September 2013 Archives
With all the fuss over NSA intrusion into encrypted data streams, I thought I'd take a look at the security situation on my own website. To that end, I wrote some Perl to fondle the log files and keep a record of who's logging in and who's getting kept out.
Top 10 users accepted:
Only one user is accepted at all, and that user is me. As I normally ssh in with a public key, I think this is pretty secure. I'm not giving usernames, just because. Also, all IP addresses accepted are either local addresses or the remote address I was at recently.
Top 20 usernames rejected:
Here's where it gets interesting: there are hundreds of attempted logins per day via ssh. I keep a year's worth of logs, so over the last year the top 20 usernames someone tried to log in with are:
- USER_REJ: testing rejected 438 times.
- USER_REJ: tester rejected 447 times.
- USER_REJ: temp rejected 505 times.
- USER_REJ: www rejected 536 times.
- USER_REJ: testuser rejected 541 times.
- USER_REJ: web rejected 545 times.
- USER_REJ: test1 rejected 545 times.
- USER_REJ: alex rejected 592 times.
- USER_REJ: backup rejected 671 times.
- USER_REJ: ftpuser rejected 758 times.
- USER_REJ: tomcat rejected 767 times.
- USER_REJ: info rejected 777 times.
- USER_REJ: git rejected 890 times.
- USER_REJ: postgres rejected 1351 times.
- USER_REJ: user rejected 1520 times.
- USER_REJ: a rejected 1559 times.
- USER_REJ: nagios rejected 2181 times.
- USER_REJ: admin rejected 2295 times.
- USER_REJ: test rejected 4052 times.
- USER_REJ: oracle rejected 4088 times.
What's interesting here is the huge spread within the top 20: the most-tried name (oracle, 4088) was attempted almost 10 times as often as the twentieth (testing, 438). Also notable is how many attempts use the default account name of a popular service (oracle, postgres, nagios, tomcat, git, ftpuser). If you allow SSH logins to the standard service accounts of popular services, you are an idiot and asking for trouble.
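The defensive counterpart of that advice, as an added example rather than anything from the original post: a fragment for sshd_config (assumed path /etc/ssh/sshd_config) that makes the guessed names and passwords in the tally worthless. The account name `me` is a placeholder.

```text
# Added example, not the author's configuration.  Directives for /etc/ssh/sshd_config.
# Keys only: a guessed password for oracle, admin or test is useless without the key.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Nobody logs in as root, and no service account (postgres, tomcat, nagios, ...) may log in at all.
PermitRootLogin no
# Placeholder: list only the real interactive account(s); every other name is refused.
AllowUsers me
# Cut each connection off after a few guesses instead of letting a dictionary run.
MaxAuthTries 3
LoginGraceTime 30
```

Run `sshd -t` after editing so a typo is caught before the daemon is restarted and you lock yourself out.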
Top 20 rejected IP addresses
So where am I being hacked from the most? Over the last year, the logs tell the following story.
- IP_REJ: 220.127.116.11 probed 1825 times. iWeb Technologies Inc. IWEB-BLK-04 (NET-67-205-64-0-1) 18.104.22.168 - 22.214.171.124
- IP_REJ: 126.96.36.199 probed 1869 times. CNC Group CHINA169 Shandong Province Network
- IP_REJ: 188.8.131.52 probed 1931 times. Indonesia
- IP_REJ: 184.108.40.206 probed 2245 times. h1762348.stratoserver.net, Berlin.
- IP_REJ: 220.127.116.11 probed 2366 times. CHINANET-ZJ Hangzhou node network
- IP_REJ: 18.104.22.168 probed 2542 times. HZDTV-IDC, China Zhejiang Province.
- IP_REJ: 22.214.171.124 probed 2546 times. CHINANET liaoning province network
- IP_REJ: 126.96.36.199 probed 2585 times. Hangzhou, Zhejiang, P.R.China
- IP_REJ: 188.8.131.52 probed 2594 times. Hyundai HCN Dongjak Systems Co., Ltd, Korea
- IP_REJ: 184.108.40.206 probed 2698 times. 2F Bundang Center, Onse IDC, 235-230, Korea
- IP_REJ: 220.127.116.11 probed 2947 times. vps2.barnes-open.net
- IP_REJ: 18.104.22.168 probed 3194 times. Chulalongkorn University, Thailand
- IP_REJ: 22.214.171.124 probed 3321 times. CHINANET Guizhou province network
- IP_REJ: 126.96.36.199 probed 4199 times. Hangzhou Alibaba Advertising Co.,Ltd, China
- IP_REJ: 188.8.131.52 probed 4768 times. Starhub internet, Singapore
- IP_REJ: 184.108.40.206 probed 5218 times. China Mobile Communications Corporation - liaoning
- IP_REJ: 220.127.116.11 probed 5704 times. Beijing Bitone United Networks Technology Service Co.,Ltd, China
- IP_REJ: 18.104.22.168 probed 8212 times. Hangzhou NEWGRAND Software Co., Ltd, China
- IP_REJ: 22.214.171.124 probed 12834 times. FIT Center, Tsinghua University, Beijing China
- IP_REJ: 126.96.36.199 probed 16360 times. WASU TV & Communication Holding Co.,Ltd. 6/F, Jian Gong Building, NO.20 Wen San Road, Hangzhou, Zhejiang province, P.R.China 310012
That's a heck of a lot of illegal access attempts from China... Remember, these are not website accesses; they are attempted logins over ssh. There is no way any of this is a mistaken SSH connection, as only I have login access to this box. All of these login attempts are malicious. If you are operating a commercial SSH service and you have no customers in China, you should block the whole damn country.
But who is vps2.barnes-open.net? It's almost the only non-Asian attacker in the whole list. Whois returns:
Registrant Name: Steve Barnes
Registrant Organization: BarnesSteve
Registrant Street: Shop1, 676 Wynnum Road,
Registrant City: Morningside, Brisbane Queensland
Why is this guy, or someone using his services, trying to log in to my ssh server? (Or was; the entries are from April 2013.) And why is he trying to log in as user admin? He's also tried dictionary attacks using a variety of first names and service names. Nearly 3,000 attempts? That's no accident: this host was clearly either compromised or is run by a black hat.
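The Perl log-fondler behind the tallies above is not shown on the page; as an added example (not the original post's code), here is a Python equivalent that tallies accepted logins, rejected usernames and rejected source addresses from OpenSSH auth-log lines and prints them in the same USER_REJ / IP_REJ style. The log lines and addresses are constructed, and the /var/log/auth.log path in the comment is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog format; not the author's logs.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 12 03:14:01 box sshd[1201]: Accepted publickey for me from 192.0.2.10 port 51234 ssh2
Sep 12 03:15:22 box sshd[1240]: Invalid user oracle from 198.51.100.7
Sep 12 03:15:22 box sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 44210 ssh2
Sep 12 03:15:25 box sshd[1241]: Failed password for invalid user test from 198.51.100.7 port 44212 ssh2
Sep 12 03:16:00 box sshd[1250]: Failed password for invalid user admin from 203.0.113.5 port 60110 ssh2
Sep 12 03:16:03 box sshd[1251]: Failed password for root from 203.0.113.5 port 60112 ssh2
Sep 12 03:16:09 box sshd[1252]: Failed password for invalid user oracle from 203.0.113.5 port 60114 ssh2
Sep 12 03:20:40 box sshd[1300]: Accepted password for me from 192.0.2.11 port 40000 ssh2
"""

# Only "Accepted" and "Failed" lines are tallied.  The separate "Invalid user X from Y"
# line sshd writes before each failure is skipped so one attempt is not counted twice.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port")

def tally(lines):
    """Return (accepted, rejected_users, rejected_ips) Counters for sshd log lines."""
    accepted, rej_users, rej_ips = Counter(), Counter(), Counter()
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            accepted[(m.group(2), m.group(1))] += 1  # keyed by (user, auth method)
            continue
        m = FAILED.search(line)
        if m:
            rej_users[m.group(1)] += 1
            rej_ips[m.group(2)] += 1
    return accepted, rej_users, rej_ips

def report(lines, top=20):
    """Render the tallies in the USER_REJ / IP_REJ style of the lists above, most frequent first."""
    accepted, rej_users, rej_ips = tally(lines)
    out = [f"USER_ACC: {u} via {how} accepted {n} times." for (u, how), n in accepted.most_common(top)]
    out += [f"USER_REJ: {u} rejected {n} times." for u, n in rej_users.most_common(top)]
    out += [f"IP_REJ: {ip} probed {n} times." for ip, n in rej_ips.most_common(top)]
    return out

if __name__ == "__main__":
    # Real use: report(open("/var/log/auth.log")) -- the log path is an assumption.
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```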
Previously, I've blogged about the poor reliability of Shure canal phones, headphones, etc. I've had one set replaced at least twice because one ear would just decrease in volume enough that you couldn't hear anything. Both times, I did genuinely get a different set of SE215 with new serial numbers.
If they do this during the two year warranty period, Shure will replace them free of charge. After that time, you will be held responsible for a cleaning/replacement charge. At this point, you may well feel that you should just buy another pair, as the repair charges are probably a significant proportion of the cost of buying another pair.
I discovered a way to get a pair of Shure SE215 back from the one ear dead state, and it's very simple. This has now worked for me twice, and may be worth a try if you are experiencing this issue *and* your Shures are out of warranty.
If they're in warranty, just take them to Shure and get them replaced.
My method is an act of desperation and is only applicable where: "My earphones are dead and I can't afford a new pair of Shures, and the affordable Ultimate Ears 200vi are crap. (I really don't need to hear that much wire jiggling noise, thankyewverymuch!)"
You will need:
- a pair of Shure earphones which have at least one ear blocked/silent;
- Contact cleaner spray;
- Weak Lemon Drink (or any beverage of your choice, really);
- A sense of desperation that you are willing to risk your headphones for this experimental procedure.
Please note (DISCLAIMER) that I accept no responsibility for any damage to your Shures, computer, lungs, environs, property, chattels and demesnes. You undertake this venture at your own risk. Contents may settle in transit. No motorcycles after 3PM.
The steps to follow are as follows:
- remove the silicon or foam tips from your headphones;
- bring your headphones to a place where spraying contact cleaner is safe and non-offensive, and where there is good drainage. Bathrooms are good;
- spray a short burst of contact cleaner directly into the ear tubes of the headphones and immediately turn the headphones opening down to drain excess fluid out;
- DRINK YOUR WEAK LEMON DRINK NOW! (You will need to allow some time for the alcohol in the contact cleaner to evaporate, meanwhile excess earwax or other precious bodily fluids have been melted/synthesized and sent to the NSA/FBI/KGB for analysis and long term storage.);
- Excess alcohol in your weak lemon drink may need dissipating through fried food and carbohydrates.
- Test your headphones for good audio in both ears.
It may take a while for all the various substances to evaporate, so be patient. You may need to DRINK YOUR WEAK LEMON DRINK a second time. You should probably pour another, rather than regurgitating the first drink. However, if you have insectoid ancestry, feel free to disregard this advice.