Cabrillo College Linux Classes

[Rich Simms]

It doesn't take very long!

I temporarily opened port 22 (used port forwarding) on my home network to allow incoming ssh connections to my Arwen VM. This was the contingency plan in case I was unable to use Hershey for the POP, SMTP and IMAP exercises Tuesday night.

I started getting logwatch reports the very next day of attempts to break into the VM from the Internet!

Failed logins from:
62.140.23.205 (s5205.evanzo-server.de): 8 times
66.7.212.31 (66.7.212.31.static.dimenoc.com): 9 times
195.206.96.30 (smtpproxy.easyserver.at): 1 time
200.184.182.205 (200-184-182-205.convex.com.br): 5 times

Illegal users from:
66.7.212.31 (66.7.212.31.static.dimenoc.com): 273 times
195.206.96.30 (smtpproxy.easyserver.at): 78 times
200.184.182.205 (200-184-182-205.convex.com.br): 135 times
201.0.145.106 (201-0-145-106.dial-up.telesp.net.br): 1 time

Here are some of the bad user ID's they tried:

[root@arwen ~]# lastb | sort | cut -f1 -d' ' | grep -v ^$ | uniq -c | sort -g | tail -25
4 install
4 invite
4 leo
4 luciana
4 monika
4 next
4 nicole
4 oscar
4 paul
4 simona
4 start
4 t1na
4 temp
4 transfer
6 admin
6 test
8 hlds
10 shoutcas
10 teamspea
10 zabbix
12 informix
14 root
18 bwadmin
20 PlcmSpIp
20 ts
[root@arwen ~]#

If you have port 22 open on your home network (via port forwarding through the NAT) then be sure and read those logwatch reports using /bin/mail!

- Rich

[marcromansky]

It's great how this internet thing has allowed people from all over the world to attempt to get into your bits!