
ssh attacks


reclusive monkey

Oct 11, 2005, 1:06:26 PM
Someone has been making a crude attempt to login to my server via SSH.
I have all the IPs in my logs, but I am asking whether it's worth even
reporting it. What is the general consensus of opinion, is it worth
bothering with? There doesn't seem to be anything untoward going on,
neither do they seem to have succeeded.

Oct 10 23:50:04 www sshd[12054]: Failed password for invalid user rpcuser from 61.250.85.165 port 42645 ssh2
Oct 10 23:50:08 www sshd[12056]: Failed password for invalid user rpcuser from 61.250.85.165 port 42746 ssh2
Oct 10 23:50:13 www sshd[12058]: Failed password for invalid user named from 61.250.85.165 port 42822 ssh2
Oct 10 23:50:18 www sshd[12060]: Failed password for invalid user named from 61.250.85.165 port 42919 ssh2
Oct 10 23:50:22 www sshd[12062]: Failed password for invalid user test1 from 61.250.85.165 port 43017 ssh2
Oct 10 23:50:27 www sshd[12064]: Failed password for invalid user test2 from 61.250.85.165 port 43104 ssh2
Oct 10 23:50:32 www sshd[12066]: Failed password for invalid user httpd from 61.250.85.165 port 43210 ssh2
Oct 10 23:50:36 www sshd[12068]: Failed password for invalid user maggie from 61.250.85.165 port 43289 ssh2
Oct 10 23:50:41 www sshd[12070]: Failed password for invalid user susan from 61.250.85.165 port 43373 ssh2
Oct 10 23:50:46 www sshd[12072]: Failed password for invalid user lucy from 61.250.85.165 port 43473 ssh2
Oct 10 23:50:59 www sshd[12074]: Failed password for invalid user cindy from 61.250.85.165 port 43572 ssh2

Loki Harfagr

Oct 11, 2005, 1:50:45 PM
On Tue, 11 Oct 2005 10:06:26 -0700, reclusive monkey wrote:

> Someone has been making a crude attempt to login to my server via SSH.
> I have all the IPs in my logs, but I am asking whether it's worth even
> reporting it. What is the general consensus of opinion, is it worth
> bothering with? There doesn't seem to be anything untoward going on,
> neither do they seem to have succeeded.
>

...

Mmm. The term "crude" is an understatement :-)

If by any chance you don't have some family named maggie|susan|lucy|cindy
it doesn't seem a very deep attack, nor very fast (5 secs mean lag)
so, if it is not a 'social engineered' assault *and* your users' passwords
are quite solid you're not in disgrace before a long looong time.

> Oct 10 23:50:36 www sshd[12068]: Failed password for invalid user
> maggie from 61.250.85.165 port 43289 ssh2
> Oct 10 23:50:41 www sshd[12070]: Failed password for invalid user susan
> from 61.250.85.165 port 43373 ssh2
> Oct 10 23:50:46 www sshd[12072]: Failed password for invalid user lucy
> from 61.250.85.165 port 43473 ssh2
> Oct 10 23:50:59 www sshd[12074]: Failed password for invalid user cindy
> from 61.250.85.165 port 43572 ssh2

All in all the look of it is some bot captured a zombie and made it try
some script-kiddy serial, but it doesn't seem to use the average start
(like sys/adm/sysadm/123/adm123/...)
You may enforce your ssh connections thru config and/or iptables rules if you
find this kind of stuff frequently and in big numbers in your logs, but
sincerely, if you saw what size of these are in any log from corp servers
you wouldn't mind about this!

PS:
Did you try a reverse search, for instance a nmap on 61.250.85.165
at the time it happened ? just in case :-)

+Alan Hicks+

Oct 11, 2005, 2:42:31 PM

In alt.os.linux.slackware, reclusive monkey dared to utter,


> Someone has been making a crude attempt to login to my server via SSH.
> I have all the IPs in my logs, but I am asking whether it's worth even
> reporting it. What is the general consensus of opinion, is it worth
> bothering with? There doesn't seem to be anything untoward going on,
> neither do they seem to have succeeded.

It's a stupid little ssh worm. I have seen it coming and going for
over a year now, but I've never gotten around to setting up a honeypot
to see what it does if it gets access. I wouldn't bother reporting it.
This has been going on for a long time now and anyone concerned about
it has long known what it is.

In short, some script kiddie has a worm that tries to log into any
machine that has ssh listening to the world using a dictionary attack
or something similar. If your passwords are strong enough you've got
nothing to worry about.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5

cashmir

Oct 11, 2005, 2:52:32 PM
Loki Harfagr wrote:
> On Tue, 11 Oct 2005 10:06:26 -0700, reclusive monkey wrote:
>
>
<------->

>
>>Oct 10 23:50:36 www sshd[12068]: Failed password for invalid user
>>maggie from 61.250.85.165 port 43289 ssh2
<----------->

> Did you try a reverse search, for instance a nmap on 61.250.85.165
> at the time it happened ? just in case :-)

maybe try " ssh 61.250.85.165 " and guess a username and pwd.
( the thing is online now... )

cashmir

reclusive monkey

Oct 11, 2005, 3:10:31 PM
Thanks Alan/Loki, I thought it wasn't anything unduly worrying. I
checked a couple of the IPs, one was in Korea, the other one was
registered to a Business in the UK. I was going to email the UK
business address, then I saw it was in Milton Keynes, so I didn't
bother (sorry that will be lost on anyone outside the UK).

I only have a user account for myself on the server, with a "non-word"
eight character password. I've disabled root login in sshd_config for
now, so I am reasonably happy. Knowing the amount of activity doesn't
activate much alarm here is a better judgement than I could give
myself. Thanks for the advice guys.

+Alan Hicks+

Oct 11, 2005, 4:19:33 PM

In alt.os.linux.slackware, reclusive monkey dared to utter,

> Thanks Alan/Loki, I thought it wasn't anything unduly worrying. I
> checked a couple of the IPs, one was in Korea, the other one was
> registered to a Business in the UK.

When these first started popping up I did some forensics and determined
that most of the attacks were coming from old Red Hat servers. I don't
know if that's just because they had easily guessed passwords, or if
some other vulnerability was exploited to allow this attack to begin
from them. I contacted a few of the "attackers" when I figured they
were clueless as to what was going on with mixed responses.

> I only have a user account for myself on the server, with a "non-word"
> eight character password.

That should be good enough. I prefer to use no fewer than 12 myself,
but I'm paranoid like that. :-)

> I've disabled root login in sshd_config for
> now, so I am reasonably happy.

That's a good first step. Won't stop a dedicated attacker, but will at
least slow down most script kiddies trying a dictionary or brute force
attack.

> Knowing the amount of activity doesn't
> activate much alarm here is a better judgement than I could give
> myself. Thanks for the advice guys.

Anytime.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5

Chiefy

Oct 11, 2005, 7:28:51 PM
11 Oct 2005 17:06 UTC, reclusive monkey typed:

> Someone has been making a crude attempt to login to my server via SSH.
> I have all the IPs in my logs, but I am asking whether it's worth even
> reporting it. What is the general consensus of opinion, is it worth
> bothering with? There doesn't seem to be anything untoward going on,
> neither do they seem to have succeeded.

I was taught to report anything untoward. Absolutely every time.

Probably hasn't helped me one jot, but it passes a quiet moment or two :-)

Joaco

Oct 11, 2005, 10:39:37 PM
On 11 Oct 2005 12:10:31 -0700
"reclusive monkey" <reclusiv...@gmail.com> wrote:

> Thanks Alan/Loki, I thought it wasn't anything unduly
> worrying. I checked a couple of the IPs, one was in Korea,
> the other one was registered to a Business in the UK. I was
> going to email the UK business address, then I saw it was in
> Milton Keynes, so I didn't bother (sorry that will be lost
> on anyone outside the UK).
>
> I only have a user account for myself on the server, with a
> "non-word" eight character password. I've disabled root


Yes, I have been getting more than the usual attacks, both
sshd as well as to my dns servers. Other people are talking
about the increase at various security sites.

You can also configure your sshd to a port other than 22 in
your /etc/ssh/ssh_config file (if you are the only caller).

TonyB


Karl

Oct 11, 2005, 10:49:35 PM
hahaha I seem to get Asian names in mine...
Illegal user chiaki from 60.191.29.126
Illegal user hamano from 60.191.29.126
Illegal user miharu from 60.191.29.126


cheers,
Karl

PS. does anyone know a good site about the logs in linux? I'm presuming
though in time the linux sys admin guide will help

Handover Phist

Oct 11, 2005, 11:20:49 PM
reclusive monkey blithely blithered

> Someone has been making a crude attempt to login to my server via SSH.

I once wrote a script called 'slapcracker.sh' to extract and report on
these but whatever, it's just a basic attack. It's not even trying more
than one password on each account. Keep your passwords good and life
will be just as good.

--
Q: What goes
Click. "Did I get it?"
Click. "Did I get it?"
Click. "Did I get it?"
Click. "Did I get it?"
A: Stevie Wonder doing the Rubik's Cube.
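
To check Loki Harfagr's reading of the OP's log (about five seconds between attempts) and Handover Phist's (one password per account) mechanically rather than by eye, here is an added example that is not from the thread: a POSIX shell/awk summariser that groups sshd "Failed password" lines by source address. The function names summarize_failed_logins and abuse_report_candidates are assumptions, and the two log lines that are not the OP's are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Input: the eleven sshd lines the OP posted,
# re-joined onto single lines, plus two constructed lines (a failure for an existing
# account, and an accepted login) to show that the filter ignores what it should.
SAMPLE_LOG='Oct 10 23:50:04 www sshd[12054]: Failed password for invalid user rpcuser from 61.250.85.165 port 42645 ssh2
Oct 10 23:50:08 www sshd[12056]: Failed password for invalid user rpcuser from 61.250.85.165 port 42746 ssh2
Oct 10 23:50:13 www sshd[12058]: Failed password for invalid user named from 61.250.85.165 port 42822 ssh2
Oct 10 23:50:18 www sshd[12060]: Failed password for invalid user named from 61.250.85.165 port 42919 ssh2
Oct 10 23:50:22 www sshd[12062]: Failed password for invalid user test1 from 61.250.85.165 port 43017 ssh2
Oct 10 23:50:27 www sshd[12064]: Failed password for invalid user test2 from 61.250.85.165 port 43104 ssh2
Oct 10 23:50:32 www sshd[12066]: Failed password for invalid user httpd from 61.250.85.165 port 43210 ssh2
Oct 10 23:50:36 www sshd[12068]: Failed password for invalid user maggie from 61.250.85.165 port 43289 ssh2
Oct 10 23:50:41 www sshd[12070]: Failed password for invalid user susan from 61.250.85.165 port 43373 ssh2
Oct 10 23:50:46 www sshd[12072]: Failed password for invalid user lucy from 61.250.85.165 port 43473 ssh2
Oct 10 23:50:59 www sshd[12074]: Failed password for invalid user cindy from 61.250.85.165 port 43572 ssh2
Oct 10 23:51:10 www sshd[12080]: Failed password for root from 198.51.100.7 port 51000 ssh2
Oct 10 23:51:12 www sshd[12082]: Accepted publickey for admin from 203.0.113.5 port 52000 ssh2'

# Read sshd log lines on stdin and print one summary line per source address:
# total failed attempts, distinct usernames tried, the most retries any single
# username got, and the mean gap in seconds between consecutive attempts.
# Assumes all lines fall on the same day (syslog timestamps carry no year, and
# midnight roll-over is not handled here).
summarize_failed_logins() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""; user = ""
      for (i = 1; i <= NF; i++) {
        # "for invalid user NAME" when the account does not exist, "for NAME" when it does
        if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
        if ($i == "from") ip = $(i+1)
      }
      if (ip == "" || user == "") next
      split($3, t, ":")
      secs = t[1] * 3600 + t[2] * 60 + t[3]
      attempts[ip]++
      peruser[ip, user]++
      if (peruser[ip, user] == 1) users[ip]++
      if (peruser[ip, user] > maxretry[ip]) maxretry[ip] = peruser[ip, user]
      if (ip in last) gap[ip] += secs - last[ip]
      last[ip] = secs
    }
    END {
      for (ip in attempts) {
        mean = (attempts[ip] > 1) ? gap[ip] / (attempts[ip] - 1) : 0
        printf "%s attempts=%d users=%d max_retry=%d mean_gap=%.1f\n", ip, attempts[ip], users[ip], maxretry[ip], mean
      }
    }' | sort
}

# Sources worth writing up: at least MIN failed attempts in the log extract.
# Prints one address per line, so the output can feed an abuse report or a block list.
abuse_report_candidates() {
  min="$1"
  summarize_failed_logins | awk -v min="$min" '
    { split($2, a, "="); if (a[2] + 0 >= min) print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_failed_logins
printf '%s\n' "$SAMPLE_LOG" | abuse_report_candidates 5
```

On the OP's lines this reports 11 attempts against 9 usernames, no username tried more than twice, and a mean gap of 5.5 seconds, which is exactly the "one password per account, about five seconds apart" pattern the thread describes.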

Shannon Lloyd

Oct 11, 2005, 11:35:30 PM

Every time?!? I typically used to get upwards of 6000 failed ssh login
attempts on a single machine every day. The solution, of course, was
just to move sshd onto an obscure port so that the scripts wouldn't find
it. If I determined to report all of the ip addresses that tried to get
into my systems, I'd go crazy. To the OP, I would just reiterate what
others have already said, i.e. make sure your passwords are decent, don't
let root login via ssh, move ssh to another port if that's an option for
you, and possibly implement AllowGroups or AllowUsers in sshd_config to
restrict ssh access to specified users. Reporting failed login attempts
(even if there are hundreds of them per ip) won't really achieve
anything, other than waste your time. Most of the attempts are probably
just scripts on zombie boxes anyway, and in the time it takes you to
report one ip address, you'll probably get a hundred more failed
attempts from other ip addresses in your logs.

Shannon

Faux_Pseudo

Oct 12, 2005, 12:29:04 AM

_.-In alt.os.linux.slackware, Handover Phist wrote the following -._


> reclusive monkey blithely blithered
>> Someone has been making a crude attempt to login to my server via SSH.
>
> I once wrote a script called 'slapcracker.sh' to extract and report on
> these but whatever, it's just a basic attack. It's not even trying more
> than one password on each account. Keep your passwords good and life
> will be just as good.

And make sure you never change the lines in /etc/securetty that look
like these:
# These are some remote ttys, and uncommenting them might be less than fully secure:
#ttyS0
#ttyS1
#ttyS2
#ttyS3
#ttyp0
#ttyp1
#ttyp2
#ttyp3
#ttyp4
#ttyp5
#ttyp6
#ttyp7
#pts/0
#pts/1
#pts/2
#pts/3
#pts/4
#pts/5
#pts/6
#pts/7



Alexander Antonakakis

Oct 12, 2005, 12:57:55 AM
There is a nice Python script also that can take care, in a way, of these login
attempts. It is called BlockHosts and can be found on
http://freshmeat.net/redir/blockhosts/58025/url_homepage/blockhosts
Give it a try.

Sylvain Robitaille

Oct 12, 2005, 1:01:40 AM
Shannon Lloyd wrote:

> I typically used to get upwards of 6000 failed ssh login attempts on
> a single machine every day. The solution, of course, was just to move
> sshd onto an obscure port so that the scripts wouldn't find it. If I
> determined to report all of the ip addresses that tried to get into
> my systems, I'd go crazy. ... Reporting failed login attempts (even
> if there are hundreds of them per ip) won't really achieve anything,
> other than waste your time. Most of the attempts are probably just
> scripts on zombie boxes anyway, and in the time it takes you to report
> one ip address, you'll probably get a hundred more failed attempts
> from other ip addresses in your logs.

At some point (last year? year before?) I was seeing a lot (hundreds
per day) of attempted connections to a couple of systems I manage at
work from IP addresses belonging to a local (though relatively large)
commercial ISP. The systems would actually refuse (and log to a central
logging server, where it was easy to gather log extracts from multiple
systems at once) the connections, thanks to TCP_Wrappers, but the sheer
number of them from a small number of source addresses all belonging to
the same ISP made it worth reporting.

On a regular basis, usually every few days, sometimes at weekly
intervals, I would gather the logs into a report, which I would submit
to the ISP using their web interface (note that it's more work to do
that than it is to fire off an email to abuse@, but the email approach
only caused an autoreply that requested complainants to use their nifty
web-based submission form). Each time I would receive acknowledgement
of my submission, and most times a few days later I would receive
notification that their user had been warned and that further activity
of the same sort "may cause the account to be suspended."

This carried on for months, without my knowing whether any accounts ever
got suspended, and after a while I started to wonder if any of their
users had even been notified that the activity had been reported. It
just didn't seem likely to me that a large number of their users would
have suddenly started targeting our systems, but only from a single
source at any given time.

I wrote a perl script to watch my log file. For every refused
connection from an IP address in this ISP's address block, the script
was to submit a completed form to the ISP's web-based abuse reporting
system. I let the script loose on the logs I had collected so far that
same day, and then set it to watch the log in real time (restarting it
every night when the log is rotated).

The very next day, I received a telephone call from someone claiming
to work for this ISP. He explained that he had received 380 abuse
reports from me the previous day and wanted to know what the problem was.
I checked my logs, corrected him that I had sent 384 reports the previous
day, and that the "problem" was that my systems were clearly being
targeted by one or more of his users, which I believed to be contrary
to their acceptable usage policy.

I let him know that my attempts at submitting consolidated logs for the
previous months had clearly been ineffective, therefore I had arranged to
now submit a report (in near-real-time) every time his users targeted
my systems, and that if he wanted the reports to stop, he would need to
address the problem at the source.

The following day, I received 380 (not 384!) separate notifications that
the ISP's user(s) had been warned and that further activity "may" lead
to suspension of the account(s). There were a small number of repeated
attempts afterwards, nowhere nearly as frequently as they had been in
the months prior, and they ultimately trickled off. I don't recall the
last time my script submitted a report to this ISP, but it still runs,
watching the logs from the central logging server.

Submitting abuse reports does (sometimes) work, though it can make a
difference if you know how to be "persuasive". :-)

--
----------------------------------------------------------------------
Sylvain Robitaille s...@alcor.concordia.ca

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

Keith Keller

Oct 12, 2005, 1:23:32 AM
On 2005-10-12, Sylvain Robitaille <s...@alcor.concordia.ca> wrote:

[very amusing story snipped]

> Submitting abuse reports does (sometimes) work, though it can make a
> difference if you know how to be "persuasive". :-)

s/persuasive/abusive/;

Not that the ISP didn't deserve the abuse, of course. :)

--keith

--
kkeller...@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information

reclusive monkey

Oct 12, 2005, 5:41:30 AM
LOL Ah were my scripting skills of your level Sylvain! Might be time to
dust off that Perl that's been sitting on my shelf (I need a task to
learn anything...).

I once went for a job interview at the UK's first "free" ISP (when it
was just starting out). Their network manager was a friend of a friend,
and we got on well, but his lack of knowledge about what he was doing
(self confessed) was *frightening*. At least he was quite open about
the fact that he was "blagging it"...

Paul Kinsler

Oct 12, 2005, 5:09:25 AM
cashmir <cas...@xs4all.nl> wrote:
> > Did you try a reverse search, for instance a nmap on 61.250.85.165
> > at the time it happened ? just in case :-)

> maybe try " ssh 61.250.85.165 " and guess a username and pwd.
> ( the thing is online now... )

I wouldn't do that...

http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/


--
#Paul

Dominik L. Borkowski

Oct 12, 2005, 7:21:43 AM
reclusive monkey wrote:

> Someone has been making a crude attempt to login to my server via SSH.
> I have all the IPs in my logs, but I am asking whether it's worth even
> reporting it. What is the general consensus of opinion, is it worth
> bothering with? There doesn't seem to be anything untoward going on,
> neither do they seem to have succeeded.

As others have stated, those are bots. Submitting logs is often worthless,
I've learned that 9 out of 10 'other sysadmins' do not care. In fact, if
they would care, more often than not they prevent that from happening in
the first place.

Now, regarding how to deal with this annoyance. Try this, and I assure you,
it works:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent
--update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent
--set -j ACCEPT

[watch for the split lines, there are only two real lines there. adjust eth0
accordingly].

give it a whirl, you'd be surprised.

cashmir

Oct 12, 2005, 9:17:16 AM

errm...yes, a rather unthoughtful remark of mine.
it's bad advice in any case.

but according to that story anyone can be fined, even without any proof
of criminal intent.
I wonder if such could happen when just making a typo (wrong ip)
and repeating the request several times before noticing.

cashmir

Loki Harfagr

Oct 12, 2005, 10:11:08 AM

Did this suit happen in a coffee-shop or a madhouse?
Some folks are sawing the branch they're on using freshly shot feet.
Is the whole world getting kook full time or is it just a sequel of
10 years of Windoxs that the admins prefer to protect their servers by
law instead of admin work!?
I think if this is to extend I'll consider changing job for something
a bit more calm and balanced, fireman, bodyguard, bungee-tester.

Robby Workman

Oct 12, 2005, 11:52:25 AM
Dominik L. Borkowski wrote:

> Now, regarding how to deal with this annoyance. Try this, and I assure you,
> it works:
>
> iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent
> --update --seconds 15 -j DROP
> iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent
> --set -j ACCEPT
>
> [watch for the split lines, there are only two real lines there. adjust eth0
> accordingly].
>
> give it a whirl, you'd be surprised.

That's effective for sure, and quite possibly better than what I've
been using:

iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --destination-port 22 -m limit --limit 3/m --limit-burst 3 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j REJECT

--

http://rlworkman.net

Jorey Bump

Oct 12, 2005, 12:02:17 PM
"Dominik L. Borkowski" <d...@vbi.vt.edu> wrote in
news:diirm1$bup$1...@solaris.cc.vt.edu:

I added these rules to some servers when Dominik provided them a few days
ago. He's right. They work great and are highly recommended over any other
solution I've seen. It's basically a set & forget operation, though you may
need to alter the interface(s) to match your setup.

Stuart Winter

Oct 12, 2005, 12:05:05 PM
On Wed, 12 Oct 2005 07:21:43 -0400, d...@vbi.vt.edu wrote:

> Now, regarding how to deal with this annoyance. Try this, and I assure you,
> it works:
>
> iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent
> --update --seconds 15 -j DROP
> iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent
> --set -j ACCEPT

It works but it also prevents you from being able to login legitimately

Example:

I login, get my shell.
do something quickly, logout
Remember that I forgot to do something, hit the up arrow, press return
My connections are dropped and I have to wait.

Sylvain Robitaille

Oct 12, 2005, 12:10:36 PM
Keith Keller wrote:

>> Submitting abuse reports does (sometimes) work, though it can make a
>> difference if you know how to be "persuasive". :-)
>
> s/persuasive/abusive/;

I would argue that I wasn't being abusive at all. They insist that
complaints be submitted via their web interface, which I did, and since
they didn't appear to address complaints that consolidated log entries on
an at least daily basis, I decided to complain about individual incidents,
which they ultimately addressed. I was simply adapting to what appeared
to work best at the time. :-)

Dominik L. Borkowski

Oct 12, 2005, 12:56:28 PM
Stuart Winter wrote:

> I login, get my shell.
> do something quickly, logout
> Remember that I forgot to do something, hit the up arrow, press return
> My connections are dropped and I have to wait.

You can lower the timeout. It's still a bit better than having to wait,
because your machine is busy with sshd trying to authenticate hundreds of
illegitimate login attempts from those bots.

Honestly, that's a small price to pay, and it's a rare occurrence. I have
yet to receive a single complaint from any of my users. In fact, the ones
that were complaining about similar problems at home, with much slower
machines, they're now happy with this basic solution.

Then again, compare this to the other solutions:

a) analysing logs and blocking based on that. that's not quite real time,
and you still run into the possibility of blocking yourself
b) run ssh on a different port. well, that works for now, who knows when the
kiddies will be portscanning and checking for service banners. in addition,
it is inconvenient for some people 'so from now on, you will have to select
this option and specify that port. yeah, for each client that's different.
yes, we did it just to annoy you'.
c) if you use pam+ssh, there is a pam module to help with too many failed
login attempts. of course, this is slack, so no pam.

it's all about balance...

Sylvain Robitaille

Oct 12, 2005, 1:05:03 PM
Stuart Winter wrote:

> I login, get my shell.
> do something quickly, logout
> Remember that I forgot to do something, hit the up arrow, press return
> My connections are dropped and I have to wait.

Shorten the timeout in the first iptables command? Would that reduce
the effectiveness of these filtering rules by very much?

Loki Harfagr

Oct 12, 2005, 2:20:13 PM

Sure, but if you need less than 15 seconds to type your password
it just shows your password is not good enough ;-)
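
Dominik's rules, parameterised, as an added example that is not from the thread, with two changes that answer Stuart's reconnect problem without shortening the window: --hitcount, so a source gets a few new connections per window before it is dropped (Dominik's original behaves like hitcount 1), and an optional trusted address that bypasses the limiter. The interface, port, window, hit count and trusted address are assumed arguments; run, ssh_ratelimit_rules and simulate_recent are assumed names, and simulate_recent replays attempt timestamps through the same match logic offline so a window/hitcount choice can be checked against a log extract before it is deployed.

```shell
#!/bin/sh
# Added example, not from the thread. Per-source rate limiting of NEW SSH connections
# with the iptables "recent" match. DRY_RUN=1 (the default) prints the rules;
# DRY_RUN=0 applies them with iptables, which needs root.
: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Arguments: interface, port, window in seconds, new connections allowed per window,
# optional trusted source address or CIDR that is never rate-limited.
ssh_ratelimit_rules() {
  iface="$1"; port="$2"; window="$3"; hits="$4"; trusted="$5"
  # Packets of sessions that are already authenticated never reach the limiter.
  run iptables -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Optional bypass for a management address, so an admin can reconnect at will.
  if [ -n "$trusted" ]; then
    run iptables -A INPUT -i "$iface" -p tcp --dport "$port" -s "$trusted" -m state --state NEW -j ACCEPT
  fi
  # --update matches only when the source already has $hits timestamps inside the window;
  # on a match it records another one, so a bot that keeps retrying keeps itself blocked.
  run iptables -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW \
      -m recent --name SSH --update --seconds "$window" --hitcount "$hits" -j DROP
  # Below the limit: record this connection and let it through.
  run iptables -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW \
      -m recent --name SSH --set -j ACCEPT
}

# Replay attempt timestamps (seconds, ascending) through the same logic: a packet is
# dropped when at least HITS earlier stamps fall inside the window; every packet, dropped
# or not, adds a stamp. Prints "accepted dropped".
simulate_recent() {
  window="$1"; hits="$2"; shift 2
  printf '%s\n' "$@" | awk -v window="$window" -v hits="$hits" '
    {
      t = $1 + 0; n = 0
      for (i = 1; i <= cnt; i++) if (t - stamp[i] <= window) n++
      if (n >= hits) dropped++; else accepted++
      stamp[++cnt] = t
    }
    END { printf "%d %d\n", accepted + 0, dropped + 0 }'
}

ssh_ratelimit_rules "${IFACE:-eth0}" 22 60 4 "${TRUSTED:-}"
# The OP's bot: eleven attempts over 55 seconds, relative to the first one.
simulate_recent 60 4 0 4 9 14 18 23 28 32 37 42 55
```

With a 60-second window and hitcount 4 the OP's bot gets four connections through and the remaining seven dropped, while Stuart's reconnect a few seconds after logout stays under the limit; with Dominik's original 15-second window and no hitcount that same reconnect is the one that gets dropped.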

Grant

Oct 12, 2005, 4:38:52 PM
On Wed, 12 Oct 2005 16:11:08 +0200, Loki Harfagr <lo...@DarkDesign.free.fr> wrote:

>On Wed, 12 Oct 2005 10:09:25 +0100, Paul Kinsler wrote:
>
>> cashmir <cas...@xs4all.nl> wrote:
>>> > Did you try a reverse search, for instance a nmap on 61.250.85.165
>>> > at the time it happened ? just in case :-)
>>
>>> maybe try " ssh 61.250.85.165 " and guess a username and pwd.
>>> ( the thing is online now... )
>>
>> I wouldn't do that...
>>
>> http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/
>
> Did this suit happen in a coffee-shop or a madhouse?

Is crazy, no?

> Some folks are sawing the branch they're on using freshly shot feet.
> Is the whole world getting kook full time or is it just a sequel of
>10 years of Windoxs that the admins prefer to protect their servers by
>law instead of admin work !?

Yup, first reaction, there ought to be a law against that, the CLI
is next target, we got to drag'n'drool computers like comic books.

> I think if this is to extend i'll consider changing job for something
>a bit more calm and balanced, fireman, bodyguard, bungee-tester.

Condom burst tester?

Grant.

Grant

Oct 12, 2005, 4:42:41 PM
On Wed, 12 Oct 2005 16:10:36 +0000 (UTC), Sylvain Robitaille <s...@alcor.concordia.ca> wrote:

>Keith Keller wrote:

>> s/persuasive/abusive/;
>
>I would argue that I wasn't being abusive at all. They insist that
>complaints be submitted via their web interface, which I did, and since
>they didn't appear to address complaints that consolidated log entries on
>an at least daily basis, I decided to complain about individual incidents,
>which they ultimately addressed. I was simply adapting to what appeared
>to work best at the time. :-)

No fair, if you pit a simple script against a windoze-weenie admin? :o)

Sylvain Robitaille

Oct 12, 2005, 11:56:36 PM
Grant wrote:

> No fair, if you pit a simple script against a windoze-weenie admin? :o)

:-) It can only be called unfair or cheating or abusive if I played by
some other rules than they had set, which I don't believe I did. :-)

Man you guys are _tough_ judges! ;-)

The Eighth Doctor

Oct 14, 2005, 12:32:56 AM
In article <20051011183937...@sysdev.org>, to...@sysdev.org
says...
Hello from the Eighth Doctor
I'm in the US, but I happen to be a Doctor Who fan (hint!), and a Monty Python
fan. But the reference to Milton Keynes is something I am interested in.

And yes, I've been seeing my share of these idiotic attacks. None since my latest
box went live however.
--
Gregg drwho8 atsign att dot net
"This signature prefers his Homer in the original Greek."

Realto Margarino

Oct 14, 2005, 6:23:11 AM
reclusive monkey <reclusiv...@gmail.com> trolled:

> Someone has been making a crude attempt to login to my server via
> SSH.

That would almost certainly be Coward Hicks.

> I have all the IPs in my logs, but I am asking whether it's worth
> even reporting it. What is the general consensus of opinion, is it
> worth bothering with? There doesn't seem to be anything untoward
> going on, neither do they seem to have succeeded.

Hicks wouldn't know what to do even if he was successful in breaking
in. He would probably type "format c:" to see if he could fuck you
up. He is a moron and a turd and a hillbilly and he has been asked,
more than once, to stop posting to this ng.

cordially, as always,

rm

Realto Margarino

Oct 14, 2005, 6:28:03 AM
+Alan Hicks+ <al...@lizella.network> trolled:


> In alt.os.linux.slackware, reclusive monkey dared to utter,


> > Someone has been making a crude attempt to login to my server via SSH.

> > I have all the IPs in my logs, but I am asking whether it's worth even
> > reporting it. What is the general consensus of opinion, is it worth
> > bothering with? There doesn't seem to be anything untoward going on,
> > neither do they seem to have succeeded.

> It's a stupid little ssh worm.

Time to get ready for the impalement, doofus. You will find out
that being impaled is far from being attacked by a "stupid little
ssh worm."

You are going to find out what it is like to move to the next
reality. You are asked to bugger off on out of here, you gutless
little stooge.

cordially, as always,

rm

Realto Margarino

Oct 14, 2005, 6:29:53 AM
+Alan Hicks+ <al...@lizella.network> trolled:

> In alt.os.linux.slackware, reclusive monkey dared to utter,

> > Thanks Alan/Loki, I thought it wasn't anything unduly worrying. I
> > checked a couple of the IPs, one was in Korea, the other one was
> > registered to a Business in the UK.

> When these first started popping up I did some forensics and determined
> that most of the attacks were coming from old Red Hat servers.

Fuck off, Hicks, you gutless little stooge. You have nothing
significant to add on any topic. You are a gutless little stooge
who's about to experience, first hand, the joys of impalement.

We will watch.

cordially, even to pure trash,

rm

Mikhail Zotov

Oct 14, 2005, 7:15:29 AM
reclusive monkey wrote:
> Someone has been making a crude attempt to login to my server via SSH.
> I have all the IPs in my logs, but I am asking whether it's worth even
> reporting it. What is the general consensus of opinion, is it worth
> bothering with? There doesn't seem to be anything untoward going on,
> neither do they seem to have succeeded.

I know Dominik Borkowski has already suggested a nice solution.
Still, there is a project aimed to address exactly your problem:

http://www.csc.liv.ac.uk/~greg/sshdfilter/

--
Mikhail

Theodore Heise

Oct 15, 2005, 10:22:03 AM
On Thu, 13 Oct 2005 03:56:36 +0000 (UTC),
Sylvain Robitaille <s...@alcor.concordia.ca> wrote:
>
>:-) It can only be called unfair or cheating or abusive if I played by
> some other rules than they had set, which I don't believe I did. :-)

Well, I don't think it was abusive in any way. Changing the
reporting method from consolidated to "per attack" could
potentially be considered escalation, but it coincided with the
change in collection method and was consistent with their
guidelines (as you pointed out).

Loved the story, by the way.

To the OP: I saw the same activity on my 10.2 box within a day of
install, and implemented iptables blocking of access to ssh from
all but a few known IPs. I also block it with tcpwrappers.

--
Theodore (Ted) Heise <th...@heise.nu> Bloomington, IN, USA

Josh

Oct 20, 2005, 10:20:20 PM
Try this script. It will compile a list from your /var/log/messages of those
ssh hackers and add an iptable firewall permanently banning them from your
system. It's a start.

http://freewebspace.planetdns.net/banssh.tar


"Mikhail Zotov" <mux...@lenta.ru> wrote in message
news:1129288529.4...@g49g2000cwa.googlegroups.com...

paul.nuffer

Oct 21, 2005, 2:02:30 AM
Considering the OP, I've seen `iptables` and some scripts with the logs
as solutions. What do you all think of just eliminating passwords
altogether? I've disallowed password authentication after getting each
user to upload their public key to their appropriate authorized_keys
files.

I still get the attack attempts, but since no password authentication
is accepted at all, the user is denied when no private key is found to
match their non-existent account. I'm going to test out the iptables
rules mentioned, but would you consider public key authentication to be
a sound security move? If it's not, could you let me know why not?

Thanks,

Paul

reclusive monkey

Oct 21, 2005, 6:09:16 AM
Hi Paul,

I did actually have this set up on the web server. The hard drive is on
its way out (I was running a Counter-Strike server on there; it's a
"fun" task keeping it ticking over), so I had reinstalled recently, and
just haven't got round to sorting out the keys again. As there is only
me logging into the server, yes, keys are a very sensible option. I am
holding off till Xmas to do a few things on the LAN, authorized_keys
might just have to jump up that list!

Faux_Pseudo

Oct 21, 2005, 2:04:45 PM

_.-In alt.os.linux.slackware, Josh wrote the following -._


> Try this script. It will compile a list from your /var/log/messages of those
> ssh hackers and
> add an iptable firewall permanently banning them
> from your system. It's a start.
>
> http://freewebspace.planetdns.net/banssh.tar

Don't top post

Just some of the many errors reported by running the script:

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.10: Unknown arg `-s'
Try `iptables -h' or 'iptables --help' for more information.
./firewall: line 121: -j: command not found

