I noticed the same thing on my host several weeks ago.

I strongly suggest removing root access to your ssh; root is probably being
tried by more than 50% of all login attempts... the other trials are
semi-intelligent random usernames (i.e., users that might really well exist, like
'apache' etc., but also other usernames which may not, like 'albert').
If your username is not part of the list of attempts, then it won't be tried
much, and I once found out that if your password is alphanumeric with lower and
upper cases, the hacker has, at worst, a chance of finding your password in
(26*2+10)^8 (for 8 chars long) = 62^8 = 2.18e14 steps, or 218 million million
steps. This is assuming they try the correct username each time!

The other thing you should do is place ssh on another port, very high. IIRC,
port numbers are 16 bits and can go as high as 65k... you could use 22xxx where
xxx is a random favorite number, for example.

Since it is very unlikely that the attacker is targeting you specifically,
changing the port number (and removing root access) will very likely stop the
attack forever. Though, if the attacker did target you, then you will need some
more security tools (intrusion detection, etc...).

Good luck!
Simon

Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> Previously, I noticed dictionary attacks launched - which were easy to
> detect... and I've a process to block the IP address of any host that
> repeatedly fails to authenticate.
>
> What I see now is quite different... I'm seeing a dictionary attack
> originating from a wide range of IP addresses - testing user-names in
> sequence... it has been in progress since 22nd November 2008 and has
> tried 7195 user names in alphabetical order from 521 distinct hosts -
> with no two successive attempts from the same host.
>
> I'm not particularly concerned - since I'm confident that all my users
> have strong passwords... but it strikes me that this data identifies a
> bot-net that is clearly malicious, attempting to break passwords.
>
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions? Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.
>
> Break-in attempts today (attempted username/IP address):
> --
> huck 190.60.41.82
> huckleberry 81.196.122.2
> huckleberry 58.39.145.213
> huckleberry 60.230.184.143
> hue 58.196.4.2
> hue 83.228.92.228
> huela 193.41.235.225
> huela 193.41.235.225
> huey 201.21.216.198
> huey 81.149.101.27
> hugh 200.123.174.145
> hugh 83.228.92.228
> hugh 212.46.24.146
> hugo 195.234.169.138
> hugo 193.86.111.6
> hugo 201.224.199.201
> hume 69.217.30.214
> hume 80.118.132.88
> hummer 71.166.159.177
> hummer 200.126.119.91
> hummer 61.4.210.33
> humphrey 80.34.55.88
> humphrey 213.163.19.158
> humvee 85.222.53.48
> humvee 80.24.4.23
> hung 61.47.31.130
> hung 70.46.140.187
> hunter 67.40.86.204
> hunter 83.228.92.228
> hunter 200.60.156.90
> huong 207.250.220.196
> huong 125.63.77.3
> huong 200.62.142.212
> huslu 219.93.187.38
> huslu 121.223.228.249
> huslu 200.29.135.50
> hussein 200.60.156.90
> hussein 200.6.220.46
> hussein 125.63.77.3
> huy 60.191.111.234
> huy 200.79.25.39
> huyen 213.136.105.130
> huyen 190.144.61.58
> huyen 121.33.199.37
> hy 121.33.199.37
> hy 90.190.96.46
> hyacinth 81.196.122.2
> hyacinth 189.43.21.244
> hyacinth 99.242.205.242
> hyman 201.21.216.198
> hypatia 218.28.143.246
> hypatia 195.234.169.138
> iain 200.118.119.48
> iain 124.42.124.87
> iain 194.224.118.61
> ian 189.56.92.42
> ian 201.28.119.60
> ian 210.187.18.199
> ianna 211.154.254.120
> ianna 84.242.66.10
> ianna 193.41.235.225
> ianthe 81.246.26.179
> ibtesam 87.30.163.87
> ichabod 201.251.61.108
> ida 62.61.141.93
> ida 80.24.4.23
> idalee 85.222.53.48
> idalee 190.144.61.58
> --
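The pattern Steve describes is exactly the one a per-host failure counter misses: each attempt comes from a different source, so no single IP ever crosses the "repeatedly fails" threshold, while the global sequence of user names still reveals a dictionary being walked in alphabetical order. The following Python script is an added example (not code from the thread or from either poster) that parses OpenSSH "Failed password" lines, applies the usual per-IP rule, then checks the invalid-user sequence for the distributed-sweep signature, and finally renders a block list as iptables rules. The log lines are constructed for the example: the user-name/IP pairs are copied from Steve's list, while the timestamps, PIDs, client ports and the single-host attempts against `root` from 10.0.0.5 are invented; the thresholds (`threshold`, `min_hosts`, `min_sorted_ratio`) are assumptions to tune for a real host.

```python
import re
from collections import Counter

# Constructed OpenSSH auth-log sample. Invalid-user/IP pairs come from Steve's
# list; timestamps, PIDs, ports and the 10.0.0.5 'root' attempts are made up.
SAMPLE_LOG = """\
Nov 30 03:12:01 host sshd[4121]: Failed password for invalid user huck from 190.60.41.82 port 51234 ssh2
Nov 30 03:12:09 host sshd[4123]: Failed password for invalid user huckleberry from 81.196.122.2 port 40210 ssh2
Nov 30 03:12:17 host sshd[4125]: Failed password for invalid user huckleberry from 58.39.145.213 port 33011 ssh2
Nov 30 03:12:25 host sshd[4127]: Failed password for invalid user huckleberry from 60.230.184.143 port 45002 ssh2
Nov 30 03:12:33 host sshd[4129]: Failed password for invalid user hue from 58.196.4.2 port 50120 ssh2
Nov 30 03:12:41 host sshd[4131]: Failed password for invalid user hue from 83.228.92.228 port 41100 ssh2
Nov 30 03:12:49 host sshd[4133]: Failed password for invalid user huela from 193.41.235.225 port 38877 ssh2
Nov 30 03:12:57 host sshd[4135]: Failed password for invalid user huey from 201.21.216.198 port 39001 ssh2
Nov 30 03:13:05 host sshd[4137]: Failed password for invalid user hugh from 200.123.174.145 port 42424 ssh2
Nov 30 03:13:13 host sshd[4139]: Failed password for invalid user hugo from 195.234.169.138 port 47331 ssh2
Nov 30 03:13:21 host sshd[4141]: Failed password for invalid user hume from 69.217.30.214 port 44002 ssh2
Nov 30 03:13:29 host sshd[4143]: Failed password for invalid user hummer from 71.166.159.177 port 36110 ssh2
Nov 30 03:14:00 host sshd[4150]: Failed password for root from 10.0.0.5 port 52000 ssh2
Nov 30 03:14:02 host sshd[4150]: Failed password for root from 10.0.0.5 port 52000 ssh2
Nov 30 03:14:04 host sshd[4150]: Failed password for root from 10.0.0.5 port 52000 ssh2
Nov 30 03:14:06 host sshd[4150]: Failed password for root from 10.0.0.5 port 52000 ssh2
Nov 30 03:14:08 host sshd[4150]: Failed password for root from 10.0.0.5 port 52000 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Failed password for X from IP" (the latter is a real account name).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return failed-login events in log order as (user, ip, is_invalid_user)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip"), m.group("invalid") is not None))
    return events


def per_host_offenders(events, threshold=5):
    """Classic per-IP rule: sources with at least `threshold` failures (assumed value)."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def detect_distributed_sweep(events, min_hosts=8, min_sorted_ratio=0.9):
    """Flag a user-name sweep spread over many sources, one attempt each.

    No single host trips the per-IP rule, so the test is global: what fraction
    of consecutive invalid user names are in alphabetical order, how many
    distinct sources took part, and how long the longest same-source run is.
    """
    sweep = [(u, ip) for u, ip, invalid in events if invalid]
    users = [u for u, _ in sweep]
    ips = [ip for _, ip in sweep]
    pairs = list(zip(users, users[1:]))
    sorted_ratio = (sum(a <= b for a, b in pairs) / len(pairs)) if pairs else 0.0
    max_run = run = 0
    prev = None
    for ip in ips:
        run = run + 1 if ip == prev else 1
        max_run = max(max_run, run)
        prev = ip
    stats = {
        "attempts": len(sweep),
        "distinct_hosts": len(set(ips)),
        "distinct_users": len(set(users)),
        "alphabetical_ratio": round(sorted_ratio, 3),
        "max_same_host_run": max_run,
    }
    stats["sweep"] = stats["distinct_hosts"] >= min_hosts and sorted_ratio >= min_sorted_ratio
    return stats


def blocklist_rules(ips, port=22):
    """Render one iptables DROP rule per offending source (sorted for stable output)."""
    return [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in sorted(set(ips))]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-host rule flags:", per_host_offenders(ev))
    stats = detect_distributed_sweep(ev)
    print("sweep stats:", stats)
    if stats["sweep"]:
        for rule in blocklist_rules(ip for _, ip, inv in ev if inv):
            print(rule)
```

On the sample, the per-IP rule flags only the invented 10.0.0.5 host, while the sweep detector reports twelve distinct sources, a fully alphabetical user-name sequence and a longest same-source run of one, which is the shape of Steve's data. Feeding the resulting rules into iptables is the simplest form of the block list he asks about; the ratio and host-count thresholds are the knobs to adjust so that ordinary, uncoordinated noise stays below them.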