From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from )
	id 1L7yBj-0006LW-Ld
	for garchives@archives.gentoo.org; Wed, 03 Dec 2008 20:19:12 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 920E4E035D;
	Wed, 3 Dec 2008 20:18:18 +0000 (UTC)
Received: from rn-out-0910.google.com (rn-out-0910.google.com [64.233.170.186])
	by pigeon.gentoo.org (Postfix) with ESMTP id 5E900E038D
	for ; Wed, 3 Dec 2008 20:18:18 +0000 (UTC)
Received: by rn-out-0910.google.com with SMTP id 45so2204035rnw.14
        for ; Wed, 03 Dec 2008 12:18:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:sender
         :to:subject:in-reply-to:mime-version:content-type
         :content-transfer-encoding:content-disposition:references
         :x-google-sender-auth;
        bh=q6SifyVI7ARmxpEvzSj0GO+iBFaCmLjqWlVcuSlwfeE=;
        b=A1QTPMu5qffidR4r/OANrHdKilAVaEd/DBe/vwas6DK6qpMKBqI5r5/toCFETgF7qj
         dJ1K9RiSrM9LRNlJDO9dBl9p7Fx0hWGN4AHTfskvugnluqcF9COUjN2C2OKld7IR6wfy
         06O0UgNnYqPLeAx4HYg9tBMhBmpOu3VBMU55A=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:sender:to:subject:in-reply-to:mime-version
         :content-type:content-transfer-encoding:content-disposition
         :references:x-google-sender-auth;
        b=Owtr+9cvZPS4zF5uzkC9Ch/E9yVtf2KYAYUiWki4MCttCyq9hhdXmhuyq7qGZJ/iqO
         gfuHXBEtw/1qWOtGj7lfqN+0GTcUzCEq+TyN2dzfjnaNs3Jb/YNFsAPgY2Ak5x5SdMow
         O00Z0uL7mGzusYuR1htS8tdU8Gu+OZofh3LoY=
Received: by 10.143.12.20 with SMTP id p20mr5535593wfi.169.1228335497426;
        Wed, 03 Dec 2008 12:18:17 -0800 (PST)
Received: by 10.142.230.6 with HTTP; Wed, 3 Dec 2008 12:18:17 -0800 (PST)
Message-ID: <58965d8a0812031218wfdab69ej6e8912404958f054@mail.gmail.com>
Date: Wed, 3 Dec 2008 14:18:17 -0600
From: "Paul Hartman"
Sender: paul.hartman@gmail.com
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
In-Reply-To: <4936E5E3.1040606@shic.co.uk>
Precedence: bulk
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <4936E5E3.1040606@shic.co.uk>
X-Google-Sender-Auth: bdb8ce605bd4c32b
X-Archives-Salt: 624943e6-a41f-4d59-913c-c182d4769027
X-Archives-Hash: a1e9177c06821e5477da9b5939a0a4e5

On Wed, Dec 3, 2008 at 2:02 PM, Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> Previously, I noticed dictionary attacks launched - which were easy to
> detect... and I've a process to block the IP address of any host that
> repeatedly fails to authenticate.
>
> What I see now is quite different... I'm seeing a dictionary attack
> originating from a wide range of IP addresses - testing user-names in
> sequence... it has been in progress since 22nd November 2008 and has
> tried 7195 user names in alphabetical order from 521 distinct hosts -
> with no successive two attempts from the same host.

This has been going on all year, you're lucky if you just started
getting it. :) AFAIK nobody has found any specific fingerprint or
anything to block it by. The "solution" seems to be: only allow SSH
from specific IP addresses, don't use port 22, don't use password
auth, use some kind of portknocking, etc. as you already alluded to.

If you Google for distributed ssh brute force attacks, there are some
fairly detailed articles out there from earlier in the year.

Good luck :)

Paul
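The thread contrasts two things: Steve's existing per-host rule (block any IP that repeatedly fails to authenticate) and the distributed sweep it cannot see, where every attempt comes from a different host and the usernames arrive in alphabetical order. The script below is an added example, written for this archive page and not part of the thread or of any Gentoo tool, that runs both views over sshd "Failed password" lines in the standard OpenSSH syslog format. The sample log lines, the documentation-range IP addresses, and the thresholds (3 failures per host, 20 distinct hosts, 90% single-attempt and 90% ascending-username ratios) are all constructed for illustration.

```python
"""Per-host vs. fleet-wide view of failed SSH logins (added example)."""
import re
from collections import Counter

# OpenSSH syslog line, e.g.
# "Dec  3 12:00:00 gw sshd[1000]: Failed password for invalid user aaron from 203.0.113.1 port 40000 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample 1: the classic single-host dictionary attack.
SAMPLE_CLASSIC = [
    f"Dec  3 11:00:{i:02d} gw sshd[90{i}]: Failed password for {user} "
    f"from 198.51.100.7 port {5000 + i} ssh2"
    for i, user in enumerate(["root", "root", "admin", "oracle", "test"])
]

# Constructed sample 2: the distributed sweep from the thread, one attempt
# per host, usernames strictly in alphabetical order (TEST-NET-3 addresses).
_SWEEP_USERS = [
    "aaron", "abby", "adam", "admin", "alan", "albert", "alex", "alice",
    "amanda", "andrew", "angela", "anna", "anthony", "april", "arthur",
    "ashley", "austin", "barbara", "benjamin", "beth", "bill", "bob",
    "brandon", "brian",
]
SAMPLE_DISTRIBUTED = [
    f"Dec  3 12:{i:02d}:00 gw sshd[{1000 + i}]: Failed password for invalid user "
    f"{user} from 203.0.113.{i + 1} port {40000 + i} ssh2"
    for i, user in enumerate(_SWEEP_USERS)
]


def parse_failures(lines):
    """Return (username, source_ip) for every failed-password line, in log order."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out


def repeat_offenders(failures, threshold=3):
    """Steve's original rule: hosts that failed at least `threshold` times."""
    counts = Counter(ip for _, ip in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_sweep(failures, min_hosts=20, single_ratio=0.9, ascending_ratio=0.9):
    """Fleet-wide rule: many hosts, one attempt each, usernames in sorted order.

    Indicators are computed over the whole window rather than per host, which
    is exactly what a per-IP counter misses.
    """
    hosts = Counter(ip for _, ip in failures)
    single = sum(1 for n in hosts.values() if n == 1) / max(1, len(hosts))
    # "no successive two attempts from the same host"
    no_repeat = all(a[1] != b[1] for a, b in zip(failures, failures[1:]))
    users = [u.lower() for u, _ in failures]
    pairs = list(zip(users, users[1:]))
    ascending = sum(1 for a, b in pairs if a <= b) / max(1, len(pairs))
    suspicious = (
        len(hosts) >= min_hosts
        and single >= single_ratio
        and ascending >= ascending_ratio
    )
    return {
        "suspicious": suspicious,
        "distinct_hosts": len(hosts),
        "single_attempt_ratio": single,
        "ascending_ratio": ascending,
        "no_consecutive_repeat": no_repeat,
    }


if __name__ == "__main__":
    for name, sample in (("classic", SAMPLE_CLASSIC), ("distributed", SAMPLE_DISTRIBUTED)):
        failures = parse_failures(sample)
        print(name, "repeat offenders:", repeat_offenders(failures))
        print(name, "sweep indicators:", distributed_sweep(failures))
```

On the constructed data the per-host rule catches the classic attacker (five failures from 198.51.100.7) and sees nothing in the sweep, while the fleet-wide check flags the sweep and stays quiet on the single host. In practice the fleet-wide indicators are a reason to look, not a block list: with one attempt per source there is no single address worth banning, which is why the reply above points at key-only auth and source restrictions rather than better blocking.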