    "qazxswedc"

    --- DB4 - 20230201
    * Origin: Many Glacier - Preserve / Protect / Conserve (2:292/854)
  • From Wilfred van Velzen@2:280/464 to Ward Dossche on Wed Mar 6 13:48:43 2024
    Hi Ward,

    On 2024-03-06 13:36:37, you wrote to All:

    This was funny, someone tried to break into my account

    "account"? For what service?

    with thousands and thousands of attempts with differing
    passwords ... really interesting to observe ...

    Nothing new...

    root@ubuntu:/var/log# grep 'Invalid user' auth.log | wc -l
    26865

    This is for a period of 3,5 days on a public server. They are all ssh login attempts with password authentication, which will never work even if they correctly "guessed" a user and password combination, because only authentication with keys is allowed on this server.

    I see the same on all public servers I administer.


    Bye, Wilfred.

    --- FMail-lnx64 2.2.1.1
    * Origin: FMail development HQ (2:280/464)
  • From Ward Dossche@2:292/854 to Wilfred van Velzen on Wed Mar 6 14:10:01 2024
    Wilfred,

    This was funny, someone tried to break into my account

    "account"? For what service?

    Private account, private server delivering services to the gymnastics community.

    \%/@rd

    --- DB4 - 20230201
    * Origin: Many Glacier - Preserve / Protect / Conserve (2:292/854)
  • From Christian Vanguers@2:292/2226 to Ward Dossche on Tue Mar 12 15:20:54 2024

    Hello Ward!

    06 Mar 24 13:36, you wrote to all:

    This was funny, someone tried to break into my account with thousands
    and thousands of attempts with differing passwords ... really interesting to observe ... here's an example ...

    \%/@rd

    "anonymous"
    "123456"
    "admin"
    "root"
    "password"
    "123123"
    "123"

    Clearly a dictionary attack. Very likely the popular "rockyou" wordlist that every budding hacker is taught to use.
    The wordlist contains the passwords from the many data leaks over the years and it's the very first list they will usually try on a target.

    # zcat /usr/share/wordlists/rockyou.txt.gz | wc -l
    14344392

    Chris


    --- GoldED+/LNX 1.1.5--b20170303
    * Origin: ----> SPARK BBS (2:292/2226)
  • From Christian Vanguers@2:292/2226 to Wilfred van Velzen on Tue Mar 12 15:34:10 2024

    Hello Wilfred!

    root@ubuntu:/var/log# grep 'Invalid user' auth.log | wc -l
    26865

    If not already done, I encourage you to use fail2ban as a first barrier.
    Next you could filter the netblocks from countries you don't expect to receive traffic from and add iptables rules to drop the packets received from them.
    You can browse to https://www.ipdeny.com/ipblocks/data/aggregated/ to download the lists per country.

    If you're interested I got a python script that can do the job. The only thing to do is set a crontab to periodically download the lists and update the iptables rules.

    Hope it helps,
    Christian


    --- GoldED+/LNX 1.1.5--b20170303
    * Origin: ----> SPARK BBS (2:292/2226)
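As an added example (not code from anyone in this thread), a small Python parser over constructed auth.log lines that extracts what the grep quoted above counts in aggregate, grouped per source address and per username tried, and applies the maxretry/findtime window rule fail2ban's sshd jail uses to decide which sources it would ban. The host name, usernames and addresses in the sample are invented.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt (hypothetical host/usernames, RFC 5737 addresses), not from the thread.
SAMPLE_AUTH_LOG = """\
Mar  6 13:36:01 ubuntu sshd[2101]: Invalid user admin from 203.0.113.7 port 51022
Mar  6 13:36:03 ubuntu sshd[2103]: Invalid user ftp from 203.0.113.7 port 51030
Mar  6 13:36:04 ubuntu sshd[2105]: Invalid user  from 203.0.113.7 port 51031
Mar  6 13:36:05 ubuntu sshd[2107]: Invalid user tomcat from 203.0.113.7 port 51040
Mar  6 13:36:06 ubuntu sshd[2109]: Invalid user test from 203.0.113.7 port 51041
Mar  6 13:50:12 ubuntu sshd[2200]: Invalid user pi from 198.51.100.23 port 40010
Mar  6 14:40:30 ubuntu sshd[2300]: Invalid user pi from 198.51.100.23 port 40011
Mar  6 13:51:00 ubuntu sshd[2201]: Accepted publickey for ops from 192.0.2.10 port 60001 ssh2
"""

# What 'grep Invalid user' counts; \S* keeps sshd's blank-username form "Invalid user  from".
INVALID_USER = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                          r"Invalid user (?P<user>\S*) from (?P<ip>\S+) port \d+")

def parse_invalid_users(text, year=2024):
    """[(timestamp, user, ip)] per 'Invalid user' line; syslog has no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events

def offenders(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Sources with >= maxretry failures in one sliding findtime window (fail2ban's sshd-jail rule)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > findtime:  # drop attempts older than the window
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = ts
                break
    return banned  # {ip: time the ban would trigger}

def usernames_tried(events):
    """Most-tried usernames first: the view that shows a wordlist being walked."""
    return Counter(user for _ts, user, _ip in events).most_common()
```

The slow source (two attempts 50 minutes apart) stays below the threshold, which is why a findtime window and not a plain count is what decides a ban.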
  • From Wilfred van Velzen@2:280/464 to Christian Vanguers on Tue Mar 12 16:31:32 2024
    Hi Christian,

    On 2024-03-12 15:34:10, you wrote to me:

    root@ubuntu:/var/log# grep 'Invalid user' auth.log | wc -l
    26865

    If not already done, I encourage you to use fail2ban as a first barrier.

    That was the first thing I did install after writing the message! ;-)

    Next you could filter the netblocks from countries you don't expect to receive traffic from and add iptables rules to drop the packets
    received from them. You can browse to https://www.ipdeny.com/ipblocks/data/aggregated/ to download the lists
    per country.

    That's a fast moving target. So you need to update (very) often...

    If you're interested I got a python script that can do the job. The
    only thing to do is set a crontab to periodically download the lists
    and update the iptables rules.

    Yes thanks! That would be interesting!


    Bye, Wilfred.

    --- FMail-lnx64 2.2.1.1
    * Origin: FMail development HQ (2:280/464)
  • From Christian Vanguers@2:292/2226 to Wilfred van Velzen on Thu Mar 14 13:14:38 2024

    Hello Wilfred!

    12 Mar 24 16:31, you wrote to me:

    Hi Christian,

    Next you could filter the netblocks from countries you don't
    expect to receive traffic from and add iptables rules to drop the
    packets received from them. You can browse to
    https://www.ipdeny.com/ipblocks/data/aggregated/ to download the
    lists per country.

    That's a fast moving target. So you need to update (very) often...

    Personally I update in a crontab @reboot and every day.

    If you're interested I got a python script that can do the job.
    Yes thanks! That would be interesting!

    Here it is:

    -+- snip ---
    # -*- coding: utf-8 -*-
    import subprocess, logging

    # Countries whose address ranges are allowed through; anything else is logged and dropped.
    COUNTRIES = "AT,BE,BG,HR,CY,CZ,DK,EE,FI,FR,DE,GR,HU,IE,IT,LV,LT,LU,MT,NL,PL,PT,RO,SK,SI,ES,SE,GB, IN, UA, US, EG,SA, RW,NG,ZA, IS"

    COUNTRIES = [country.strip().lower() for country in COUNTRIES.split(',')]

    FAMILY = "ipv4"

    # Chain rebuilt on every run; creating it, the LOGIPS chain and the jump from INPUT is done outside this script.
    CHAIN = "COUNTRIES"
    TARGET = "RETURN"                        # an allowed country returns to the calling chain
    PRE_RULES = ["-s 10.0.0.0/8 -j RETURN"]  # always let the private network through
    POST_RULES = ["-j LOGIPS", "-j DROP"]    # no country matched: log, then drop

    logging.basicConfig(level=logging.INFO)


    TEST = """10.0.10.3/32
    """

    def run(command, silent=False):
        """Run a shell command; a non-zero exit code is logged as a warning."""
        ret = subprocess.call(command, shell=True)
        if ret:
            logger = logging.warning
        elif not silent:
            logger = logging.info
        else:
            logger = lambda x: None
        logger("%s: %s" % (ret, command))

    def append_rule(rule):
        command = "/usr/sbin/iptables -A %s %s" % (CHAIN, rule)
        run(command)

    def download(country):
        """Fetch the aggregated zone file for a country (Python 3 first, Python 2 fallback)."""
        url = "http://www.ipdeny.com/ipblocks/data/aggregated/%s-aggregated.zone" % country
        try:
            import urllib.request
            logging.debug("retrieving %s" % url)
            data = urllib.request.urlopen(url).read().decode('utf-8')
            logging.debug("%s: %i lines" % (country, len(data.splitlines())))
            return data
        except:
            try:
                import urllib2
                data = urllib2.urlopen(url).read()
                logging.debug("%s: %i lines" % (country, len(data.splitlines())))
                return data
            except:
                raise

    # Start from an empty chain so stale rules from the previous run disappear.
    command = "/usr/sbin/iptables -F %s" % CHAIN
    run(command)

    for rule in PRE_RULES:
        command = "/usr/sbin/iptables -A %s %s" % (CHAIN, rule)
        run(command)

    for country in COUNTRIES:
        try:
            ipset_name = "%s-%s" % (FAMILY, country)
            # Create the per-country set only if it does not exist yet.
            command = "/usr/sbin/ipset list -terse %s-%s >/dev/null 2>&1 || /usr/sbin/ipset create %s-%s hash:net family %s" % (FAMILY, country, FAMILY, country, FAMILY)
            run(command)
            ranges = download(country)
            for net in ranges.splitlines():
                net = net.strip()
                if net:
                    command = "/usr/sbin/ipset -A -exist -quiet %s %s" % (ipset_name, net)
                    run(command, silent=True)

            command = "/usr/sbin/iptables -A %s -p tcp -m set --match-set %s src -j %s" % (CHAIN, ipset_name, TARGET)
            run(command)
        except:
            logging.exception("error while processing %s" % ipset_name)

    for rule in POST_RULES:
        command = "/usr/sbin/iptables -A %s %s" % (CHAIN, rule)
        run(command)

    -+- /snip ---

    Hope it helps,
    Christian


    --- GoldED+/LNX 1.1.5--b20170303
    * Origin: ----> SPARK BBS (2:292/2226)
  • From Wilfred van Velzen@2:280/464 to Christian Vanguers on Thu Mar 14 13:32:57 2024
    Hi Christian,

    On 2024-03-14 13:14:38, you wrote to me:

    If you're interested I got a python script that can do the job.
    Yes thanks! That would be interesting!

    Here it is:

    Thanks! I'll have a look at it.

    # -*- coding: utf-8 -*-

    Is that a line that was added automatically by your editor?

    Bye, Wilfred.

    --- FMail-lnx64 2.2.1.1
    * Origin: FMail development HQ (2:280/464)