
Re: SSH attack



On Mon, 2005-10-03 at 14:00 -0700, Jared Hall wrote:
> I took care of it all last night a couple of minutes after I posted. 
> Here's what I did.
> 
> I looked at my logs and found that there was no successful root login.
> The reason netstat was showing another root connection from the
> mentioned IP is that the script kiddie was rapidly connecting to my
> sshd service and trying to crack root, and a whole bunch of
> nonexistent users. This machine only has two accounts on it, root
> and my own.

Well, just to let you know, I have a machine, that since July 27, 2004
of last year (when these SSH brute force attempts just started), I have
gotten over 1 million attempts at root, disregarding the butt-load
millions of other user attempts from a varied and wide range of IP
addresses.

I would guess I average quite a few hits because one of my vhosts on the
machine is a wiki and is known to have problems from time to time.

The only thing ever happening is people downloading a BOT or index
page to get the bot... But then, it always seems to never work.

Network conversations aren't allowed on anything but the ports I allow
for that host. Those ports are always in use... even IF the service is
down. It's a shame people don't really know how or why weak passwords and
no key authentication required is a bad idea.

Lately, I have been requiring key-auth just to get a login prompt, which
then uses a login and password challenge scheme; once that is successful,
the login and the key have to match up as well. IOW, not only do you have
to have the right key, but you have to have the right lock to put it
into, even if it does fit and turn in the wrong lock.
-- 
greg, greg@gregfolkert.net

The technology that is 
Stronger, Better, Faster: Linux

Use Debian GNU/Linux, its a bazaar thing.
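
The log check described in the quoted message (many failed attempts at root and nonexistent users, no successful root login) can be scripted. The following is an added example, not part of either poster's message; the log lines are constructed, the addresses are documentation ranges, and the account name `jared` is assumed.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format; not taken from the thread.
SAMPLE_LOG = """\
Oct  2 22:14:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  2 22:14:03 host sshd[4103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Oct  2 22:14:05 host sshd[4105]: Failed password for illegal user admin from 203.0.113.7 port 40141 ssh2
Oct  2 22:14:07 host sshd[4107]: Failed password for invalid user test from 203.0.113.7 port 40150 ssh2
Oct  2 22:15:40 host sshd[4150]: Failed password for root from 198.51.100.23 port 51200 ssh2
Oct  2 22:20:11 host sshd[4200]: Accepted publickey for jared from 192.0.2.10 port 50022 ssh2
"""

# "illegal user" is the older OpenSSH wording, "invalid user" the newer one.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<unknown>(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def summarize(log_text):
    """Count failed logins per source IP and list every successful login."""
    failed_by_ip = Counter()       # all failed attempts, keyed by source IP
    failed_root_by_ip = Counter()  # failed attempts at the root account only
    unknown_users = set()          # account names that do not exist on the host
    accepted = []                  # (user, ip, method) for each successful login
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["result"] == "Accepted":
            accepted.append((m["user"], m["ip"], m["method"]))
            continue
        failed_by_ip[m["ip"]] += 1
        if m["unknown"]:
            unknown_users.add(m["user"])
        elif m["user"] == "root":
            failed_root_by_ip[m["ip"]] += 1
    return {
        "failed_by_ip": failed_by_ip,
        "failed_root_by_ip": failed_root_by_ip,
        "unknown_users": unknown_users,
        "accepted": accepted,
        # The key question after a brute-force run: did root ever get in?
        "root_logins": [a for a in accepted if a[0] == "root"],
    }
```

An empty `root_logins` list together with a large `failed_root_by_ip` count matches the situation the quoted message describes; any entry in `accepted` from an unfamiliar address deserves a closer look.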
