Ubuntu Server attack? how to solve?
- by saky
Hello,
Something (Someone) is sending out UDP packets sent from our whole ip range. This seems to be multicast DNS.
Our server host provided this (Our IP Address is masked with XX):
Jun 3 11:02:13 webserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT=
MAC=01:00:5e:00:00:fb:00:30:48:94:46:c4:08:00 SRC=193.23X.21X.XX
DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=53
Jun 3 11:02:23 webserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT=
MAC=01:00:5e:00:00:fb:00:30:48:94:46:c4:08:00 SRC=193.23X.21X.XX
DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=53
Jun 3 11:02:32 webserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT=
MAC=01:00:5e:00:00:fb:00:30:48:94:46:c4:08:00 SRC=193.23X.21X.XX
DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=53
Jun 3 11:02:35 webserver kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT=
MAC=01:00:5e:00:00:fb:00:30:48:94:46:c4:08:00 SRC=193.23X.21X.XX
DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353
DPT=5353 LEN=53
I checked my /var/log/auth.log file and found out that someone from China (Using ip-locator) was trying to get in to the server using ssh.
...
Jun 3 11:32:00 server2 sshd[28511]: Failed password for root from 202.100.108.25 port 39047 ssh2
Jun 3 11:32:08 server2 sshd[28514]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.100.108.25 user=root
Jun 3 11:32:09 server2 sshd[28514]: Failed password for root from 202.100.108.25 port 39756 ssh2
Jun 3 11:32:16 server2 sshd[28516]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.100.108.25 user=root
...
I have blocked that IP address using this command: sudo iptables -A INPUT -s 202.100.108.25 -j DROP
However, I have no clue about the UDP multicasting, what is doing this? who is doing it? and how I can stop it?
Anyone know?