Re: bandit13

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Michael Havens
Date:  
To: Main PLUG discussion list
Subject: Re: bandit13
I just checked out the 91.189.91.24 and it is This is the default welcome
page used to test the correct operation of the Apache2 server after
installation on Ubuntu systems.
Why are these the source ip addresses?

:-)~MIKE~(-:

On Wed, Feb 4, 2015 at 11:46 PM, Michael Havens <> wrote:

> Okay Buddy,
>
> I just installed sshguard and have been reading and re-reading the man
> page and can't figure out how to look at the log file. Can you help me out?
>
> I was wondering.... how could I tell if a hacker got into my box?
>
> After looking around a little at
> https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging I found
> that for what I started this morning the log is: /var/log/auth.log
> I just looked at that log and was wondering what it meant.
> It starts on Feb 1st and seems to just be repeating:
>
> Feb 1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Feb 1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session closed
> for user root
> Feb 1 07:50:33 c521 sudo: bmike1 : TTY=unknown ; PWD=/home/bmike1 ;
> USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
> Feb 1 07:50:33 c521 sudo: pam_unix(sudo:session): session opened for user
> root by (uid=0)
> Feb 1 07:50:55 c521 sudo: pam_unix(sudo:session): session closed for user
> root
> Feb 1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Feb 1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session closed
> for user root
> Feb 1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Feb 1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session closed
> for user root
> Feb 1 08:20:33 c521 sudo: bmike1 : TTY=unknown ; PWD=/home/bmike1 ;
> USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
> Feb 1 08:20:33 c521 sudo: pam_unix(sudo:session): session opened for user
> root by (uid=0)
> Feb 1 08:20:56 c521 sudo: pam_unix(sudo:session): session closed for user
> root
> Feb 1 08:39:01 c521 CRON[22100]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Feb 1 08:39:02 c521 CRON[22100]: pam_unix(cron:session): session closed
> for user root
> Feb 1 08:50:33 c521 sudo: bmike1 : TTY=unknown ; PWD=/home/bmike1 ;
> USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
> --etc--
>
> I then looked at the other logs in /var/log and saw ufw.log and ufw.log.1
> . ufw.log is empty while ufw.log.1 contains only stuff from JAN 26 & 27:
>
> Jan 26 14:22:52 c521 kernel: [ 175.220626] [UFW BLOCK] IN=eth0 OUT=
> MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10
> DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11536 PROTO=2
> Jan 26 14:22:55 c521 kernel: [ 178.348404] [UFW BLOCK] IN=eth0 OUT=
> MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10
> DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11553 PROTO=2
> Jan 27 10:30:43 c521 kernel: [72646.275669] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54164 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:30:44 c521 kernel: [72647.435192] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54362 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:30:46 c521 kernel: [72648.723882] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54637 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:30:48 c521 kernel: [72651.308359] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54687 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:30:53 c521 kernel: [72656.476479] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55145 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:31:04 c521 kernel: [72666.796199] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55407 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:31:24 c521 kernel: [72687.436850] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=58810 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
> Jan 27 10:32:06 c521 kernel: [72728.780502] [UFW BLOCK] IN=eth0 OUT=
> MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24
> DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=63010 DF PROTO=TCP
> SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
>
> I just looked at the log. On the 26th it was blocking something from
> 192.168.0.10 . That is my home network! I haven't had 192.168.0.10 for at
> least a year.
>
> :-)~MIKE~(-:
>
> On Wed, Feb 4, 2015 at 2:44 PM, Todd Millecam <> wrote:
>
>> ufw should keep the rule permanent.
>>
>> There's a program/service that will keep track of this for you
>> automatically (and do the limit brute force, and block multiple failed
>> attempts) called sshguard. If you use that, you can see how many unique
>> IPs attempted to break into your system by reading your /etc/hosts.deny
>> file.
>>
>> For my public-facing servers, I get about 13 unique new attackers per day.
>>
>>
>>
>> On Wed, Feb 4, 2015 at 2:32 PM, Michael Havens <> wrote:
>>
>>> I was wondering.... I was playing bandit and on level 13 they say some
>>> suggested reading is https://help.ubuntu.com/community/SSH/OpenSSH/Keys
>>> . I was reasing that page and followed a link to
>>> https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging
>>> because I always wondered how I could see how many log in attempts were
>>> made to my computer (not that I think anyone will crack my password which
>>> is greater than ten characters. Wait a second.... I do not think I ever set
>>> an ssh password. ...
>>> guys, my websearch has proven to be fruitless. what do you suggest I do?
>>>
>>> in any case, I was looking at the settings for openssh.config (or
>>> whatever the file is called) and happened upon:
>>>
>>>      Rate-limit the connections

>>>
>>> which happens to use ufw:
>>>
>>> sudo ufw limit ssh
>>>
>>> I was wondering if that command would turn it on permanently? After I
>>> entered the command it responded with something like 'new rule added' so I
>>> am assuming (I am not an ass!) that is so.
>>>
>>> I was wondering what should be changed?
>>> I am making loglevel Verbose
>>> :-)~MIKE~(-:
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list -
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> Todd Millecam
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>
>

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss