Shain Singh wrote:
>>What does TCP transmission string mean in wireshark?
>>
>>
>
> Here is a good link to read up on a little bit about TCP retransmits (which
> are not exactly a bad thing):
> http://thenetworkguy.typepad.com/nau/2008/03/a-tale-of-five.html
> Having a LOT of retransmits can be due a a number of reasons and most
> troubleshooting usually starts occurring from looking at the network.
>
>
>
>
>>Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification
>>string from 68.168.113.155
>>Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from
>>68.168.113.155
>>Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth):
>>authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>>rhost=68.168.113.155
>>Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user
>>webmaster from 68.168.113.155 port 33025 ssh2
>>Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
>>Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth):
>>authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>>rhost=68.168.113.155
>>Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user
>>admin from 68.168.113.155 port 33304 ssh2
>>Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth):
>>authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>>rhost=68.168.113.155 user=root
>>Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from
>>68.168.113.155 port 33514 ssh2
>>
>>
>
> Ok, so all the above is showing is that the IP 68.168.113.155 is trying a
> dictionary based attack of usernames against your publicly accessible SSH
> server on 'server02'.
I have an automated log check for sshd invalid user or failed password.
Multiple entries cause the culprits go in iptables, together with the
entire allocated netblock. My net, my rules.
GloboTech Communications GTCOMM (NET-68-168-112-0-1) 68.168.112.0 -
68.168.127.255
Genious Communications GTCOMM-579 (NET-68-168-113-128-1) 68.168.113.128
- 68.168.113.159
has not found their way into iptables - yet, but would get
-A INPUT -s 68.168.112.0/255.255.240.0 -p tcp -j LOGDROP
where
-A LOGDROP -j ULOG --ulog-prefix "IPTdrop" --ulog-qthreshold 5
-A LOGDROP -j DROP
Andrew
--
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who