[gull] Attaque SSH

Mon Dec 11 08:59:00 CET 2006

Bonjour,

En contrôlant une machine ce matin, j'ai constaté que je subissais une attaque 
en force brute sur ssh, soit:
netstat -ant
...
tcp        0      0 192.168.0.10:22         195.144.11.123:36608    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36801    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36417    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36806    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36935    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36423    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36292    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36740    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36164    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36549    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36997    TIME_WAIT
tcp        0      0 192.168.0.10:22         195.144.11.123:36613    TIME_WAIT
...
Et dans /var/log/auth.log
...
Dec 11 08:31:30 localhost sshd[16745]: Illegal user deodato from 
195.144.11.123
Dec 11 08:31:30 localhost sshd[16747]: Illegal user deon from 195.144.11.123
Dec 11 08:31:31 localhost sshd[16749]: Illegal user deonate from 
195.144.11.123
Dec 11 08:31:31 localhost sshd[16751]: Illegal user deondrae from 
195.144.11.123
Dec 11 08:31:31 localhost sshd[16753]: Illegal user deonta from 195.144.11.123
Dec 11 08:31:32 localhost sshd[16755]: Illegal user deontae from 
195.144.11.123
Dec 11 08:31:32 localhost sshd[16757]: Illegal user deonte from 195.144.11.123
Dec 11 08:31:33 localhost sshd[16759]: Illegal user deor from 195.144.11.123
Dec 11 08:31:33 localhost sshd[16761]: Illegal user deorwine from 
195.144.11.123
Dec 11 08:31:33 localhost sshd[16763]: Illegal user depeche from 
195.144.11.123
Dec 11 08:31:34 localhost sshd[16765]: Illegal user depping from 
195.144.11.123
Dec 11 08:31:34 localhost sshd[16767]: Illegal user depravity from 
195.144.11.123
Dec 11 08:31:35 localhost sshd[16769]: Illegal user depres from 195.144.11.123
Dec 11 08:31:35 localhost sshd[16771]: Illegal user dept from 195.144.11.123
Dec 11 08:31:35 localhost sshd[16773]: Illegal user deptestosterone from 
195.144.11.123
Dec 11 08:31:36 localhost sshd[16775]: Illegal user dequan from 195.144.11.123
...

Le temps de le firewaller et appliquer quelques scripts pour le futur, 
l'affaire fut réglée. 
Sur le plan légal, puis-je le dénoncer à son provider ? Est-ce complétement 
inutile, est-ce seulement un pc zombie ?

Blaise Vogel