On Wed, Dec 3, 2008 at 2:02 PM, Steve <Gentoo_sjh@×××××××.uk> wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> Previously, I noticed dictionary attacks launched - which were easy to
> detect... and I've a process to block the IP address of any host that
> repeatedly fails to authenticate.
>
> What I see now is quite different... I'm seeing a dictionary attack
> originating from a wide range of IP addresses - testing user-names in
> sequence... it has been in progress since 22nd November 2008 and has
> tried 7195 user names in alphabetical order from 521 distinct hosts -
> with no two successive attempts from the same host.

This has been going on all year, you're lucky if you just started
getting it. :)

AFAIK nobody has found any specific fingerprint or anything to block
it by. The "solution" seems to be: only allow SSH from specific IP
addresses, don't use port 22, don't use password auth, use some kind
of portknocking, etc. as you already alluded to. If you Google for
distributed ssh brute force attacks, there are some fairly detailed
articles out there from earlier in the year.

Good luck :)

Paul
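The pattern Steve describes (usernames tried in alphabetical order, each attempt from a different host) is exactly what a per-host failure counter cannot see. The following is an added example, not code from the thread or from any participant: it reads constructed sshd "Invalid user" lines and reports both what a per-host blocker would count and the length of the longest run of ascending usernames from alternating sources. The log lines, addresses and thresholds are all made up for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample sshd log lines (not from the original thread); the
# source addresses are RFC 5737 documentation-range placeholders.
SAMPLE_LOG = """\
Nov 22 03:14:07 gw sshd[4011]: Invalid user aaron from 192.0.2.10
Nov 22 03:14:31 gw sshd[4013]: Invalid user abby from 198.51.100.7
Nov 22 03:14:55 gw sshd[4015]: Invalid user abel from 203.0.113.42
Nov 22 03:15:20 gw sshd[4017]: Invalid user abigail from 192.0.2.77
Nov 22 03:15:44 gw sshd[4019]: Invalid user abraham from 198.51.100.200
Nov 22 03:16:09 gw sshd[4021]: Invalid user adam from 203.0.113.9
"""

LINE_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")

@dataclass
class Verdict:
    attempts: int
    distinct_hosts: int
    max_per_host: int   # the most any single source tried: what a per-host blocker sees
    longest_run: int    # longest run of ascending usernames from alternating sources
    distributed: bool   # True when the run is long but no host crossed the threshold

def parse(log):
    """Return (username, source_ip) pairs in log order, skipping other lines."""
    return [m.groups() for m in map(LINE_RE.search, log.splitlines()) if m]

def analyze(log, per_host_threshold=5, min_run=5):
    attempts = parse(log)
    hosts = {}
    for _, ip in attempts:
        hosts[ip] = hosts.get(ip, 0) + 1
    # Extend the run while the username does not go backwards alphabetically
    # and the source differs from the previous attempt; otherwise restart it.
    best = run = 1 if attempts else 0
    for (prev_user, prev_ip), (user, ip) in zip(attempts, attempts[1:]):
        run = run + 1 if (user >= prev_user and ip != prev_ip) else 1
        best = max(best, run)
    max_per_host = max(hosts.values(), default=0)
    return Verdict(
        attempts=len(attempts),
        distinct_hosts=len(hosts),
        max_per_host=max_per_host,
        longest_run=best,
        distributed=best >= min_run and max_per_host < per_host_threshold,
    )

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against a real log, `max_per_host` staying below the blocking threshold while `longest_run` keeps growing is the signal that per-host blocking is being sidestepped and that Paul's suggestions (source restrictions, key-only auth) are the relevant controls.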