| 1 |
I've recently discovered a curious pattern emerging in my system log |
| 2 |
with failed login attempts via ssh. |
| 3 |
|
| 4 |
Previously, I noticed dictionary attacks launched - which were easy to |
| 5 |
detect... and I've a process to block the IP address of any host that |
| 6 |
repeatedly fails to authenticate. |
| 7 |
|
| 8 |
What I see now is quite different... I'm seeing a dictionary attack |
| 9 |
originating from a wide range of IP addresses - testing user-names in |
| 10 |
sequence... it has been in progress since 22nd November 2008 and has |
| 11 |
tried 7195 user names in alphabetical order from 521 distinct hosts - |
| 12 |
with no successive two attempts from the same host. |
| 13 |
|
| 14 |
I'm not particularly concerned - since I'm confident that all my users |
| 15 |
have strong passwords... but it strikes me that this data identifies a |
| 16 |
bot-net that is clearly malicious attempting to break passwords. |
| 17 |
|
| 18 |
Sure, I could use IPtables to block all these bad ports... or... I could |
| 19 |
disable password authentication entirely... but I keep thinking that |
| 20 |
there has to be something better I can do... any suggestions? Is there |
| 21 |
a simple way to integrate a block-list of known-compromised hosts into |
| 22 |
IPtables - rather like my postfix is configured to drop connections from |
| 23 |
known spam sources from the sbl-xbl.spamhaus.org DNS block list, for |
| 24 |
example. |
| 25 |
|
| 26 |
Break in attempts today (attempted username/IP address): |
| 27 |
-- |
| 28 |
huck 190.60.41.82 |
| 29 |
huckleberry 81.196.122.2 |
| 30 |
huckleberry 58.39.145.213 |
| 31 |
huckleberry 60.230.184.143 |
| 32 |
hue 58.196.4.2 |
| 33 |
hue 83.228.92.228 |
| 34 |
huela 193.41.235.225 |
| 35 |
huela 193.41.235.225 |
| 36 |
huey 201.21.216.198 |
| 37 |
huey 81.149.101.27 |
| 38 |
hugh 200.123.174.145 |
| 39 |
hugh 83.228.92.228 |
| 40 |
hugh 212.46.24.146 |
| 41 |
hugo 195.234.169.138 |
| 42 |
hugo 193.86.111.6 |
| 43 |
hugo 201.224.199.201 |
| 44 |
hume 69.217.30.214 |
| 45 |
hume 80.118.132.88 |
| 46 |
hummer 71.166.159.177 |
| 47 |
hummer 200.126.119.91 |
| 48 |
hummer 61.4.210.33 |
| 49 |
humphrey 80.34.55.88 |
| 50 |
humphrey 213.163.19.158 |
| 51 |
humvee 85.222.53.48 |
| 52 |
humvee 80.24.4.23 |
| 53 |
hung 61.47.31.130 |
| 54 |
hung 70.46.140.187 |
| 55 |
hunter 67.40.86.204 |
| 56 |
hunter 83.228.92.228 |
| 57 |
hunter 200.60.156.90 |
| 58 |
huong 207.250.220.196 |
| 59 |
huong 125.63.77.3 |
| 60 |
huong 200.62.142.212 |
| 61 |
huslu 219.93.187.38 |
| 62 |
huslu 121.223.228.249 |
| 63 |
huslu 200.29.135.50 |
| 64 |
hussein 200.60.156.90 |
| 65 |
hussein 200.6.220.46 |
| 66 |
hussein 125.63.77.3 |
| 67 |
huy 60.191.111.234 |
| 68 |
huy 200.79.25.39 |
| 69 |
huyen 213.136.105.130 |
| 70 |
huyen 190.144.61.58 |
| 71 |
huyen 121.33.199.37 |
| 72 |
hy 121.33.199.37 |
| 73 |
hy 90.190.96.46 |
| 74 |
hyacinth 81.196.122.2 |
| 75 |
hyacinth 189.43.21.244 |
| 76 |
hyacinth 99.242.205.242 |
| 77 |
hyman 201.21.216.198 |
| 78 |
hypatia 218.28.143.246 |
| 79 |
hypatia 195.234.169.138 |
| 80 |
iain 200.118.119.48 |
| 81 |
iain 124.42.124.87 |
| 82 |
iain 194.224.118.61 |
| 83 |
ian 189.56.92.42 |
| 84 |
ian 201.28.119.60 |
| 85 |
ian 210.187.18.199 |
| 86 |
ianna 211.154.254.120 |
| 87 |
ianna 84.242.66.10 |
| 88 |
ianna 193.41.235.225 |
| 89 |
ianthe 81.246.26.179 |
| 90 |
ibtesam 87.30.163.87 |
| 91 |
ichabod 201.251.61.108 |
| 92 |
ida 62.61.141.93 |
| 93 |
ida 80.24.4.23 |
| 94 |
idalee 85.222.53.48 |
| 95 |
idalee 190.144.61.58 |
| 96 |
-- |
Archives