Rantings of a Lunatic


What does SxSW mean to me?

Last night was the beginning of SxSW, which means that masses of mindless drones are in town for a music festival. As you can probably already guess, I love it when lots of people flock into the place that I live, and act like they are from here in a very short period of time. I don’t mind tourism. In fact, I love tourism. I enjoy watching people who aren’t from here while they are on vacation. However, I hate when everyone comes at once, because all of a sudden the order of life gets flipped, and these people from other places end up exerting their idiocy on everyone else. I know this is a part of life, and I learn to accept it and get around it, but that doesn’t mean I can’t complain about it. One of the major problems of living in Austin on a day-to-day basis is that the infrastructure has not kept up with the population growth. The road system just isn’t expansive enough to deal with the number of cars on the road, and whenever new roads are added, they seem to be toll roads, so they sit unused. My feeling on toll roads is not the point here; my point is that on a good day we already have plenty of idiots who don’t know where they are or where they are going. Now we are going to temporarily add in tons of people who have even less of a clue where they are or where they are going, and randomly include alcohol into the mix. That just sounds like a good idea to me.
Knowing all of this, I should have taken my vacation now, and just left. Sort of like burning the houses and salting the earth when the Viking ships appear on the horizon. I didn’t though, so I am here now, and I am just having to plan around it. In one positive twist of fate, it’s Spring Break, so the number of cars on the road during my morning commute is cut almost in half, so I don’t actually sit in traffic. Because of this, I would completely support a law denying UT students driver’s licenses. And before people complain, I would also willingly support an expansion of public transportation. I am eagerly awaiting consistent service on the metro line. When it comes time to leave, I am, however, into the method of just planning for it to take a long time to make it home. So, I am hanging around downtown for a while to let the congestion subside. Yesterday, I went with Evan to REI and BookPeople after work to kill some time. I ended up getting a hat that I really liked, and was way too expensive, but, oh well. I will wear it, and it sort of makes me look like I would fit in with Castro’s regime.

Viva La Revolución

Before I headed home, we decided not to go out and hang out at the packed bars for St. Patrick’s Day, so on the way I stopped by the grocery store and got some fresh fish and some beer. Being St. Patrick’s Day, I of course got a 6-pack of Guinness. For the fish, it was a 1 lb fillet of steelhead trout. When I got home, I put on some rice, and coated the trout in lemon juice, then sprinkled it liberally with dried rosemary leaves, salt-free lemon pepper and some sea salt. I then broiled it on the top rack for 5 minutes, and moved it down to the 4th rack for another 8 minutes. It was delicious. We had rice and peas on the side, and the Guinness to wash it down. Pardon my dirty coffee table; for some reason we tend to eat dinner there more often than not. I guess that’s because I don’t really have a dining room, only a bar into the kitchen, and that’s got a bunch of stuff on it right now.

Steelhead Trout and Guinness

FreeNAS rocks, USB1.1 sucks, and more

So, I have recently made some changes to my computing environment at home. I will update the farm page soon, but I haven’t finalized all the changes yet. I can say that I upgraded a motherboard, which allowed me to put all of the original parts back in my Dell Dimension E520n and set it up as a FreeNAS NAS device. It had its own set of issues in setting it up, but it’s currently running a Core 2 Duo @ 1.86GHz, with 4GB of RAM and 4.5TB of HD space. I ended up setting it into a RAID-Z ZFS filesystem, using 1 disk for parity, which ends up giving me around 2.6TB of usable space, I believe.
I have started copying most of my online data to the array; however, I had a problem with the ext4 file system that my old Linux workstation used to run off of, where the superblocks had become corrupted. I tried everything over the last 5 days to get it working, and had nothing but problems. One of the biggest problems was using a SATA -> USB bridge on my netbook to try and run fsck against it. At 12Mb/s, USB 1.1 really sucks for any kind of serious data transfer, and when you consider that fsck is going to read the whole 500GB, and then write the whole 500GB, I may have gotten impatient one or two times, and killed it so that I could try to get it to go over the SATA II bus. I finally got it to repair the superblocks by booting from a GParted Live CD with it connected into the SATA II ports last night. And now I am sitting here booted off of an Ubuntu 9.10 Live CD, so that I could mount my NAS over NFS, and salvage what data I could from the drive before I wipe it. I know of about 6 files that grew from 1.5GB to about 17GB in the corruption, and there are another 4 more that I saw had shrunk to 16KB. I am not worried about any of those files, as I can always reconstitute them from backups in one way or another. Unfortunately, when I signed up for U-verse, I just let them use their router, and as I haven’t had to do too much inter-machine transport, I hadn’t ever noticed that it has a 100Mb/s switch built in. I am now really wishing I had a 1Gb/s switch, as I can literally see where that is the weak point in my current setup.

Anyway, it’s transferring over, and I will salvage what I can. Then I will do a low-level clone of the drive in my Hackintosh, which is what I built with all of the upgrades that I had stuffed into the Dell over time, and expand its root drive from 250GB to 500GB. I already have Time Machine backing up to a dataset on the NAS, and it’s sharing through with AFP just fine. I don’t have Zeroconf/Bonjour working correctly yet, I don’t think, but it does work if I use the Go -> Connect to Server path, and I know how to do that, so I am not too worried about it.

China has tried to hack me

So, I got home from work, and booted up my computer. While it booted, I turned back to the mail, to see what was in the coupon section, because I was planning on going grocery shopping tonight. When I finished with the mail, and was about to go take care of some other tasks, I noticed the icon on the menu bar for Little Snitch was blinking like mad. As I had only started up the computer, and it was just sitting at the Finder, this caught me a little off guard, so I clicked the icon to investigate. The response from Little Snitch was that there were two processes of sshd with the IP address 218.107.139.2 running, and constantly transferring data. I am an IT guy, so I have an array of IP addresses memorized; however, that was one I didn’t recognize, so I fired off a quick whois to find out who was trying to ssh into my computer.

Here is the whois on the offender:

$ whois 218.107.139.2

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 218.0.0.0 - 218.255.255.255
CIDR: 218.0.0.0/8
NetName: APNIC4
NetHandle: NET-218-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate: 2000-12-07
Updated: 2009-10-08

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2010-03-01 20:00
# Enter ? for additional hints on searching ARIN’s WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
% [whois.apnic.net node-3]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 218.107.128.0 - 218.107.191.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: SY21-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-CNCGROUP
mnt-lower: MAINT-CNCGROUP-BJ
changed: hm-changed@apnic.net 20050407
source: APNIC

route: 218.104.0.0/14
descr: China Unicom CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060329
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: sun ying
address: fu xing men nei da jie 97, Xicheng District
address: Beijing 100800
country: CN
phone: +86-10-66030657
fax-no: +86-10-66078815
e-mail: hostmast@publicf.bta.net.cn
nic-hdl: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: suny@publicf.bta.net.cn 19980824
changed: hm-changed@apnic.net 20060717
changed: hostmast@publicf.bta.net.cn 20090630
source: APNIC

The second thing I did, as I didn’t recognize a computer in China that I would have been connecting to was to kill the SSH service, (Remote Login in System Preferences -> Sharing). That instantly stopped the transfer of data, but, it didn’t really tell me what had been going on, so I started looking at the logs.

A quick scan through Console.app showed to me that the culprit hadn’t gained access, but was just trying dictionary attacks to find a username that was enabled. As I only installed Snow Leopard last night, I am not yet sure if I can configure sshd in any other way, or hopefully to run only off of keys, as that is generally presented as a more secure way of running it.

For the record, here is the output from /var/log/secure.log:

Mar 2 19:01:57 mr-texs-mac-pro sshd[327]: Invalid user admin from 218.107.139.2
Mar 2 19:01:59 mr-texs-mac-pro sshd[329]: Invalid user admin from 218.107.139.2
Mar 2 19:02:01 mr-texs-mac-pro sshd[331]: Invalid user admin from 218.107.139.2
Mar 2 19:02:03 mr-texs-mac-pro sshd[333]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:05 mr-texs-mac-pro sshd[335]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:07 mr-texs-mac-pro sshd[337]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:09 mr-texs-mac-pro sshd[339]: Invalid user tads from 218.107.139.2
Mar 2 19:02:11 mr-texs-mac-pro sshd[341]: Invalid user tads from 218.107.139.2
Mar 2 19:02:13 mr-texs-mac-pro sshd[343]: Invalid user tads from 218.107.139.2
Mar 2 19:02:15 mr-texs-mac-pro sshd[345]: Invalid user tip from 218.107.139.2
Mar 2 19:02:17 mr-texs-mac-pro sshd[347]: Invalid user tip from 218.107.139.2
Mar 2 19:02:19 mr-texs-mac-pro sshd[349]: Invalid user tip from 218.107.139.2
Mar 2 19:02:21 mr-texs-mac-pro sshd[351]: Invalid user myra from 218.107.139.2
Mar 2 19:02:22 mr-texs-mac-pro sshd[353]: Invalid user myra from 218.107.139.2
Mar 2 19:02:24 mr-texs-mac-pro sshd[355]: Invalid user myra from 218.107.139.2
Mar 2 19:02:26 mr-texs-mac-pro sshd[357]: Invalid user jack from 218.107.139.2
Mar 2 19:02:28 mr-texs-mac-pro sshd[359]: Invalid user jack from 218.107.139.2
Mar 2 19:02:30 mr-texs-mac-pro sshd[361]: Invalid user jack from 218.107.139.2
Mar 2 19:02:32 mr-texs-mac-pro sshd[363]: Invalid user sya from 218.107.139.2
Mar 2 19:02:33 mr-texs-mac-pro sshd[365]: Invalid user sya from 218.107.139.2
Mar 2 19:02:36 mr-texs-mac-pro sshd[367]: Invalid user sya from 218.107.139.2
Mar 2 19:02:38 mr-texs-mac-pro sshd[369]: Invalid user wang from 218.107.139.2
Mar 2 19:02:40 mr-texs-mac-pro sshd[371]: Invalid user wang from 218.107.139.2
Mar 2 19:02:42 mr-texs-mac-pro sshd[373]: Invalid user wang from 218.107.139.2
Mar 2 19:02:43 mr-texs-mac-pro sshd[375]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:45 mr-texs-mac-pro sshd[377]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:47 mr-texs-mac-pro sshd[379]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:49 mr-texs-mac-pro sshd[381]: Invalid user andres from 218.107.139.2
Mar 2 19:02:51 mr-texs-mac-pro sshd[383]: Invalid user andres from 218.107.139.2
Mar 2 19:02:53 mr-texs-mac-pro sshd[385]: Invalid user andres from 218.107.139.2
Mar 2 19:02:55 mr-texs-mac-pro sshd[387]: Invalid user barbara from 218.107.139.2
Mar 2 19:02:57 mr-texs-mac-pro sshd[389]: Invalid user barbara from 218.107.139.2
Mar 2 19:02:58 mr-texs-mac-pro sshd[391]: Invalid user barbara from 218.107.139.2
Mar 2 19:03:00 mr-texs-mac-pro sshd[393]: Invalid user adine from 218.107.139.2
Mar 2 19:03:02 mr-texs-mac-pro sshd[395]: Invalid user adine from 218.107.139.2
Mar 2 19:03:04 mr-texs-mac-pro sshd[397]: Invalid user adine from 218.107.139.2
Mar 2 19:03:06 mr-texs-mac-pro sshd[399]: Invalid user test from 218.107.139.2
Mar 2 19:03:08 mr-texs-mac-pro sshd[401]: Invalid user test from 218.107.139.2
Mar 2 19:03:10 mr-texs-mac-pro sshd[403]: Invalid user test from 218.107.139.2
Mar 2 19:03:12 mr-texs-mac-pro sshd[405]: Invalid user guest from 218.107.139.2
Mar 2 19:03:14 mr-texs-mac-pro sshd[407]: Invalid user guest from 218.107.139.2
Mar 2 19:03:16 mr-texs-mac-pro sshd[409]: Invalid user guest from 218.107.139.2
Mar 2 19:03:18 mr-texs-mac-pro sshd[411]: Invalid user db from 218.107.139.2
Mar 2 19:03:19 mr-texs-mac-pro sshd[413]: Invalid user db from 218.107.139.2
Mar 2 19:03:21 mr-texs-mac-pro sshd[415]: Invalid user db from 218.107.139.2
Mar 2 19:03:23 mr-texs-mac-pro sshd[417]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:25 mr-texs-mac-pro sshd[419]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:26 mr-texs-mac-pro sshd[421]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:28 mr-texs-mac-pro sshd[423]: Invalid user alan from 218.107.139.2
Mar 2 19:03:30 mr-texs-mac-pro sshd[425]: Invalid user albert from 218.107.139.2
Mar 2 19:03:32 mr-texs-mac-pro sshd[427]: Invalid user alberto from 218.107.139.2
Mar 2 19:03:34 mr-texs-mac-pro sshd[429]: Invalid user alex from 218.107.139.2
Mar 2 19:03:36 mr-texs-mac-pro sshd[431]: Invalid user alex from 218.107.139.2
Mar 2 19:03:38 mr-texs-mac-pro sshd[433]: Invalid user alex from 218.107.139.2
Mar 2 19:03:40 mr-texs-mac-pro sshd[435]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:42 mr-texs-mac-pro sshd[437]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:43 mr-texs-mac-pro sshd[439]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:45 mr-texs-mac-pro sshd[441]: Invalid user ali from 218.107.139.2
Mar 2 19:03:47 mr-texs-mac-pro sshd[443]: Invalid user ali from 218.107.139.2
Mar 2 19:03:49 mr-texs-mac-pro sshd[445]: Invalid user ali from 218.107.139.2
Mar 2 19:03:51 mr-texs-mac-pro sshd[447]: Invalid user alice from 218.107.139.2
Mar 2 19:03:53 mr-texs-mac-pro sshd[449]: Invalid user alice from 218.107.139.2
Mar 2 19:03:55 mr-texs-mac-pro sshd[451]: Invalid user alice from 218.107.139.2
Mar 2 19:03:57 mr-texs-mac-pro sshd[453]: Invalid user allan from 218.107.139.2
Mar 2 19:03:59 mr-texs-mac-pro sshd[455]: Invalid user allan from 218.107.139.2
Mar 2 19:04:01 mr-texs-mac-pro sshd[457]: Invalid user allan from 218.107.139.2
Mar 2 19:04:03 mr-texs-mac-pro sshd[459]: Invalid user andi from 218.107.139.2
Mar 2 19:04:05 mr-texs-mac-pro sshd[461]: Invalid user andi from 218.107.139.2
Mar 2 19:04:07 mr-texs-mac-pro sshd[463]: Invalid user andi from 218.107.139.2
Mar 2 19:04:08 mr-texs-mac-pro sshd[465]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:10 mr-texs-mac-pro sshd[467]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:12 mr-texs-mac-pro sshd[469]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:14 mr-texs-mac-pro sshd[471]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:16 mr-texs-mac-pro sshd[473]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:18 mr-texs-mac-pro sshd[475]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:20 mr-texs-mac-pro sshd[477]: Invalid user angie from 218.107.139.2
Mar 2 19:04:21 mr-texs-mac-pro sshd[479]: Invalid user angie from 218.107.139.2
Mar 2 19:04:23 mr-texs-mac-pro sshd[481]: Invalid user angie from 218.107.139.2
Mar 2 19:04:25 mr-texs-mac-pro sshd[483]: Invalid user angela from 218.107.139.2
Mar 2 19:04:27 mr-texs-mac-pro sshd[485]: Invalid user angela from 218.107.139.2
Mar 2 19:04:29 mr-texs-mac-pro sshd[487]: Invalid user angela from 218.107.139.2
Mar 2 19:04:31 mr-texs-mac-pro sshd[489]: Invalid user anita from 218.107.139.2
Mar 2 19:04:32 mr-texs-mac-pro sshd[491]: Invalid user anita from 218.107.139.2
Mar 2 19:04:34 mr-texs-mac-pro sshd[493]: Invalid user anita from 218.107.139.2
Mar 2 19:04:36 mr-texs-mac-pro sshd[495]: Invalid user anna from 218.107.139.2
Mar 2 19:04:38 mr-texs-mac-pro sshd[497]: Invalid user anna from 218.107.139.2
Mar 2 19:04:40 mr-texs-mac-pro sshd[499]: Invalid user anna from 218.107.139.2
Mar 2 19:04:42 mr-texs-mac-pro sshd[501]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:43 mr-texs-mac-pro sshd[503]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:45 mr-texs-mac-pro sshd[505]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:47 mr-texs-mac-pro sshd[507]: Invalid user aron from 218.107.139.2
Mar 2 19:04:49 mr-texs-mac-pro sshd[509]: Invalid user aron from 218.107.139.2
Mar 2 19:04:51 mr-texs-mac-pro sshd[511]: Invalid user aron from 218.107.139.2
Mar 2 19:04:53 mr-texs-mac-pro sshd[513]: Invalid user austin from 218.107.139.2
Mar 2 19:04:54 mr-texs-mac-pro sshd[515]: Invalid user austin from 218.107.139.2
Mar 2 19:04:56 mr-texs-mac-pro sshd[517]: Invalid user austin from 218.107.139.2
Mar 2 19:04:58 mr-texs-mac-pro sshd[522]: Invalid user magic from 218.107.139.2
Mar 2 19:05:00 mr-texs-mac-pro sshd[525]: Invalid user magic from 218.107.139.2
Mar 2 19:05:01 mr-texs-mac-pro sshd[527]: Invalid user magic from 218.107.139.2
Mar 2 19:05:03 mr-texs-mac-pro sshd[529]: Invalid user bart from 218.107.139.2
Mar 2 19:05:05 mr-texs-mac-pro sshd[531]: Invalid user bart from 218.107.139.2
Mar 2 19:05:07 mr-texs-mac-pro sshd[533]: Invalid user bart from 218.107.139.2
Mar 2 19:05:09 mr-texs-mac-pro sshd[535]: Invalid user ben from 218.107.139.2
Mar 2 19:05:11 mr-texs-mac-pro sshd[537]: Invalid user ben from 218.107.139.2
Mar 2 19:05:13 mr-texs-mac-pro sshd[539]: Invalid user ben from 218.107.139.2
Mar 2 19:05:15 mr-texs-mac-pro sshd[542]: Invalid user beny from 218.107.139.2
Mar 2 19:05:17 mr-texs-mac-pro sshd[544]: Invalid user beny from 218.107.139.2
Mar 2 19:05:18 mr-texs-mac-pro sshd[547]: Invalid user beny from 218.107.139.2
Mar 2 19:05:20 mr-texs-mac-pro sshd[549]: Invalid user bert from 218.107.139.2
Mar 2 19:05:22 mr-texs-mac-pro sshd[551]: Invalid user bert from 218.107.139.2
Mar 2 19:05:24 mr-texs-mac-pro sshd[553]: Invalid user bert from 218.107.139.2
Mar 2 19:05:26 mr-texs-mac-pro sshd[555]: Invalid user bill from 218.107.139.2
Mar 2 19:05:28 mr-texs-mac-pro sshd[557]: Invalid user bill from 218.107.139.2
Mar 2 19:05:29 mr-texs-mac-pro sshd[559]: Invalid user bill from 218.107.139.2
Mar 2 19:05:31 mr-texs-mac-pro sshd[561]: Invalid user bind from 218.107.139.2
Mar 2 19:05:33 mr-texs-mac-pro sshd[563]: Invalid user bind from 218.107.139.2
Mar 2 19:05:35 mr-texs-mac-pro sshd[565]: Invalid user bind from 218.107.139.2
Mar 2 19:05:37 mr-texs-mac-pro sshd[567]: Invalid user bob from 218.107.139.2
Mar 2 19:05:39 mr-texs-mac-pro sshd[569]: Invalid user bob from 218.107.139.2
Mar 2 19:05:40 mr-texs-mac-pro sshd[571]: Invalid user bob from 218.107.139.2
Mar 2 19:05:42 mr-texs-mac-pro sshd[573]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:44 mr-texs-mac-pro sshd[581]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:46 mr-texs-mac-pro sshd[583]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:48 mr-texs-mac-pro sshd[585]: Invalid user bret from 218.107.139.2
Mar 2 19:05:50 mr-texs-mac-pro sshd[587]: Invalid user bret from 218.107.139.2
Mar 2 19:05:52 mr-texs-mac-pro sshd[589]: Invalid user bret from 218.107.139.2
Mar 2 19:05:53 mr-texs-mac-pro sshd[591]: Invalid user brian from 218.107.139.2
Mar 2 19:05:55 mr-texs-mac-pro sshd[594]: Invalid user brian from 218.107.139.2
Mar 2 19:05:57 mr-texs-mac-pro sshd[596]: Invalid user brian from 218.107.139.2
Mar 2 19:05:59 mr-texs-mac-pro sshd[598]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:01 mr-texs-mac-pro sshd[600]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:03 mr-texs-mac-pro sshd[602]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:04 mr-texs-mac-pro sshd[604]: Invalid user carl from 218.107.139.2
Mar 2 19:06:06 mr-texs-mac-pro sshd[606]: Invalid user carl from 218.107.139.2
Mar 2 19:06:08 mr-texs-mac-pro sshd[608]: Invalid user carl from 218.107.139.2
Mar 2 19:06:10 mr-texs-mac-pro sshd[610]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:12 mr-texs-mac-pro sshd[613]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:13 mr-texs-mac-pro sshd[615]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:15 mr-texs-mac-pro sshd[617]: Invalid user clark from 218.107.139.2
Mar 2 19:06:17 mr-texs-mac-pro sshd[620]: Invalid user clark from 218.107.139.2
Mar 2 19:06:19 mr-texs-mac-pro sshd[622]: Invalid user clark from 218.107.139.2
Mar 2 19:06:21 mr-texs-mac-pro sshd[624]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:22 mr-texs-mac-pro sshd[626]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:24 mr-texs-mac-pro sshd[628]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:26 mr-texs-mac-pro sshd[630]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:29 mr-texs-mac-pro sshd[632]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:31 mr-texs-mac-pro sshd[634]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:32 mr-texs-mac-pro sshd[636]: Invalid user craig from 218.107.139.2
Mar 2 19:06:34 mr-texs-mac-pro sshd[642]: Invalid user craig from 218.107.139.2
Mar 2 19:06:36 mr-texs-mac-pro sshd[644]: Invalid user craig from 218.107.139.2
Mar 2 19:06:38 mr-texs-mac-pro sshd[647]: Invalid user daniel from 218.107.139.2
Mar 2 19:06:40 mr-texs-mac-pro sshd[661]: Invalid user daniel from 218.107.139.2
Mar 2 19:06:42 mr-texs-mac-pro sshd[664]: Invalid user daniel from 218.107.139.2

I haven’t looked into who these people are, or if they are just a bot, or what, but it is interesting to see this happen. If you run a Mac, I recommend Little Snitch; it’s $30, and well worth it. If you are less geeky than me, you may find it a little irritating initially, but once you have it set up, it will be unobtrusive, but will really help you to know what’s going on with your computer. Thinking about it, I wonder how often this happened on my Linux box, which preceded the Mac, and I just didn’t realize it. I am curious if the Linux box had been blocking SSH attempts after a set number when this sort of thing had happened, or if it hadn’t happened. Which makes me also wonder why the Mac didn’t at least ignore ssh attempts from that IP after 5 separate failed attempts. With the only real configuration being on/off, and a user access list for SSH, I would like to think that Apple would do some more intelligent intrusion prevention under the hood, but maybe that’s just wishful thinking. Maybe the "simpler is easier" school of thought transcends the interface and persists in the underlying code as well.
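The "ignore the IP after 5 failed attempts" logic the paragraph above wishes for is easy to express over exactly the kind of log lines quoted earlier. The block below is an added example, not the blog author's code and not anything Apple ships: it parses secure.log-style sshd lines, keeps a per-source sliding window of failures, and reports which sources crossed the threshold and when. The sample input reuses the first six lines from the post's log and adds three constructed lines (a key login and two failures from a made-up LAN address, 10.0.1.7, user "mrtex") so the threshold has something not to trip on.

```python
# Added example (not the blog author's code): detect SSH password guessing in
# secure.log-style lines by counting failures per source IP inside a sliding
# time window, which is roughly what fail2ban/DenyHosts do on Linux.

import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two lines OpenSSH writes for failed logins:
#   "Invalid user NAME from IP"                                  (account does not exist)
#   "Failed password for [invalid user ]NAME from IP port N ssh2" (wrong password)
# The syslog timestamp carries no year; strptime fills in 1900, which is fine
# for measuring gaps between events within one log file.
EVENT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?:Invalid user (?P<u1>\S+) from (?P<ip1>\d{1,3}(?:\.\d{1,3}){3})'
    r'|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\d{1,3}(?:\.\d{1,3}){3}))'
)


def parse_event(line):
    """Return (timestamp, username, source_ip) for a failed-login line, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
    user = m.group('u1') or m.group('u2')
    ip = m.group('ip1') or m.group('ip2')
    return ts, user, ip


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Return {ip: {...}} for every source that produced `threshold` or more
    failures within any `window_seconds` span (lines assumed in log order).
    `tripped_at` is the timestamp of the failure that crossed the line, i.e.
    the moment a block should have fired."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    totals = defaultdict(int)     # ip -> failures seen in total
    users = defaultdict(list)     # ip -> usernames tried, first-seen order
    tripped = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, user, ip = ev
        totals[ip] += 1
        if user not in users[ip]:
            users[ip].append(user)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return {
        ip: {'total': totals[ip], 'tripped_at': tripped[ip], 'users': users[ip]}
        for ip in tripped
    }


# Constructed sample: six lines quoted from the post's secure.log, plus a key
# login and two password failures from a made-up LAN host (10.0.1.7, "mrtex").
SAMPLE_LOG = """\
Mar 2 19:01:50 mr-texs-mac-pro sshd[320]: Accepted publickey for mrtex from 10.0.1.7 port 50122 ssh2
Mar 2 19:01:57 mr-texs-mac-pro sshd[327]: Invalid user admin from 218.107.139.2
Mar 2 19:01:59 mr-texs-mac-pro sshd[329]: Invalid user admin from 218.107.139.2
Mar 2 19:02:01 mr-texs-mac-pro sshd[331]: Invalid user admin from 218.107.139.2
Mar 2 19:02:03 mr-texs-mac-pro sshd[333]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:05 mr-texs-mac-pro sshd[335]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:07 mr-texs-mac-pro sshd[337]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:30 mr-texs-mac-pro sshd[340]: Failed password for mrtex from 10.0.1.7 port 50130 ssh2
Mar 2 19:02:33 mr-texs-mac-pro sshd[342]: Failed password for mrtex from 10.0.1.7 port 50131 ssh2
""".splitlines()


def report(lines=SAMPLE_LOG, threshold=5, window_seconds=60):
    """Print one line per offending source and return the findings."""
    hits = find_bruteforcers(lines, threshold, window_seconds)
    for ip, info in sorted(hits.items()):
        print(f"{ip}: {info['total']} failures, threshold crossed at "
              f"{info['tripped_at']:%b %d %H:%M:%S}, users tried: {', '.join(info['users'])}")
    return hits


if __name__ == '__main__':
    report()
```

Run against the sample, 218.107.139.2 trips the 5-in-60-seconds rule on its fifth attempt at 19:02:05, while the two typos from the LAN host stay under it. Note that the post's log shows only "Invalid user" lines, which sshd emits for account names that do not exist; guesses against a real account show up as "Failed password for NAME" instead, which is why the pattern matches both. The returned dictionary is the input for whatever blocking mechanism you use.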

Either way, SSH is off for now, and will remain that way until I can find a better way of managing it. One of the things that I really liked with my old Linux box was that I had ssh on, but VNC was disabled; even though I always ran it through an ssh tunnel, I would run a script on connecting that enabled the VNC daemon, and then my connection would work, and before killing the tunnel, I would run the script again, which would kill the daemon. I wonder if I could set some sort of logic in motion where something like that could be done with SSH. Like I text message my toaster, and have it send an X11 packet through the electrical system to alert my computer to enable the ssh service. Obviously this is just theory; my toaster isn’t on a 3G network right now, because I really have no need for an extra bill for it, but maybe if that is a more secure way of doing things…
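The "better way of managing it" that the post hopes for, keys only, is a matter of three sshd_config options rather than anything in the Sharing preference pane. The block below is an added example, not the blog author's code and not Apple's: it reads an sshd_config and reports the options whose effective value (explicit, or the OpenSSH default when the line is missing or commented out) still lets a guesser try passwords. The two sample configs are constructed; the "weak" one mimics a stock file in which every relevant line is a comment. The path of the file on 10.6 and the absence of Match blocks are assumptions.

```python
# Added example (not the blog author's code, not Apple's): audit an sshd_config
# for the options that decide whether password guessing is possible at all.

import re

# What a key-only server needs. ChallengeResponseAuthentication must also be
# "no": with it on, keyboard-interactive (PAM) still accepts passwords even
# when PasswordAuthentication is off.
WANTED = {
    'pubkeyauthentication': 'yes',
    'passwordauthentication': 'no',
    'challengeresponseauthentication': 'no',
    'permitrootlogin': 'no',
}

# OpenSSH defaults of the era when the keyword is absent. A commented-out line
# in the shipped file only documents the default; it sets nothing. (Newer
# OpenSSH defaults PermitRootLogin to prohibit-password, which is also fine.)
DEFAULTS = {
    'pubkeyauthentication': 'yes',
    'passwordauthentication': 'yes',
    'challengeresponseauthentication': 'yes',
    'permitrootlogin': 'yes',
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored. Assumption: no Match blocks are expected; parsing stops at the
    first one because keywords below it apply only to the matched users/hosts."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = re.split(r'\s*=\s*|\s+', line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == 'match':
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(option, effective_value, wanted_value)] for every option whose
    effective value still lets a brute-forcer try passwords. Empty list = keys only."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


# Constructed sample: looks like a freshly installed file, every relevant line
# commented out, so the compiled-in defaults are what actually run.
WEAK_CONFIG = """\
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample: the same file with the four lines set for key-only logins.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes
"""


def main(path=None):
    """Audit a file if given (assumed /etc/sshd_config on 10.6), else the samples."""
    if path:
        with open(path) as f:
            samples = [(path, f.read())]
    else:
        samples = [('weak sample', WEAK_CONFIG), ('hardened sample', HARDENED_CONFIG)]
    for name, cfg in samples:
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'keys only, OK' if not findings else 'password guessing possible'}")
        for key, have, want in findings:
            print(f"  {key}: effective {have!r}, want {want!r}")


if __name__ == '__main__':
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Against the weak sample the audit flags PasswordAuthentication, ChallengeResponseAuthentication and PermitRootLogin, all of them defaulting to "yes" because their lines are comments; the hardened sample comes back clean. Before turning password logins off on a real box, put your public key in ~/.ssh/authorized_keys and confirm a key login works from a second terminal, or the next dictionary attack will be the least of your problems.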

Back to my Chinese friend, I found this online (http://www.tatsukichi.gr.jp/):

The Criminal 218.107.139.2 in the Criminal Beijing Province China Unicom network (min Co. Ltd., Beijing, China联合Course Center Hack communication) in the Criminal China Unicom (联通China) (CN) (2010.2.10)
Malicious and huge ssh brute force attack (6 login attempts) focusing on the root password only.
This is the 8th attack by the Criminal 218.107.139.2 since Feb 8 2010, Feb 7 2010 (twice), Feb 3 2010, Dec 25 2009, 11 Dec 2009 and Dec 7 2009.
Add 218.104.0.0/14 and 218.108.0.0/15 to the permanent block list.

My Japanese is sort of rusty, so the translation of that page doesn’t make much sense to me, but, it appears that is a SORBS (Spam and Open Relay Blocking System) list. And it looks like in the last 3 months, there have been multiple attacks originating from that ip address, and apparently the Chinese telecommunications company has no desire to do anything about it, so they recommend permanently blocking all traffic coming from that ISP. I think that the scorched earth policy is pretty rough, but, in all honesty, I don’t really see a reason not to.

While it has fallen off the list, it was at http://sysdeny.net/bf.txt on Feb 15, 2010 08:31:38 GMT according to Google’s Cache.

http://www.sidata.com.tr/cmn/pubservices/offensive_details.html?id=574625 is another page that details how they are brute force attacking ssh servers.

That’s enough dealing with it for tonight, but tomorrow is another day.
