| 1 |
I noticed the same thing on my host several weeks ago. |
| 2 |
|
| 3 |
I strongly suggest removing root access to your ssh, root is probably being |
| 4 |
tried by more than 50% of all login attempts... the other trials are |
| 5 |
semi-intelligent random usernames (ie, users that might really well exists, like |
| 6 |
'apache' etc... but other usernames which may not like 'albert'). |
| 7 |
If your username is not part of the list of attempts, then it won't be tried |
| 8 |
much, and I once found out that if your password is alphanumeric with lower and |
| 9 |
upper cases, the hacker as a worst chance of finding your password in |
| 10 |
(26*2+10)^8(chars long) = 62^8 = 2.18e14 steps or 218 millions of millions of |
| 11 |
steps. This is assuming they try the correct username each time! |
| 12 |
|
| 13 |
The other thing you should do is place ssh on another port, very high. IIRC, |
| 14 |
port numbers are 16bits and can go as high as 65k... you could use 22xxx where |
| 15 |
xxx is a random favorite number for example. |
| 16 |
|
| 17 |
Since it is very unlikely that the attacker is targeting you specifically, |
| 18 |
changing the port number (and removing root access) will very likely stop the |
| 19 |
attack forever. Though, if the attacker did target you, then you will need some |
| 20 |
more security tools (intrusion detection, etc...). |
| 21 |
|
| 22 |
Good luck! |
| 23 |
Simon |
| 24 |
|
| 25 |
Steve wrote: |
| 26 |
> I've recently discovered a curious pattern emerging in my system log |
| 27 |
> with failed login attempts via ssh. |
| 28 |
> |
| 29 |
> Previously, I noticed dictionary attacks launched - which were easy to |
| 30 |
> detect... and I've a process to block the IP address of any host that |
| 31 |
> repeatedly fails to authenticate. |
| 32 |
> |
| 33 |
> What I see now is quite different... I'm seeing a dictionary attack |
| 34 |
> originating from a wide range of IP addresses - testing user-names in |
| 35 |
> sequence... it has been in progress since 22nd November 2008 and has |
| 36 |
> tried 7195 user names in alphabetical order from 521 distinct hosts - |
| 37 |
> with no successive two attempts from the same host. |
| 38 |
> |
| 39 |
> I'm not particularly concerned - since I'm confident that all my users |
| 40 |
> have strong passwords... but it strikes me that this data identifies a |
| 41 |
> bot-net that is clearly malicious attempting to break passwords. |
| 42 |
> |
| 43 |
> Sure, I could use IPtables to block all these bad ports... or... I could |
| 44 |
> disable password authentication entirely... but I keep thinking that |
| 45 |
> there has to be something better I can do... any suggestions? Is there |
| 46 |
> a simple way to integrate a block-list of known-compromised hosts into |
| 47 |
> IPtables - rather like my postfix is configured to drop connections from |
| 48 |
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for |
| 49 |
> example. |
| 50 |
> |
| 51 |
> Break in attempts today (attempted username/IP address): |
| 52 |
> -- |
| 53 |
> huck 190.60.41.82 |
| 54 |
> huckleberry 81.196.122.2 |
| 55 |
> huckleberry 58.39.145.213 |
| 56 |
> huckleberry 60.230.184.143 |
| 57 |
> hue 58.196.4.2 |
| 58 |
> hue 83.228.92.228 |
| 59 |
> huela 193.41.235.225 |
| 60 |
> huela 193.41.235.225 |
| 61 |
> huey 201.21.216.198 |
| 62 |
> huey 81.149.101.27 |
| 63 |
> hugh 200.123.174.145 |
| 64 |
> hugh 83.228.92.228 |
| 65 |
> hugh 212.46.24.146 |
| 66 |
> hugo 195.234.169.138 |
| 67 |
> hugo 193.86.111.6 |
| 68 |
> hugo 201.224.199.201 |
| 69 |
> hume 69.217.30.214 |
| 70 |
> hume 80.118.132.88 |
| 71 |
> hummer 71.166.159.177 |
| 72 |
> hummer 200.126.119.91 |
| 73 |
> hummer 61.4.210.33 |
| 74 |
> humphrey 80.34.55.88 |
| 75 |
> humphrey 213.163.19.158 |
| 76 |
> humvee 85.222.53.48 |
| 77 |
> humvee 80.24.4.23 |
| 78 |
> hung 61.47.31.130 |
| 79 |
> hung 70.46.140.187 |
| 80 |
> hunter 67.40.86.204 |
| 81 |
> hunter 83.228.92.228 |
| 82 |
> hunter 200.60.156.90 |
| 83 |
> huong 207.250.220.196 |
| 84 |
> huong 125.63.77.3 |
| 85 |
> huong 200.62.142.212 |
| 86 |
> huslu 219.93.187.38 |
| 87 |
> huslu 121.223.228.249 |
| 88 |
> huslu 200.29.135.50 |
| 89 |
> hussein 200.60.156.90 |
| 90 |
> hussein 200.6.220.46 |
| 91 |
> hussein 125.63.77.3 |
| 92 |
> huy 60.191.111.234 |
| 93 |
> huy 200.79.25.39 |
| 94 |
> huyen 213.136.105.130 |
| 95 |
> huyen 190.144.61.58 |
| 96 |
> huyen 121.33.199.37 |
| 97 |
> hy 121.33.199.37 |
| 98 |
> hy 90.190.96.46 |
| 99 |
> hyacinth 81.196.122.2 |
| 100 |
> hyacinth 189.43.21.244 |
| 101 |
> hyacinth 99.242.205.242 |
| 102 |
> hyman 201.21.216.198 |
| 103 |
> hypatia 218.28.143.246 |
| 104 |
> hypatia 195.234.169.138 |
| 105 |
> iain 200.118.119.48 |
| 106 |
> iain 124.42.124.87 |
| 107 |
> iain 194.224.118.61 |
| 108 |
> ian 189.56.92.42 |
| 109 |
> ian 201.28.119.60 |
| 110 |
> ian 210.187.18.199 |
| 111 |
> ianna 211.154.254.120 |
| 112 |
> ianna 84.242.66.10 |
| 113 |
> ianna 193.41.235.225 |
| 114 |
> ianthe 81.246.26.179 |
| 115 |
> ibtesam 87.30.163.87 |
| 116 |
> ichabod 201.251.61.108 |
| 117 |
> ida 62.61.141.93 |
| 118 |
> ida 80.24.4.23 |
| 119 |
> idalee 85.222.53.48 |
| 120 |
> idalee 190.144.61.58 |
| 121 |
> -- |
| 122 |
> |
| 123 |
> |
| 124 |
> |
Archives