I rebooted my Linux box into Windows Vista several times in the last two days while moving things over to VMWare Fusion. All day today, my disk drive has given a little spin every two or three seconds.
When I first noticed it, I tried searching around with iostat and top to see if I had some process run amok. Finding nothing, I tried rebooting.
The magical reboot was not so magical. My machine was still merrily hitting the disk every couple seconds.
I searched around the web for “disk activity” linux and “disk activity” ubuntu. I found recommendations that I:
- Kill processes that poll for new media
- Eliminate access time tracking on my filesystem, and
- Set syslog not to flush some of its logs
All of those seemed bogus to me. None of them seemed like anything that would have changed yesterday or today. But, the last one got me thinking. What logs do I have that do get flushed on every message? Are any of them going batty today?
Sure enough, /var/log/auth.log was getting hit every two or three seconds. Someone was trying to guess logins on my machine.
; logname= uid=0 euid=0 tty=ssh ruser= rhost=nitro.xyzdns.net user=backup
May 28 04:57:59 evariste sshd[6966]: Failed password for backup from 209.51.159.194 port 54874 ssh2
May 28 04:57:59 evariste sshd[6968]: Invalid user guest from 209.51.159.194
May 28 04:57:59 evariste sshd[6968]: pam_unix(sshd:auth): check pass; user unknown
May 28 04:57:59 evariste sshd[6968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=nitro.xyzdns.net
May 28 04:58:01 evariste sshd[6968]: Failed password for invalid user guest from 209.51.159.194 port 54992 ssh2
Looking back through the last week, I’ve had a few spates of bogus login attempts. Most of them were just four or five attempts in a row. This one today had gone on for twelve hours.
I threw that IP address into /etc/hosts.deny. Now, all is quiet. Well, except my need to make sure I don’t let things go for twelve hours again….
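The two checks the post describes by hand, spotting which remote host is hammering /var/log/auth.log and deciding whether it is background noise or a twelve-hour run worth a hosts.deny entry, as an added Python example that is not part of the original post. It parses constructed sample lines modelled on the excerpt above (the 209.51.159.194 address is the one from the post; 10.0.0.7 and 192.168.1.5 are made up), counts only the "Failed password" lines so that the matching "Invalid user" and pam_unix lines for the same attempt are not double-counted, reports the average spacing between attempts per source, and emits the TCP-wrappers line to drop into /etc/hosts.deny. Syslog timestamps carry no year, so the caller supplies one; the threshold of three attempts is an assumption for the sample data.

```python
import re
from datetime import datetime

# Constructed sample auth.log lines, modelled on the excerpt quoted in the post.
# 209.51.159.194 is the address the post names; the other two addresses are invented.
SAMPLE_AUTH_LOG = """\
May 28 04:57:59 evariste sshd[6966]: Failed password for backup from 209.51.159.194 port 54874 ssh2
May 28 04:57:59 evariste sshd[6968]: Invalid user guest from 209.51.159.194
May 28 04:58:01 evariste sshd[6968]: Failed password for invalid user guest from 209.51.159.194 port 54992 ssh2
May 28 04:58:03 evariste sshd[6970]: Failed password for invalid user admin from 209.51.159.194 port 55010 ssh2
May 28 04:58:05 evariste sshd[6972]: Failed password for root from 209.51.159.194 port 55031 ssh2
May 28 05:02:11 evariste sshd[7001]: Failed password for invalid user test from 10.0.0.7 port 40000 ssh2
May 28 05:02:14 evariste sshd[7003]: Failed password for invalid user test from 10.0.0.7 port 40002 ssh2
May 28 05:10:00 evariste sshd[7010]: Accepted publickey for alice from 192.168.1.5 port 51000 ssh2
"""

# Only "Failed password" lines are counted. The "Invalid user" and pam_unix lines
# describe the same attempt, so counting them as well would inflate the totals.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_failures(text, year):
    """Return (timestamp, ip, user) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def summarize(failures):
    """Group failures by source IP: count, first/last seen, and usernames tried."""
    summary = {}
    for ts, ip, user in failures:
        entry = summary.setdefault(ip, {"count": 0, "first": ts, "last": ts, "users": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["users"].add(user)
    return summary


def seconds_between_attempts(entry):
    """Average gap in seconds between attempts from one source; None for a single attempt."""
    if entry["count"] < 2:
        return None
    span = (entry["last"] - entry["first"]).total_seconds()
    return span / (entry["count"] - 1)


def flag_attackers(summary, min_attempts):
    """Source IPs with at least min_attempts failures, busiest first."""
    hits = [ip for ip, e in summary.items() if e["count"] >= min_attempts]
    return sorted(hits, key=lambda ip: (-summary[ip]["count"], ip))


def hosts_deny_lines(ips):
    """TCP-wrappers 'daemon_list : client_list' entries for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG, year=2008)  # year is assumed
    summary = summarize(failures)
    attackers = flag_attackers(summary, min_attempts=3)
    for ip in attackers:
        e = summary[ip]
        gap = seconds_between_attempts(e)
        print(f"{ip}: {e['count']} failures, {e['first']:%b %d %H:%M:%S} to "
              f"{e['last']:%b %d %H:%M:%S}, one every {gap:.1f}s, "
              f"users tried: {', '.join(sorted(e['users']))}")
    print("\n".join(hosts_deny_lines(attackers)))
```

Two caveats before relying on the hosts.deny output: the entry only does anything if sshd is linked against libwrap (the Ubuntu build of that era was; OpenSSH dropped tcp_wrappers support in 6.7, so on a current system the equivalent is a firewall rule or fail2ban), and the threshold should sit above the four-or-five-attempt spates the post describes as normal background noise, otherwise every drive-by scanner ends up in the deny list.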
You are nicer than I am. When that happens to me, I hunt the bastards down. 🙂
Well, I did the -thing and emailed the abuse contact at his ISP. But, I didn’t don an adult diaper, drive to Atlanta, and start following packets around.
That just shows your lack of commitment. 🙂
I used to do a non-intrusive port scan just to see what I was dealing with, and to see if I could get any more useful information.
I have been on the other side of that. I have gotten irate phone calls from people telling me to stop spamming or hacking their site, because they see the name “foobar.com” somewhere in the data. So I end up doing a little bit more to prove to them that it is not me. Since I do not manage the machine that is foobar.com anymore, I am blissfully unaware of all the attacks it is subjected to these days.
How many attempts were done in that 12 hours? I usually kill those at a firewall level, just to lessen the burden.
There were 4,402 attempts from that IP address over the course of 12 hours. So, I guess that’s only an average of about one every 10 seconds. At around 5pm Central it was every two seconds.
I have a lame firewall at the moment. My choices were either to shut off port forwarding altogether or block it at the machine level. The machine mostly sits there as my home name server and home git hub. It is not overly taxed.
My previous firewall was lame in a totally different way. I couldn’t forward port 22 to port 22 on one machine and port 2222 to port 22 on a different machine. Feh.