Re: SFTP question

On Thu, 25 Dec 2014 19:47:28 +0200
Danny <mynixmail@gmail.com> wrote:

> I think what is the most disturbing is the fact that it eventually
> happened to me ... :( ... never thought it would ... 
> And truth be told I am guilty of riding the horse bareback with guns
> blazing whenever I set up a server ... not paying much attention to
> security. But alas ... I have learned my lesson ... This incident
> scared the crap out of me ... lol ... :) ...
> > Not surprising.  If you haven't been paying attention to your logs
> > (you should ALWAYS monitor them if you are connected to the
> > internet!), you haven't seen what has probably been going on for a
> > long time.
> Agreed
> > I've seen attacks start within hours of putting a new system on the
> > internet.  I see multiple attacks on my servers every day.
> Makes me wonder how these guys get hold of IPs so quickly ...
> > Attacks seem to have increased in the last few days.
> Which begs the question ... do these guys just shoot from the
> hip? ... or do they have a mandate or something?

I have my Net router send logs of failed connections to a syslog server
(the router has very limited logging space) and I keep an eye on the
previous day's entries. It's just for curiosity: if my router has
stopped it, I'm not bothered about it.

I probably get two or three ssh attempts per hour, and remarkably, even
more telnet attempts. Who still runs telnet servers open to the Net?

There's probably twenty to thirty connection attempts per hour. I'm
afraid I use the 'no added security by obscurity' method of running ssh
on a high port. It may not add security, but it certainly keeps the
logs clean, and so far I've not seen a single connection attempt in
fifteen years.

I may get more connection attempts than most: I've had a fixed IP
address for more than fifteen years, and run a mail server for more
than ten, and the email address on this post is genuine and has been in
use all that time. (About three spams a day get to my email client; I
have a very aggressive mail server which refuses between a hundred and
a thousand bogus emails a day.)

But I also monitor a client's router, using the same ISP, with
neither the fixed IP address nor any A record pointing to it ever
having been published anywhere, and it gets about half as many
connection attempts as mine. We have to conclude that there are a lot
of random attempts.
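A small script in the spirit of the "previous day's entries" check described above: it parses router DROP lines forwarded to syslog and tallies attempts per hour by destination service, so the ssh-versus-telnet rate is visible at a glance. This is an added example, not code from the thread; the iptables-style log format is an assumption and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of iptables-style DROP lines as a router might forward
# to syslog (assumed format; not real traffic from anyone's router).
SAMPLE_LOG = """\
Dec 25 14:03:11 router kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22
Dec 25 14:17:42 router kernel: DROP IN=ppp0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=23
Dec 25 14:22:05 router kernel: DROP IN=ppp0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=33301 DPT=23
Dec 25 14:48:19 router kernel: DROP IN=ppp0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=33302 DPT=23
Dec 25 14:51:00 router kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51299 DPT=22
Dec 25 14:55:37 router kernel: DROP IN=ppp0 SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP SPT=61000 DPT=445
Dec 25 15:02:48 router kernel: DROP IN=ppp0 SRC=198.51.100.12 DST=203.0.113.5 PROTO=TCP SPT=44444 DPT=22
Dec 25 15:09:13 router kernel: ACCEPT IN=ppp0 SRC=192.0.2.8 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=25
Dec 25 15:30:01 router kernel: DROP IN=ppp0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=5060 DPT=5060
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

SERVICE_BY_PORT = {22: "ssh", 23: "telnet"}  # the two services the thread discusses

def parse_drops(text):
    """Yield (hour, service, src) for each DROP line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("action") != "DROP":
            continue
        hour = m.group("ts")[:-6]  # 'Dec 25 14:03:11' -> 'Dec 25 14'
        port = int(m.group("dpt"))
        service = SERVICE_BY_PORT.get(port, f"{m.group('proto').lower()}/{port}")
        yield hour, service, m.group("src")

def attempts_per_hour(text):
    """Return {hour: Counter(service -> count)} for a quick daily read of the rate."""
    table = {}
    for hour, service, _src in parse_drops(text):
        table.setdefault(hour, Counter())[service] += 1
    return table

def busiest_sources(text, n=3):
    """Top-n source addresses across all dropped connections (repeat scanners stand out)."""
    return Counter(src for _h, _s, src in parse_drops(text)).most_common(n)

if __name__ == "__main__":
    for hour, counts in sorted(attempts_per_hour(SAMPLE_LOG).items()):
        print(hour, dict(counts))
    print("busiest:", busiest_sources(SAMPLE_LOG))
```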
