I know this is not directly backtrack related but I figured since it's security related you guys may find it interesting so, mods feel free to remove this if you wish.
I want to begin by saying I'm just a home user, I don't work for any large corporation or anything like that so to me this came as *somewhat* of a surprise.
I normally have port 22 forwarded with ssh running on it. This morning I decided to mess with my network and try to attack it remotely, apparently I wasn't the only one.
I don't know what made me do it, but I decided to do a quick
and I quickly noticed 3 other unknown ip addresses had also tried to attack my ssh service just within the last couple days. One of the ip address had just been attacking minutes before I had looked at the log. The others were yesterday before I had tried attacking myself.Code:cat /var/log/auth.log
after a quick panic followed by me ripping cords out of the wall... lol I regained my composure and shut down my ssh service, and closed down my forwarded ports. I made a record of the attacks from the auth.log, nmap scans of the attacking addresses, and a reverse ip lookup of the attacking addresses.
an interesting note..... one of the reverse lookups came back listed on a real time blocking list by sorbs(spam and open relay blocking system)
im sure the attacker(s) was/were probably behind a proxy but two addresses were traced to china the other was inside the u.s.
as I said I don't work for a corporation or anything like that so I don't see any reason for me to be targeted... The only thing I can think of is maybe someone just used a service like shodan or a similar search engine and targeted me just because of the fact I had the service running and they thought they may be able to exploit it.
EDIT: I just thought about another reason for possibly being targeted. A popular search on shodan is webcam... I personally have a security camera setup on my network that would possibly put me under those search results, and bring attention to my ip address.
two attackers were trying all kinds of random usernames/passwords and the other was only attacking the root account.
from what I can see in the logs, no one was able to gain access.
If you're running services like this on your system check your logs more often you might be surprised!
I personally just play with backtrack as a means of educating myself to further secure my home network, but I know a lot of you guys on are actually security professionals and system admins for large corporations. What do you guys do in these situations. What are your methods for intrusion detection and how should I go about locking down my system.
also is there anywhere else I should look to make sure no one has gained access, and where would you go from here?
and questions, comments, or advice are welcome and appreciated