[gentoo-user] Curious pattern in log files from ssh...

public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed

From: Steve <Gentoo_sjh@shic.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Curious pattern in log files from ssh...
Date: Wed, 03 Dec 2008 20:02:43 +0000	[thread overview]
Message-ID: <4936E5E3.1040606@shic.co.uk> (raw)

I've recently discovered a curious pattern emerging in my system log
with failed login attempts via ssh.

Previously, I noticed dictionary attacks launched - which were easy to
detect... and I've a process to block the IP address of any host that
repeatedly fails to authenticate.

What I see now is quite different... I'm seeing a dictionary attack
originating from a wide range of IP addresses - testing user-names in
sequence... it has been in progress since 22nd November 2008 and has
tried 7195 user names in alphabetical order from 521 distinct hosts -
with no successive two attempts from the same host.

I'm not particularly concerned - since I'm confident that all my users
have strong passwords... but it strikes me that this data identifies a
bot-net that is clearly malicious attempting to break passwords.

Sure, I could use IPtables to block all these bad ports... or... I could
disable password authentication entirely... but I keep thinking that
there has to be something better I can do... any suggestions?  Is there
a simple way to integrate a block-list of known-compromised hosts into
IPtables - rather like my postfix is configured to drop connections from
known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
example.

Break in attempts today (attempted username/IP address):
--
huck 190.60.41.82
huckleberry 81.196.122.2
huckleberry 58.39.145.213
huckleberry 60.230.184.143
hue 58.196.4.2
hue 83.228.92.228
huela 193.41.235.225
huela 193.41.235.225
huey 201.21.216.198
huey 81.149.101.27
hugh 200.123.174.145
hugh 83.228.92.228
hugh 212.46.24.146
hugo 195.234.169.138
hugo 193.86.111.6
hugo 201.224.199.201
hume 69.217.30.214
hume 80.118.132.88
hummer 71.166.159.177
hummer 200.126.119.91
hummer 61.4.210.33
humphrey 80.34.55.88
humphrey 213.163.19.158
humvee 85.222.53.48
humvee 80.24.4.23
hung 61.47.31.130
hung 70.46.140.187
hunter 67.40.86.204
hunter 83.228.92.228
hunter 200.60.156.90
huong 207.250.220.196
huong 125.63.77.3
huong 200.62.142.212
huslu 219.93.187.38
huslu 121.223.228.249
huslu 200.29.135.50
hussein 200.60.156.90
hussein 200.6.220.46
hussein 125.63.77.3
huy 60.191.111.234
huy 200.79.25.39
huyen 213.136.105.130
huyen 190.144.61.58
huyen 121.33.199.37
hy 121.33.199.37
hy 90.190.96.46
hyacinth 81.196.122.2
hyacinth 189.43.21.244
hyacinth 99.242.205.242
hyman 201.21.216.198
hypatia 218.28.143.246
hypatia 195.234.169.138
iain 200.118.119.48
iain 124.42.124.87
iain 194.224.118.61
ian 189.56.92.42
ian 201.28.119.60
ian 210.187.18.199
ianna 211.154.254.120
ianna 84.242.66.10
ianna 193.41.235.225
ianthe 81.246.26.179
ibtesam 87.30.163.87
ichabod 201.251.61.108
ida 62.61.141.93
ida 80.24.4.23
idalee 85.222.53.48
idalee 190.144.61.58
--

next             reply	other threads:[~2008-12-03 20:02 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-12-03 20:02 Steve [this message]
2008-12-03 20:16 ` [gentoo-user] Re: Curious pattern in log files from ssh Nikos Chantziaras
2008-12-03 20:19   ` Paul Hartman
2008-12-03 20:52     ` Nikos Chantziaras
2008-12-03 20:17 ` [gentoo-user] " Albert Hopkins
2008-12-03 20:18 ` Paul Hartman
2008-12-03 20:49 ` Simon
2008-12-04 11:31   ` Steve
2008-12-05  7:16     ` Mick
2008-12-03 20:54 ` Alan McKinnon
2008-12-03 21:03 ` Dmitry S. Makovey
2008-12-03 21:47   ` Steve
2008-12-03 22:11     ` Dmitry S. Makovey
2008-12-03 22:55       ` Steve
2008-12-03 23:21         ` Paul Hartman
2008-12-03 23:46           ` Dmitry S. Makovey
2008-12-03 23:55           ` Steve
2008-12-04  0:07             ` Dmitry S. Makovey
2008-12-04  0:39               ` Steve
2008-12-04 15:50                 ` Dmitry S. Makovey
2008-12-04 22:44                   ` Adam Carter
2008-12-05  0:15                     ` Dmitry S. Makovey
2008-12-04 23:42                   ` Shawn Haggett
2008-12-03 22:54     ` Adam Carter
2008-12-04 11:24 ` Evgeniy Bushkov
2008-12-04 22:41   ` Adam Carter
2008-12-04 22:53     ` Adam Carter
2008-12-05 15:05     ` Evgeniy Bushkov
2008-12-07  5:52       ` Joshua Murphy
2008-12-04 19:03 ` Christian Franke
2008-12-04 20:22   ` Dmitry S. Makovey
2008-12-04 21:20   ` Alan McKinnon
2008-12-05 11:24     ` Steve

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4936E5E3.1040606@shic.co.uk \
    --to=gentoo_sjh@shic.co.uk \
    --cc=gentoo-user@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox