On Wednesday 03 December 2008 22:02:43 Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> Previously, I noticed dictionary attacks launched - which were easy to
> detect... and I've a process to block the IP address of any host that
> repeatedly fails to authenticate.
>
> What I see now is quite different... I'm seeing a dictionary attack
> originating from a wide range of IP addresses - testing user-names in
> sequence... it has been in progress since 22nd November 2008 and has
> tried 7195 user names in alphabetical order from 521 distinct hosts -
> with no successive two attempts from the same host.

Slashdot yesterday, read the front page

It seems to be a co-ordinated and very well synchronized stealth bot-net. You
are one of many that has noticed this. I am noticing scans on machines that
have never been scanned before in all the time they have been up.

You should indeed be very concerned and take extra special due care with your
security arrangements currently. In fact, if you admin machines that are in
any way critical, you really *really* should be undertaking a thorough
security audit and make very sure you have done everything and covered all
your bases.

--
alan dot mckinnon at gmail dot com
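
The pattern described in the quoted message (user names tried in alphabetical order, many source hosts, no two successive attempts from the same host) never trips a per-IP failure counter. The following is an added example, not part of the original thread, showing one way to flag it from sshd log lines; the log lines, documentation-range addresses, function names and thresholds are constructed assumptions.

```python
import re
from collections import Counter

# OpenSSH logs unknown accounts as "Invalid user NAME from ADDR".
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Dec  3 21:40:01 gw sshd[2101]: Invalid user aaron from 192.0.2.10
Dec  3 21:41:13 gw sshd[2105]: Invalid user abby from 198.51.100.7
Dec  3 21:42:30 gw sshd[2109]: Invalid user abel from 203.0.113.44
Dec  3 21:43:02 gw sshd[2113]: Accepted publickey for steve from 192.0.2.200 port 40022 ssh2
Dec  3 21:43:48 gw sshd[2117]: Invalid user adam from 192.0.2.91
Dec  3 21:45:05 gw sshd[2121]: Invalid user adrian from 198.51.100.23
Dec  3 21:46:19 gw sshd[2125]: Invalid user agnes from 192.0.2.10
Dec  3 21:47:33 gw sshd[2129]: Invalid user albert from 203.0.113.5
Dec  3 21:48:50 gw sshd[2133]: Invalid user alfred from 198.51.100.7
""".splitlines()

def parse_attempts(lines):
    """Return [(username, source_address), ...] in log order."""
    return [m.groups() for m in map(INVALID_USER.search, lines) if m]

def analyse(attempts, per_ip_threshold=3):
    """Compare what a per-IP blocker sees with the cross-host picture."""
    per_ip = Counter(ip for _, ip in attempts)
    pairs = list(zip(attempts, attempts[1:]))
    n = max(len(pairs), 1)
    return {
        "attempts": len(attempts),
        "distinct_hosts": len(per_ip),
        # Hosts a "repeated failures from one address" rule would block.
        "per_ip_blocked": sorted(ip for ip, c in per_ip.items() if c >= per_ip_threshold),
        # Share of consecutive attempts whose user names are in alphabetical order.
        "alphabetical_ratio": sum(a[0].lower() <= b[0].lower() for a, b in pairs) / n,
        # Share of consecutive attempts that come from a different host.
        "host_switch_ratio": sum(a[1] != b[1] for a, b in pairs) / n,
    }

def is_distributed_dictionary(stats, min_attempts=6, min_hosts=4, min_ratio=0.9):
    """Hypothetical thresholds: many hosts, ordered names, constant host rotation."""
    return (stats["attempts"] >= min_attempts
            and stats["distinct_hosts"] >= min_hosts
            and stats["alphabetical_ratio"] >= min_ratio
            and stats["host_switch_ratio"] >= min_ratio)

if __name__ == "__main__":
    stats = analyse(parse_attempts(SAMPLE_LOG))
    print(stats, is_distributed_dictionary(stats))
```

On the sample, the per-IP rule blocks nothing while the cross-host check fires; in practice the window would be hours or days of log, and the thresholds need tuning against normal traffic.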