Hi,
it wouldn't be bad if you could make your program universal. Then one could block everything.
I had a look in my log and unfortunately found that on my box, too, the break-in attempts are being carried out from IP 222.216.28.224 via SSH. It looks very unsophisticated, since all ports are tried at random or semi-systematically.
Code:
Sep 27 08:15:12 dropbear[6527]: exit before auth: Disconnect received
Sep 27 08:15:13 dropbear[6528]: Child connection from ::ffff:222.216.28.224:8322
Sep 27 08:15:15 dropbear[6528]: login attempt for nonexistent user from ::ffff:222.216.28.224:8322
Sep 27 08:15:16 dropbear[6528]: exit before auth: Disconnect received
Sep 27 08:15:17 dropbear[6529]: Child connection from ::ffff:222.216.28.224:8911
Sep 27 08:15:19 dropbear[6529]: login attempt for nonexistent user from ::ffff:222.216.28.224:8911
Sep 27 08:15:20 dropbear[6529]: exit before auth: Disconnect received
Sep 27 08:15:21 dropbear[6530]: Child connection from ::ffff:222.216.28.224:9505
Sep 27 08:15:23 dropbear[6530]: login attempt for nonexistent user from ::ffff:222.216.28.224:9505
Sep 27 08:15:24 dropbear[6530]: exit before auth: Disconnect received
Sep 27 08:15:25 dropbear[6531]: Child connection from ::ffff:222.216.28.224:9750
Sep 27 08:15:27 dropbear[6531]: login attempt for nonexistent user from ::ffff:222.216.28.224:9750
Sep 27 08:15:28 dropbear[6531]: exit before auth: Disconnect received
Sep 27 08:15:29 dropbear[6532]: Child connection from ::ffff:222.216.28.224:10340
Sep 27 08:15:31 dropbear[6532]: login attempt for nonexistent user from ::ffff:222.216.28.224:10340
Sep 27 08:15:32 dropbear[6532]: exit before auth: Disconnect received
Sep 27 08:15:33 dropbear[6533]: Child connection from ::ffff:222.216.28.224:10888
Sep 27 08:15:35 dropbear[6533]: login attempt for nonexistent user from ::ffff:222.216.28.224:10888
Sep 27 08:15:36 dropbear[6533]: exit before auth: Disconnect received
Sep 27 08:15:36 dropbear[6534]: Child connection from ::ffff:222.216.28.224:11482
Sep 27 08:15:39 dropbear[6534]: login attempt for nonexistent user from ::ffff:222.216.28.224:11482
Sep 27 08:15:40 dropbear[6534]: exit before auth: Disconnect received
Sep 27 08:15:40 dropbear[6535]: Child connection from ::ffff:222.216.28.224:12050
Sep 27 08:15:43 dropbear[6535]: login attempt for nonexistent user from ::ffff:222.216.28.224:12050
Sep 27 08:15:44 dropbear[6535]: exit before auth: Disconnect received
Sep 27 08:15:44 dropbear[6536]: Child connection from ::ffff:222.216.28.224:12319
I traced the machine(s) back using traceroute. It turned out that the machine is located in China.
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Dokumente und Einstellungen\Norbert>ping 222.216.28.224
Ping wird ausgeführt für 222.216.28.224 mit 32 Bytes Daten:
Antwort von 222.216.28.224: Bytes=32 Zeit=355ms TTL=44
Antwort von 222.216.28.224: Bytes=32 Zeit=372ms TTL=42
Antwort von 222.216.28.224: Bytes=32 Zeit=394ms TTL=42
Antwort von 222.216.28.224: Bytes=32 Zeit=417ms TTL=44
Ping-Statistik für 222.216.28.224:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 355ms, Maximum = 417ms, Mittelwert = 384ms
C:\Dokumente und Einstellungen\Norbert>tracert 222.216.28.224
Routenverfolgung zu 222.216.28.224 über maximal 30 Abschnitte
1 91 ms 100 ms 7 ms fritz.fonwlan.box [192.168.1.251]
2 112 ms 100 ms 101 ms rdsl-dsdf-de01.nw.mediaways.net [213.20.58.193]
3 121 ms 100 ms 203 ms xmwc-dsdf-de01-chan-18.nw.mediaways.net [195.71.
242.114]
4 111 ms 203 ms 102 ms Ge6-1-0-0-grtfraix1.red.telefonica-wholesale.net
.9.16.84.in-addr.arpa [84.16.9.101]
5 115 ms 100 ms 101 ms GE7-0-0-0-grtfraix3.red.telefonica-wholesale.net
[213.140.36.10]
6 118 ms 203 ms 100 ms 202.97.73.13
7 427 ms 408 ms 407 ms 202.97.52.105
8 420 ms 408 ms 409 ms 202.97.52.89
9 423 ms 407 ms 409 ms 202.97.60.205
10 427 ms 409 ms 408 ms 202.97.34.13
11 424 ms 408 ms 408 ms 202.97.40.226
12 415 ms 368 ms 448 ms 218.65.137.6
13 362 ms 407 ms 408 ms 218.65.137.22
14 422 ms 408 ms 409 ms 222.216.5.130
15 427 ms 408 ms 511 ms 222.216.28.224
Ablaufverfolgung beendet.
A query to the NIC returned the following operator for this network:
Code:
Request: 222.216.28.224
connected to whois.arin.net [192.149.252.44:43] ...
connected to whois.apnic.net [202.12.29.13:43] ...
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 222.216.0.0 - 222.218.255.255
netname: CHINANET-GX
descr: CHINANET Guangxi province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: CR766-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GX
mnt-routes: MAINT-CHINANET-GX
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20040324
source: APNIC
role: CHINANET GUANGXI
address: No.35,Minzhu Road,Nanning 530015
country: CN
phone: +86-771-2815987
fax-no: +86-771-2839278
e-mail: hostmaster@gx163.net
trouble: send spam reports to hostmaster@gx163.net
trouble: send abuse reports to hostmaster@gx163.net
trouble: times in GMT+8
admin-c: CR76-AP
tech-c: BD37-AP
nic-hdl: CR766-AP
remarks: http://www.gx.cninfo.net
notify: hostmaster@gx163.net
mnt-by: MAINT-CHINANET-GX
changed: hostmaster@gx163.net 20021024
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
So we are dealing with a yellow invasion. Some break-in attempts also come from Japan. Presumably these machines were hacked by Chinese and are sniffing from there.
So I am also interested in a good solution.
Norbert
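
An added example, not part of the original post and not the program discussed in the thread: a sliding-window detector for the dropbear failure lines quoted above, returning the source addresses whose failed logins reach a threshold and could be handed to a block list. The function names, the threshold, the window, the `year` parameter and the sample addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the dropbear syslog format quoted in the post;
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep 27 08:15:13 dropbear[6528]: Child connection from ::ffff:203.0.113.7:8322
Sep 27 08:15:15 dropbear[6528]: login attempt for nonexistent user from ::ffff:203.0.113.7:8322
Sep 27 08:15:16 dropbear[6528]: exit before auth: Disconnect received
Sep 27 08:15:19 dropbear[6529]: login attempt for nonexistent user from ::ffff:203.0.113.7:8911
Sep 27 08:15:23 dropbear[6530]: login attempt for nonexistent user from ::ffff:203.0.113.7:9505
Sep 27 08:15:27 dropbear[6531]: login attempt for nonexistent user from ::ffff:198.51.100.20:40112
Sep 27 08:15:31 dropbear[6532]: login attempt for nonexistent user from ::ffff:203.0.113.7:10340
Sep 27 08:15:35 dropbear[6533]: login attempt for nonexistent user from ::ffff:203.0.113.7:10888
"""

# Only the failure message that appears in the quoted log is matched.
FAILED = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) dropbear\[\d+\]: "
                    r"login attempt for nonexistent user from (?P<peer>\S+)$")

def source_ip(peer):
    """Strip the source port and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    host = peer.rpartition(":")[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def find_offenders(lines, threshold=5, window=timedelta(seconds=60), year=2000):
    """Return {ip: time the threshold was first reached within the window}.
    syslog lines carry no year, so `year` is an assumed parameter."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = FAILED.match(line.strip())
        ip = source_ip(m["peer"]) if m else None
        if ip is None:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, when)
    return flagged

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the threshold at {when:%b %d %H:%M:%S}")
```

Counting per source address rather than per connection matters here because every attempt in the quoted log arrives from a new source port and a new dropbear child process.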