
Intro

After a long time I've decided, yes, to put together a blog again.
As before, it's about odds and ends, honeypots and malware.

Everything written here is to be taken completely seriously. ;-)

corona entertainment: "I FINK U FREEKY" by DIE ANTWOORD



I Fink U Freeky
Die Antwoord
Sexy boys
Fancy boys
Playboys
Bad boys
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
Motherfuckers get buzzed off the sparks that I bring
Guess whose got the party jumping
Travel the dark and all the pumping
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
I fink u freeky and I like you a lot
Hold up!
Whoah whoah whoah
Wait a minute minute Jesus Christ
Yo my man DJ Hi-Tek,
Shit this motherfucking beat is nice
Back in the day them wankies
Didn't wanna believe…
Ready for the diss, yo?
Motherfucker guess so
Overseas when the fucking heads get blown
When every thing will seem like
Dr. Dre beats headphones
When I get home I lounge on my zef throne, mate
Mom after me cause I get so great
making my money rapping over techno rave
I can take you underworld lets go babe
When I step up and do my thing put you in a trance
My Zef motherfucking clique got it going on
Fuck what you think I do what I motherfucking want
I can make a million little mutherfuckers jump
Jump motherfucker
Jump motherfucker jump
Jump motherfucker
Jump motherfucker jump
Jump motherfucker
Jump motherfucker jump
Jump motherfucker
Jump motherfucker jump
Increase the peace, don't wreck the party

missing: fuck the system ;-)

And fuck da jol up for everybody
Ek's a laarney, jy's a gam
Want jy lam innie mang, met jou slang in a man
I fink u freeky and I like you a lot
Now why you loer en kyk gelyk?
Is ek miskien van goud gemake?
You want to fight, you come tonight
Ek moer jou sleg! So jy hardloop weg
God se Jesus, we come to party
Pump your speakers, yo rock your body
In God we trust, You can't fuck with us
We not taking kak, I'd like to say what's up
To my sexy boys, and my fancy boys
And my playboys, and my bad boys
And my pretty boys, and my ugly boys
And my naughty boys
We gonna have a nice time kids
I fink u freeky and I like you a lot

corona entertainment: Pain - shut your mouth



They didn't believe me.

Shut Your Mouth
P.A.I.N.
The only thing I ever wanted
The only thing I ever needed
Is my own way, I gotta have it all
I don't want your opinion, I don't need your ideas
Stay the fuck out of my face, stay away from me
I am my own God, I do as I please
Just wipe your own ass and shut your mouth
I had enough and you're going down
Shut your mouth
What comes around you know goes around
My mind is playing tricks on me
I am not as stable as I used to be
Pushed and shoved, you know you're going too far
I will not break my back for you no more
I am gonna go my way, I am gonna take control
Time to wake up and dig myself out of this hell
Just wipe your own ass and shut your mouth
I had enough and you're going down
Shut your mouth…

Distributed brute-force attacks against sshd on non-common ports: fail2ban can't help?

maxretry = jojo

Picked this up in the channel.

Someone in ##security was talking about masses of attacks on his sshd,

even though it runs on a non-common port and he has fail2ban on it.

So I had a look at my auth.log, put together a script for my irclogger,
and the result was alarming.

I'm getting FLOOOODED!

Here's a little snip-snap:
CODE:
    <srvb0t> May  2 21:40:58 h2871494 sshd[32215]: Failed password for invalid user jenkins from 51.75.66.142 port 36262 ssh2
    <srvb0t> May  2 21:40:58 h2871494 sshd[32215]: Received disconnect from 51.75.66.142 port 36262:11: Bye Bye [preauth]
    <srvb0t> May  2 21:40:58 h2871494 sshd[32215]: Disconnected from invalid user jenkins 51.75.66.142 port 36262 [preauth]
    <srvb0t> May  2 21:41:14 h2871494 sshd[32217]: Invalid user garibaldi from 51.68.174.177 port 43958
    <srvb0t> May  2 21:41:14 h2871494 sshd[32217]: pam_unix(sshd:auth): check pass; user unknown
    <srvb0t> May  2 21:41:14 h2871494 sshd[32217]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.68.174.177
    <srvb0t> May  2 21:41:16 h2871494 sshd[32217]: Failed password for invalid user garibaldi from 51.68.174.177 port 43958 ssh2
    <srvb0t> May  2 21:41:16 h2871494 sshd[32217]: Received disconnect from 51.68.174.177 port 43958:11: Bye Bye [preauth]
    <srvb0t> May  2 21:41:16 h2871494 sshd[32217]: Disconnected from invalid user garibaldi 51.68.174.177 port 43958 [preauth]
    <srvb0t> May  2 21:41:49 h2871494 sshd[32224]: Invalid user telekom from 188.254.0.160 port 33900
    <srvb0t> May  2 21:41:49 h2871494 sshd[32224]: pam_unix(sshd:auth): check pass; user unknown
    <srvb0t> May  2 21:41:49 h2871494 sshd[32224]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.254.0.160
    <srvb0t> May  2 21:41:50 h2871494 sshd[32224]: Failed password for invalid user telekom from 188.254.0.160 port 33900 ssh2
    <srvb0t> May  2 21:41:50 h2871494 sshd[32224]: Received disconnect from 188.254.0.160 port 33900:11: Bye Bye [preauth]
    <srvb0t> May  2 21:41:50 h2871494 sshd[32224]: Disconnected from invalid user telekom 188.254.0.160 port 33900 [preauth]
    <srvb0t> May  2 21:41:51 h2871494 sshd[32227]: Invalid user serverpilot from 149.56.47.70 port 42620
    <srvb0t> May  2 21:41:51 h2871494 sshd[32227]: pam_unix(sshd:auth): check pass; user unknown
    <srvb0t> May  2 21:41:51 h2871494 sshd[32227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=149.56.47.70
    <srvb0t> May  2 21:41:53 h2871494 sshd[32227]: Failed password for invalid user serverpilot from 149.56.47.70 port 42620 ssh2
    <srvb0t> May  2 21:41:54 h2871494 sshd[32227]: Received disconnect from 149.56.47.70 port 42620:11: Bye Bye [preauth]
    <srvb0t> May  2 21:41:54 h2871494 sshd[32227]: Disconnected from invalid user serverpilot 149.56.47.70 port 42620 [preauth]
    <srvb0t> May  2 21:42:30 h2871494 sshd[32229]: Invalid user sinusbot from 218.1.18.78 port 38430
    <srvb0t> May  2 21:42:30 h2871494 sshd[32229]: pam_unix(sshd:auth): check pass; user unknown
    <srvb0t> May  2 21:42:30 h2871494 sshd[32229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.1.18.78
    <srvb0t> May  2 21:42:33 h2871494 sshd[32229]: Failed password for invalid user sinusbot from 218.1.18.78 port 38430 ssh2
    <srvb0t> May  2 21:42:33 h2871494 sshd[32229]: Received disconnect from 218.1.18.78 port 38430:11: Bye Bye [preauth]
    <srvb0t> May  2 21:42:33 h2871494 sshd[32229]: Disconnected from invalid user sinusbot 218.1.18.78 port 38430 [preauth]
    <srvb0t> May  2 21:42:43 h2871494 sshd[32231]: Invalid user ts3 from 159.89.157.75 port 44430
    <srvb0t> May  2 21:42:43 h2871494 sshd[32231]: pam_unix(sshd:auth): check pass; user unknown
    <srvb0t> May  2 21:42:43 h2871494 sshd[32231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.89.157.75
    <srvb0t> May  2 21:42:45 h2871494 sshd[32231]: Failed password for invalid user ts3 from 159.89.157.75 port 44430 ssh2
    <srvb0t> May  2 21:42:45 h2871494 sshd[32231]: Received disconnect from 159.89.157.75 port 44430:11: Bye Bye [preauth]
    <srvb0t> May  2 21:42:45 h2871494 sshd[32231]: Disconnected from invalid user ts3 159.89.157.75 port 44430 [preauth]
    <srvb0t> May  2 21:42:54 h2871494 sshd[32234]: Invalid user blynk from 142.44.218.192 port 48084
    <srvb0t> May  2 21:42:54 h2871494 sshd[32234]: pam_unix(sshd:auth): check pass; user unknown
    <srvb0t> May  2 21:42:54 h2871494 sshd[32234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ss


The attacks seem to be tuned to fail2ban's default settings.

Solution:

Change in jail.local (the option is spelled ignoreip, singular, in fail2ban):

CODE:
    [sshd]
    enabled  = true
    port     = 722
    ignoreip = humptydumpty.hopto.org
    maxretry = 1
    bantime  = 2h

ignoreip: your DDNS hostname, your static IP or a CIDR range, e.g. ignoreip = humptydumpty.hopto.org. Put your own address here before lowering maxretry, because with maxretry = 1 a single mistyped password bans you for the full bantime.

port: 722 for example, i.e. your port, the one sshd listens on.

Otherwise you can leave almost everything as it is, except:

maxretry = 1

bantime = 2h

:-)

Then things should quiet down.
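The snippet above shows the pattern fail2ban's stock defaults (maxretry = 5 inside findtime = 10m) were never built for: every source address tries one user name, disconnects, and a different address takes the next turn, so no single IP ever reaches five failures. The script below is an added example, not the irclogger script from this post. It parses the "Failed password" lines, counts failures per source IP, and simulates fail2ban's ban decision for maxretry = 5 versus maxretry = 1. The first six log lines are copied from the snippet above; the five lines from 198.51.100.7 (a documentation address) are constructed to show the classic single-source burst that the default threshold does catch; the year is assumed to be 2020 because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Lines 1-6: "Failed password" events copied from the auth.log snippet in this post.
# Lines 7-11: constructed. One host (198.51.100.7, a documentation address) retrying
# five times in eight seconds, the single-source pattern maxretry = 5 was made for.
SAMPLE_LOG = """\
May  2 21:40:58 h2871494 sshd[32215]: Failed password for invalid user jenkins from 51.75.66.142 port 36262 ssh2
May  2 21:41:16 h2871494 sshd[32217]: Failed password for invalid user garibaldi from 51.68.174.177 port 43958 ssh2
May  2 21:41:50 h2871494 sshd[32224]: Failed password for invalid user telekom from 188.254.0.160 port 33900 ssh2
May  2 21:41:53 h2871494 sshd[32227]: Failed password for invalid user serverpilot from 149.56.47.70 port 42620 ssh2
May  2 21:42:33 h2871494 sshd[32229]: Failed password for invalid user sinusbot from 218.1.18.78 port 38430 ssh2
May  2 21:42:45 h2871494 sshd[32231]: Failed password for invalid user ts3 from 159.89.157.75 port 44430 ssh2
May  2 21:43:01 h2871494 sshd[32240]: Failed password for root from 198.51.100.7 port 50001 ssh2
May  2 21:43:03 h2871494 sshd[32241]: Failed password for root from 198.51.100.7 port 50002 ssh2
May  2 21:43:05 h2871494 sshd[32242]: Failed password for root from 198.51.100.7 port 50003 ssh2
May  2 21:43:07 h2871494 sshd[32243]: Failed password for root from 198.51.100.7 port 50004 ssh2
May  2 21:43:09 h2871494 sshd[32244]: Failed password for root from 198.51.100.7 port 50005 ssh2
"""

# syslog timestamp, host, sshd[pid], then the "Failed password" message;
# the "invalid user " prefix is optional (absent for existing accounts such as root)
FAILED_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year):
    """Return a list of (timestamp, user, source_ip) for every failed-password line.
    syslog lines carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # disconnect / pam_unix lines are not counted as failures
        stamp = " ".join(m.group("stamp").split())  # collapse "May  2" to "May 2"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def attempts_per_ip(events):
    """How many failures each source address produced."""
    return Counter(ip for _, _, ip in events)


def would_ban(events, maxretry, findtime_s):
    """Simulate fail2ban's decision: an IP is banned once it has `maxretry`
    failures inside any window of `findtime_s` seconds."""
    per_ip = defaultdict(list)
    for ts, _, ip in events:
        per_ip[ip].append(ts)
    banned = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        # slide a window of maxretry consecutive failures over this IP's history
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime_s:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG, 2020)
    print("failures per source IP:", dict(attempts_per_ip(ev)))
    print("banned with maxretry=5, findtime=10m:", sorted(would_ban(ev, 5, 600)))
    print("banned with maxretry=1, findtime=10m:", sorted(would_ban(ev, 1, 600)))
```

With the defaults only the constructed single-source burst from 198.51.100.7 gets banned; the six distributed addresses from the real snippet each stay one failure short of any threshold above 1. With maxretry = 1 all seven addresses are banned on first contact, which is exactly why the ignoreip entry for your own address has to go in first.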