On Mon, 2005-10-03 at 14:00 -0700, Jared Hall wrote:
> I took care of it all last night a couple of minutes after I posted.
> Here's what I did.
>
> I looked at my logs and found that there was no successful root login.
> The reason netstat was showing another root connection from the
> mentioned IP is that the script kiddie was rapidly connecting to my
> sshd service and trying to crack root, and a whole bunch of
> nonexistent users. This machine only has two accounts on it, root,
> and my own.

Well, just to let you know, I have a machine that, since July 27, 2004 of last year (when these SSH brute force attempts just started), has gotten over 1 million attempts at root, disregarding the butt-load millions of other user attempts from a varied and wide range of IP addresses.

I would guess I average quite a few hits because one of my vhosts on the machine is a wiki and is known to have problems from time to time. The only thing ever happening is people downloading a BOT or index page to get the bot... But then, it always seems to never work. Network conversations aren't allowed on anything but the ports I allow for that host. Those ports are always in use... even IF the service is down.

It's a shame people don't really know how or why weak passwords and no key authentication required is a bad idea.

Lately, I have been requiring key-auth just to get a login prompt, which then uses a login and password challenge scheme; once that is successful, the login and the key have to match up as well. IOW, not only do you have to have the right key, but you have to have the right lock to put it into, even if it does fit and turn in the wrong lock.

--
greg, firstname.lastname@example.org

The technology that is Stronger, Better, Faster: Linux
Use Debian GNU/Linux, it's a bazaar thing.
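The log check described in the quoted message (no successful root login, repeated failures against root and nonexistent users from one address), written out as an added example that is not part of either poster's message. The log lines are constructed samples in the common OpenSSH syslog format, and `triage` with its `threshold` parameter are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines (not from the post); addresses are documentation ranges.
SAMPLE_LOG = """\
Oct  2 23:10:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct  2 23:10:03 host sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Oct  2 23:10:05 host sshd[4105]: Failed password for illegal user test from 203.0.113.7 port 40131 ssh2
Oct  2 23:10:07 host sshd[4107]: Failed password for root from 203.0.113.7 port 40140 ssh2
Oct  2 23:15:42 host sshd[4150]: Accepted publickey for alice from 198.51.100.20 port 51515 ssh2
Oct  2 23:20:11 host sshd[4162]: Failed password for root from 192.0.2.99 port 33001 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<unknown>(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def triage(log_text, threshold=3):
    """Summarise sshd auth events: root successes, failures per source, noisy sources."""
    failed_by_ip = Counter()
    root_failures = Counter()
    unknown_users = set()
    root_logins = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Accepted":
            if user == "root":          # the one event that means compromise
                root_logins.append((ip, m["method"]))
            continue
        failed_by_ip[ip] += 1
        if m["unknown"]:                # account does not exist on this host
            unknown_users.add(user)
        elif user == "root":
            root_failures[ip] += 1
    return {
        "root_logins": root_logins,
        "failed_by_ip": dict(failed_by_ip),
        "root_failures": dict(root_failures),
        "unknown_users": sorted(unknown_users),
        "noisy_sources": sorted(ip for ip, n in failed_by_ip.items() if n >= threshold),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty `root_logins` list alongside a populated `noisy_sources` list matches the situation the quoted message describes: many attempts, none successful.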