[K12OSN] OT: Break-In report

Rob Asher rasher at paragould.k12.ar.us
Wed Jan 2 19:47:25 UTC 2008


I thought so too but setting NETWORKING_IPV6=no in /etc/sysconfig/network to disable IPv6 still returned the IP with the hex at the beginning.  Maybe there's another setting I missed to force IPv4 addresses only on CentOS 4.x?  I didn't spend much time trying to figure out why though since the CentOS 4.x machines were the only ones I had problems with.  Removing the hex from the beginning of the IP was the quickest/easiest way for me to just "make it work".  Prior to that, everything was done in /etc/hosts.allow instead of broken out to the sshd-notify script and worked fine.   

# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

### Pull Allowed SSH IP's from this file
sshd : /etc/sshd.hosts : allow
###

### Deny anyone logged in the ssh.denial.log file
# ALL : /var/log/ssh.denial.log : twist /bin/echo "%h has been banned from this server!"
ALL : /var/log/ssh.denial.log : DENY
###

### Notify and add to ban list
sshd : ALL : spawn ( \
/bin/echo -e "\n \
TCP Wrappers\: Connection Refused\n \
On Server\: $(uname -n)\n \
Process\: %d (pid %p)\n \
User\: %u\n \
Host\: %c\n \
IP\: %a\n \
Date\: $(date)\n \
" | /bin/mail -s "$(uname -n) Security Report %u@%h." you at whereever.com; \
/bin/echo %a >> /var/log/ssh.denial.log) & : DENY
###

###
ALL : ALL : allow
######################


Regards,
Rob



-------------------------------------
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169


>>> Nils Breunese <nils at breun.nl> 1/2/2008 12:17 PM >>>
Rob Asher wrote:

> There are a couple of things specific for RHEL/CentOS 4.x in the
> script.  For some reason the IP always begins with "::ffff:" hence
> removing it with sed.

By doing that you're converting an IPv6 address to an IPv4 address.

From <http://en.wikipedia.org/wiki/IPv6>: "A sequence of 4 bytes at the end of an IPv6 address can also be written in decimal, using dots as separators. This notation is often used with compatibility addresses (see below). This addressing scheme is convenient when dealing with the mixed environment of IPv4 and IPv6 addresses. The general notation is of the form x:x:x:x:x:x:d.d.d.d where x's are the 6 higher order hexadecimal digits whereas d's correspond to the decimal digits of lower order 8 bit pieces of address, as it is the IPv4 format. For example, ::ffff:12.34.56.78 is the same address as ::ffff:0c22:384e and 0:0:0:0:0:ffff:0c22:384e. Usage of this notation is deprecated and unsupported by numerous applications.

Additional information can be found in RFC 4291 - IP Version 6 Addressing Architecture."

Nils Breunese.
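
The two posts above are about the same practical problem: on CentOS 4.x tcp_wrappers hands the client address to the spawn command as an IPv4-mapped IPv6 literal ("::ffff:12.34.56.78"), and if that string is appended verbatim to the deny file it will not line up with entries written in plain dotted form. The script below is an added example, not Rob's sshd-notify script or anything from the tcp_wrappers project. It assumes two hypothetical helper names, normalize_addr and add_to_denylist, and a deny-list path passed in as an argument (the hosts.allow above uses /var/log/ssh.denial.log). It goes slightly beyond the sed one-liner in that it also accepts the hex form of a mapped address (::ffff:0c22:384e, or the fully expanded 0:0:0:0:0:ffff:0c22:384e) and converts it to dotted decimal, while leaving genuine IPv6 and plain IPv4 addresses untouched, and it refuses to append an address that is already listed.

```shell
#!/bin/sh
# Added example helper for the "notify and add to ban list" step.
# Not the original poster's script; names and behaviour are assumptions.
#
# normalize_addr ADDR
#   ::ffff:12.34.56.78        -> 12.34.56.78   (IPv4-mapped, dotted form)
#   ::ffff:0c22:384e          -> 12.34.56.78   (IPv4-mapped, hex form)
#   0:0:0:0:0:ffff:0c22:384e  -> 12.34.56.78   (IPv4-mapped, expanded form)
#   12.34.56.78               -> 12.34.56.78   (plain IPv4, unchanged)
#   2001:db8::1               -> 2001:db8::1   (real IPv6, unchanged)
normalize_addr() {
    # lower-case hex digits so the patterns below only need one spelling
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # fold the fully expanded mapped prefix into the compressed one
    case "$addr" in
        0:0:0:0:0:ffff:*) addr="::ffff:${addr#0:0:0:0:0:ffff:}" ;;
    esac
    case "$addr" in
        ::ffff:*.*.*.*)
            # dotted form: just drop the prefix
            printf '%s\n' "${addr#::ffff:}"
            ;;
        ::ffff:*:*)
            # hex form: two 16-bit groups become four decimal octets
            hex=${addr#::ffff:}
            hi=$((0x${hex%%:*}))
            lo=$((0x${hex#*:}))
            printf '%d.%d.%d.%d\n' \
                $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
            ;;
        *)
            # anything else (plain IPv4 or real IPv6) is passed through
            printf '%s\n' "$addr"
            ;;
    esac
}

# add_to_denylist ADDR FILE
#   Appends the normalized address to FILE unless it is already listed,
#   so repeated attempts from one host do not grow the file without bound.
#   Prints the normalized address. Returns 0 if added, 1 if already present.
add_to_denylist() {
    norm=$(normalize_addr "$1")
    file=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$norm" "$file"; then
        printf '%s\n' "$norm"
        return 1
    fi
    printf '%s\n' "$norm" >> "$file"
    printf '%s\n' "$norm"
    return 0
}

# Demonstration on constructed input: a temporary deny list, not /var/log.
demo_file=$(mktemp)
if add_to_denylist '::ffff:192.0.2.10' "$demo_file" >/dev/null; then
    echo "added 192.0.2.10 (constructed sample) to $demo_file"
fi
if ! add_to_denylist '192.0.2.10' "$demo_file" >/dev/null; then
    echo "192.0.2.10 already listed, not added twice"
fi
rm -f "$demo_file"
```

In the hosts.allow above, the line that currently reads /bin/echo %a >> /var/log/ssh.denial.log would instead call this helper with %a and the file path, so that every entry in the deny file ends up in one consistent form regardless of which form the wrapper presented.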

_______________________________________________
K12OSN mailing list
K12OSN at redhat.com 
https://www.redhat.com/mailman/listinfo/k12osn 
For more info see <http://www.k12os.org>
