+++
date = 2017-12-13T16:00:00+08:00
draft = false
tags = ["iptable"]
title = "Stupid Script Kid"
summary = """
You stupid script kids are too young, too simple, sometimes naive!
"""
+++

## Who is the stupid script kid?

Hello `42.7.26.49`. Why do you keep scanning my SSH port with weak passwords?
Well, I have a root password of length 16 containing letters, digits and punctuation, so I just let you try.
If you are lucky enough, I can ask you to help me choose a lottery number!
But you are too young, too simple and sometimes naive!

I was surprised you kept scanning for 12 hours. It's totally harmless, but it is spamming my system journal.
Now I can't stand you anymore.

## How to stop the scanning?

`iptables -A INPUT -s 42.7.26.49 -j DROP`.

## Words to the young script kid

{{% alert note %}}
Since the kid is from Liaoning, I'll provide a Chinese version for him.
{{% /alert %}}

I feel that you script kids still need to learn a lot. You know brute-force attacking well, but you're still too young. Do you understand? I am experienced and have seen a lot! [Fpcsong](https://github.com/fpcsong) from the School of Cyber Engineering is much higher than you and you can't even see him! I make easy conversation with him. So you kids still need to improve your knowledge level, understand or not?

I feel that you script kids still have some learning to do. You are very familiar with this whole brute-force style of attack, but after all you are still too young, you get what I mean. I have been through a hundred battles and have seen plenty! [fpcsong](https://github.com/fpcsong) from the School of Cyber Engineering is who knows how far above you, and I chat and laugh with him. So you still need to raise your knowledge level, do you understand or not?

You kids have one advantage: your speed is the fastest among all western crackers. But your attack approaches are all too simple, sometimes naive! I'm sorry. I am talking to you as an ACMer. I am not a cracker but I've seen enough! Hacking must obey the Basic Law like other activities. You guys are naive! I can tell you I am angry. What you are doing is useless.

You have one good thing going: wherever in the world you run to, you run faster than those Western attackers. But the methods you use over and over are all too simple, sometimes naive! I'm sorry, today I am speaking to you as an ACMer. I don't work in network security, but I have seen too much. Doing things on the internet still has to follow the Basic Law! You lot, naive! I am angry. Let me tell you, carrying on like this will not do.

## Use Fail2Ban to stop the kids automatically

Fail2Ban parses `/var/log/auth.log` to find the IPs that keep trying to log in via SSH and uses `iptables` to ban them automatically.

Install and start it with `sudo apt install fail2ban`, `systemctl enable fail2ban` and `systemctl start fail2ban`. The default configuration already bans brute-force attacks on SSH.

If you still think the kids are too noisy, modify `/etc/fail2ban/jail.conf` and set `bantime = 233333` to ban them for a longer time. (Overrides placed in `/etc/fail2ban/jail.local` survive package upgrades, which can overwrite `jail.conf`.) But I suggest you set up `.ssh/authorized_keys` first so you won't ban yourself.
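
A simplified sketch of the log matching described above, added here as an illustration and not Fail2Ban's own code or the author's: it scans sshd lines for failed passwords, counts them per IP inside a time window, and renders the same `iptables` rule the post adds by hand. The log lines are constructed, `find_offenders` and `ban_commands` are names made up for this example, and the `maxretry`/`findtime` values are this example's assumptions (only the option names are borrowed from Fail2Ban).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH auth.log shape (not real traffic).
SAMPLE_LOG = """\
Dec 13 03:10:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 13 03:10:04 host sshd[811]: Failed password for root from 203.0.113.7 port 40124 ssh2
Dec 13 03:10:09 host sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Dec 13 03:12:30 host sshd[820]: Failed password for alice from 198.51.100.23 port 51522 ssh2
Dec 13 03:12:41 host sshd[820]: Accepted publickey for alice from 198.51.100.23 port 51522 ssh2
Dec 13 03:40:00 host sshd[901]: Failed password for bob from 192.0.2.55 port 33000 ssh2
Dec 13 04:30:00 host sshd[950]: Failed password for bob from 192.0.2.55 port 33010 ssh2
Dec 13 05:20:00 host sshd[990]: Failed password for bob from 192.0.2.55 port 33020 ssh2
"""

# Anchored at both ends so a user name containing " from <ip>" cannot steer the match.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+(?: ssh2)?$")

def find_offenders(log_text, maxretry=3, findtime=600, year=2017):
    """Return {ip: time of the failure that crossed the threshold}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in banned:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(when)
        while when - hits[0] > window:   # forget failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[m["ip"]] = when
    return banned

def ban_commands(banned):
    """Render the same kind of rule the post adds by hand."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(banned)]

if __name__ == "__main__":
    for cmd in ban_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

Only the burst from `203.0.113.7` crosses the threshold; one mistyped password followed by a key login, or a few typos spread over hours, does not.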