I've recently discovered a curious pattern emerging in my system log
with failed login attempts via ssh.

Previously, I noticed dictionary attacks launched - which were easy to
detect... and I've a process to block the IP address of any host that
repeatedly fails to authenticate.

What I see now is quite different... I'm seeing a dictionary attack
originating from a wide range of IP addresses - testing user-names in
sequence... it has been in progress since 22nd November 2008 and has
tried 7195 user names in alphabetical order from 521 distinct hosts -
with no two successive attempts from the same host.

I'm not particularly concerned - since I'm confident that all my users
have strong passwords... but it strikes me that this data identifies a
bot-net that is clearly malicious, attempting to break passwords.

Sure, I could use IPtables to block all these bad ports... or... I could
disable password authentication entirely... but I keep thinking that
there has to be something better I can do... any suggestions? Is there
a simple way to integrate a block-list of known-compromised hosts into
IPtables - rather like my postfix is configured to drop connections from
known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
example.

Break-in attempts today (attempted username/IP address):
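As an added example (not part of the original post), a short Python script that parses sshd "Failed password" lines and reports the signals that separate the distributed, alphabetical username sweep described above from an ordinary single-host dictionary attack that per-host blocking already catches. The log line layout, the constructed sample lines (documentation-range IPs) and the thresholds are assumptions.

```python
import re
from collections import Counter
# Matches the OpenSSH failure line as sshd writes it to auth.log / syslog, e.g.
# "sshd[123]: Failed password for invalid user hugo from 198.51.100.7 port 4022 ssh2".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")

def parse_failures(lines):
    """Return (user, ip) pairs, in log order, for sshd failed-password lines."""
    pairs = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs

def characterise(attempts):
    """Summarise a sequence of (user, ip) failures.
    A distributed sweep like the one in the post shows many hosts, usernames
    arriving in alphabetical order and no host sending more than a small share
    of the attempts; a single-host dictionary attack shows the opposite.  The
    thresholds below are assumptions, not tuned values.
    """
    n = len(attempts)
    users = [u for u, _ in attempts]
    hosts = Counter(ip for _, ip in attempts)
    ordered = sum(1 for a, b in zip(users, users[1:]) if a <= b)
    sorted_fraction = ordered / (n - 1) if n > 1 else 0.0
    top_share = max(hosts.values()) / n if n else 0.0
    summary = {"attempts": n, "hosts": len(hosts), "users": len(set(users)),
               "sorted_fraction": round(sorted_fraction, 2),
               "top_host_share": round(top_share, 2)}
    summary["distributed_sweep"] = (
        n >= 10 and len(hosts) >= 5 and sorted_fraction >= 0.9 and top_share <= 0.2)
    return summary

# Constructed sample log lines (documentation IP ranges, not real attackers).
SWEEP = [f"Dec  1 03:{i:02d}:17 host sshd[{100 + i}]: Failed password for invalid user "
         f"{u} from 198.51.100.{i + 1} port {4000 + i} ssh2"
         for i, u in enumerate(["huck", "huckleberry", "hue", "huela", "huey", "hugh",
                                "hugo", "hume", "hummer", "humphrey", "humvee", "hung"])]
SINGLE_HOST = [f"Dec  1 04:00:{i:02d} host sshd[{200 + i}]: Failed password for invalid "
               f"user {u} from 192.0.2.9 port {5000 + i} ssh2"
               for i, u in enumerate(["root", "admin", "test", "oracle", "guest", "user",
                                      "postgres", "ubuntu", "pi", "git", "backup", "ftp"])]

if __name__ == "__main__":
    for name, lines in (("sweep", SWEEP), ("single host", SINGLE_HOST)):
        print(name, characterise(parse_failures(lines)))
```

Feeding it the real auth.log instead of the constructed lines gives a quick answer to whether a new burst is the spread-out sweep (where per-IP blocking buys little) or a single host that the existing blocking process handles.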