public inbox for gentoo-user@lists.gentoo.org
From: Simon <turner25@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Date: Wed, 03 Dec 2008 15:49:46 -0500
Message-ID: <4936F0EA.7010000@gmail.com>
In-Reply-To: <4936E5E3.1040606@shic.co.uk>

I noticed the same thing on my host several weeks ago.

I strongly suggest removing root access to your ssh; root is probably being 
tried by more than 50% of all login attempts...  the other trials are 
semi-intelligent random usernames (i.e., users that might really well exist, like 
'apache' etc... but other usernames which may not, like 'albert').
If your username is not part of the list of attempts, then it won't be tried 
much, and I once found out that if your password is alphanumeric with lower and 
upper case, the hacker has, at worst, a chance of finding your password in 
(26*2+10)^8 (8 chars long) = 62^8 = 2.18e14 steps, or 218 million million 
steps.  This is assuming they try the correct username each time!

The other thing you should do is place ssh on another port, very high.  IIRC, 
port numbers are 16 bits and can go as high as 65k... you could use 22xxx where 
xxx is a random favourite number, for example.

Since it is very unlikely that the attacker is targeting you specifically, 
changing the port number (and removing root access) will very likely stop the 
attack forever.  Though, if the attacker did target you, then you will need some 
more security tools (intrusion detection, etc...).

Good luck!
Simon

Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
> 
> Previously, I noticed dictionary attacks launched - which were easy to
> detect... and I've a process to block the IP address of any host that
> repeatedly fails to authenticate.
> 
> What I see now is quite different... I'm seeing a dictionary attack
> originating from a wide range of IP addresses - testing user-names in
> sequence... it has been in progress since 22nd November 2008 and has
> tried 7195 user names in alphabetical order from 521 distinct hosts -
> with no two successive attempts from the same host.
> 
> I'm not particularly concerned - since I'm confident that all my users
> have strong passwords... but it strikes me that this data identifies a
> bot-net that is clearly malicious attempting to break passwords.
> 
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions?  Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.
> 
> Break in attempts today (attempted username/IP address):
> --
> huck 190.60.41.82
> huckleberry 81.196.122.2
> huckleberry 58.39.145.213
> huckleberry 60.230.184.143
> hue 58.196.4.2
> hue 83.228.92.228
> huela 193.41.235.225
> huela 193.41.235.225
> huey 201.21.216.198
> huey 81.149.101.27
> hugh 200.123.174.145
> hugh 83.228.92.228
> hugh 212.46.24.146
> hugo 195.234.169.138
> hugo 193.86.111.6
> hugo 201.224.199.201
> hume 69.217.30.214
> hume 80.118.132.88
> hummer 71.166.159.177
> hummer 200.126.119.91
> hummer 61.4.210.33
> humphrey 80.34.55.88
> humphrey 213.163.19.158
> humvee 85.222.53.48
> humvee 80.24.4.23
> hung 61.47.31.130
> hung 70.46.140.187
> hunter 67.40.86.204
> hunter 83.228.92.228
> hunter 200.60.156.90
> huong 207.250.220.196
> huong 125.63.77.3
> huong 200.62.142.212
> huslu 219.93.187.38
> huslu 121.223.228.249
> huslu 200.29.135.50
> hussein 200.60.156.90
> hussein 200.6.220.46
> hussein 125.63.77.3
> huy 60.191.111.234
> huy 200.79.25.39
> huyen 213.136.105.130
> huyen 190.144.61.58
> huyen 121.33.199.37
> hy 121.33.199.37
> hy 90.190.96.46
> hyacinth 81.196.122.2
> hyacinth 189.43.21.244
> hyacinth 99.242.205.242
> hyman 201.21.216.198
> hypatia 218.28.143.246
> hypatia 195.234.169.138
> iain 200.118.119.48
> iain 124.42.124.87
> iain 194.224.118.61
> ian 189.56.92.42
> ian 201.28.119.60
> ian 210.187.18.199
> ianna 211.154.254.120
> ianna 84.242.66.10
> ianna 193.41.235.225
> ianthe 81.246.26.179
> ibtesam 87.30.163.87
> ichabod 201.251.61.108
> ida 62.61.141.93
> ida 80.24.4.23
> idalee 85.222.53.48
> idalee 190.144.61.58
> --
> 
> 
> 
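
An added example, not code from Simon's or Steve's messages: the detection logic Steve describes (alphabetical user names, many distinct hosts, no two successive attempts from one host, no single host crossing a per-IP blocking threshold) run over constructed sshd log lines patterned on his list, plus the reversed-octet DNSBL lookup one would use to check the attacking hosts against a block list such as the one he uses for postfix. The thresholds, the block-list zone name and the `stub_resolver` helper are assumptions for running it offline; the iptables commands are built as strings, not executed.

```python
"""Detect a distributed, alphabetical SSH user-name sweep in sshd log lines and
check the source hosts against a DNS block list. Added example, not code from the
thread; the log lines below are constructed from the user/IP pairs Steve posted."""
import re
import socket
from collections import Counter

# OpenSSH logs a failed attempt on a non-existent account as
# "Invalid user NAME from IP" (newer versions append "port N"); the syslog
# prefix varies by distribution, so the pattern is searched for, not anchored.
INVALID_USER_RE = re.compile(
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log (names and addresses follow Steve's list).
SAMPLE_LOG = """\
Dec  3 10:01:12 host sshd[4101]: Invalid user huck from 190.60.41.82
Dec  3 10:04:57 host sshd[4107]: Invalid user huckleberry from 81.196.122.2
Dec  3 10:08:02 host sshd[4112]: Invalid user huckleberry from 58.39.145.213
Dec  3 10:11:40 host sshd[4118]: Invalid user hue from 58.196.4.2
Dec  3 10:15:21 host sshd[4123]: Invalid user hugh from 200.123.174.145
Dec  3 10:18:58 host sshd[4129]: Invalid user hugo from 195.234.169.138
Dec  3 10:22:33 host sshd[4134]: Invalid user hume from 69.217.30.214
Dec  3 10:26:09 host sshd[4140]: Invalid user hunter from 67.40.86.204
Dec  3 10:29:44 host sshd[4145]: Invalid user hussein from 200.60.156.90
Dec  3 10:33:20 host sshd[4151]: Invalid user ian from 189.56.92.42
"""


def parse_invalid_users(text):
    """Return [(user, ip), ...] in log order, one entry per 'Invalid user' line."""
    attempts = []
    for line in text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("ip")))
    return attempts


def sweep_profile(attempts):
    """Summarise the attempts the way Steve did: names, hosts, ordering,
    back-to-back attempts from one host, and the busiest single host."""
    users = [u for u, _ in attempts]
    ips = [ip for _, ip in attempts]
    per_host = Counter(ips)
    return {
        "attempts": len(attempts),
        "distinct_users": len(set(users)),
        "distinct_hosts": len(per_host),
        "alphabetical": users == sorted(users),
        "consecutive_same_host": sum(1 for a, b in zip(ips, ips[1:]) if a == b),
        "max_failures_per_host": max(per_host.values()) if per_host else 0,
    }


def is_distributed_sweep(profile, min_hosts=5, per_host_threshold=3):
    """True when names arrive alphabetically from many hosts and no single host
    reaches the per-IP threshold, i.e. a per-IP blocker would never fire.
    The thresholds are illustrative assumptions, not values from the thread."""
    return (profile["alphabetical"]
            and profile["distinct_hosts"] >= min_hosts
            and profile["max_failures_per_host"] < per_host_threshold)


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNS block list expects: 82.41.60.190.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def stub_resolver(listed_ips):
    """Offline stand-in for socket.gethostbyname (assumption for testing): answers
    only for the reversed names of the given IPs, raises gaierror otherwise."""
    names = {".".join(reversed(ip.split("."))) + "." for ip in listed_ips}

    def resolve(name):
        if any(name.startswith(prefix) for prefix in names):
            return "127.0.0.2"  # typical DNSBL "listed" answer
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


def listed_in_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """True if the zone answers for the reversed name (listed), False on NXDOMAIN.
    The default does a live DNS lookup, which zone operators may rate-limit."""
    try:
        resolve(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


def blocklist_rules(attempts, zone, resolve=socket.gethostbyname):
    """Return iptables commands (strings, not executed) for every attacking host
    the block list knows about."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted({ip for _, ip in attempts})
            if listed_in_dnsbl(ip, zone, resolve)]


if __name__ == "__main__":
    prof = sweep_profile(parse_invalid_users(SAMPLE_LOG))
    print(prof)
    print("distributed sweep:", is_distributed_sweep(prof))
```

On real logs, feed `parse_invalid_users` the output of `grep 'Invalid user' /var/log/auth.log` (or the equivalent syslog file on your system) and watch `max_failures_per_host` stay below whatever threshold your per-IP blocker uses: that gap is exactly why Steve's existing blocking process never triggered on this sweep.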

Thread overview: 33+ messages
2008-12-03 20:02 [gentoo-user] Curious pattern in log files from ssh Steve
2008-12-03 20:16 ` [gentoo-user] " Nikos Chantziaras
2008-12-03 20:19   ` Paul Hartman
2008-12-03 20:52     ` Nikos Chantziaras
2008-12-03 20:17 ` [gentoo-user] " Albert Hopkins
2008-12-03 20:18 ` Paul Hartman
2008-12-03 20:49 ` Simon [this message]
2008-12-04 11:31   ` Steve
2008-12-05  7:16     ` Mick
2008-12-03 20:54 ` Alan McKinnon
2008-12-03 21:03 ` Dmitry S. Makovey
2008-12-03 21:47   ` Steve
2008-12-03 22:11     ` Dmitry S. Makovey
2008-12-03 22:55       ` Steve
2008-12-03 23:21         ` Paul Hartman
2008-12-03 23:46           ` Dmitry S. Makovey
2008-12-03 23:55           ` Steve
2008-12-04  0:07             ` Dmitry S. Makovey
2008-12-04  0:39               ` Steve
2008-12-04 15:50                 ` Dmitry S. Makovey
2008-12-04 22:44                   ` Adam Carter
2008-12-05  0:15                     ` Dmitry S. Makovey
2008-12-04 23:42                   ` Shawn Haggett
2008-12-03 22:54     ` Adam Carter
2008-12-04 11:24 ` Evgeniy Bushkov
2008-12-04 22:41   ` Adam Carter
2008-12-04 22:53     ` Adam Carter
2008-12-05 15:05     ` Evgeniy Bushkov
2008-12-07  5:52       ` Joshua Murphy
2008-12-04 19:03 ` Christian Franke
2008-12-04 20:22   ` Dmitry S. Makovey
2008-12-04 21:20   ` Alan McKinnon
2008-12-05 11:24     ` Steve