[thelist] SSH login attacks
A Maynes
andrew at milords.com
Thu May 5 06:48:40 CDT 2005
How do you know these are attacks?
What program would they be using, and what are they looking for?
Have you got a firewall?
Andrew
> -----Original Message-----
> From: Getafixx [mailto:getafixx at getafixx.com]
> Sent: 05 May 2005 11:47
> To: thelist at lists.evolt.org
> Subject: [thelist] SSH login attacks
>
>
> Hello...
>
> I have been reading my server mails and have noticed that I am getting
> SSH script kiddie attacks, where I get up to 5000 attempted SSH logins
> from mostly the same domain (ie the same domain attacks one day, and
> then it is another domain the next day).
>
> a day's sample of the attacks....
> apache (server1040.webserver44.com ): 4 Time(s)
> unknown (server1040.webserver44.com ): 168 Time(s)
> nobody (217.151.237.56 ): 1 Time(s)
> root (server1040.webserver44.com ): 236 Time(s)
> operator (server1040.webserver44.com ): 4 Time(s)
> nobody (server1040.webserver44.com ): 4 Time(s)
> adm (server1040.webserver44.com ): 8 Time(s)
> mysql (server1040.webserver44.com ): 4 Time(s)
>
> ...
> Failed logins from these:
> account/password from 216.74.88.254: 4 Time(s)
> adam/password from 216.74.88.254: 4 Time(s)
> adm/password from 216.74.88.254: 8 Time(s)
> alan/password from 216.74.88.254: 4 Time(s)
> apache/password from 216.74.88.254: 4 Time(s)
> backup/password from 216.74.88.254: 4 Time(s)
> cip51/password from 216.74.88.254: 4 Time(s)
> cip52/password from 216.74.88.254: 4 Time(s)
> cosmin/password from 216.74.88.254: 4 Time(s)
> cyrus/password from 216.74.88.254: 4 Time(s)
> data/password from 216.74.88.254: 4 Time(s)
> frank/password from 216.74.88.254: 4 Time(s)
> george/password from 216.74.88.254: 4 Time(s)
> henry/password from 216.74.88.254: 4 Time(s)
> horde/password from 216.74.88.254: 4 Time(s)
> iceuser/password from 216.74.88.254: 4 Time(s)
> irc/password from 216.74.88.254: 8 Time(s)
> jane/password from 216.74.88.254: 4 Time(s)
> john/password from 216.74.88.254: 4 Time(s)
> master/password from 216.74.88.254: 4 Time(s)
> matt/password from 216.74.88.254: 4 Time(s)
> mysql/password from 216.74.88.254: 4 Time(s)
> nobody/password from 216.74.88.254: 4 Time(s)
> nobody/password from 217.151.237.56: 1 Time(s)
> noc/password from 216.74.88.254: 4 Time(s)
> operator/password from 216.74.88.254: 4 Time(s)
> oracle/password from 216.74.88.254: 4 Time(s)
> pamela/password from 216.74.88.254: 4 Time(s)
> patrick/password from 216.74.88.254: 8 Time(s)
> rolo/password from 216.74.88.254: 4 Time(s)
> root/password from 216.74.88.254: 236 Time(s)
> server/password from 216.74.88.254: 4 Time(s)
> sybase/password from 216.74.88.254: 4 Time(s)
> test/password from 216.74.88.254: 20 Time(s)
> user/password from 216.74.88.254: 12 Time(s)
> web/password from 216.74.88.254: 8 Time(s)
> webmaster/password from 216.74.88.254: 4 Time(s)
> www-data/password from 216.74.88.254: 4 Time(s)
> www/password from 216.74.88.254: 4 Time(s)
> wwwrun/password from 216.74.88.254: 4 Time(s)
>
> the script seems to try 4 passwords for each account. But frankly they
> are trying accounts that no one in their right mind would set up anyway
> (apart from root).
>
> I want to find some way of massively delaying the login prompt or
> anything coming back to the attacker so that all my machine does is act
> like a black hole, and will eventually return an invalid login, or again
> go away for a few mins, thus denying the attackers valuable time for
> another attempt.
>
> So do you attempt to check what login attempts are coming in, and filter
> what happens based on incoming IP and/or a list of trusted sites? I
> imagine that this way is pretty tedious and time consuming.
>
> OR do you have the first attempt return quickly and then later attempts
> from the same IP (even if they are a few seconds apart) just keep
> squaring the time taken to return, so 1 2 4 16 96 9216 84934656
> 7213895789838336 and so on.. so that you are just slowly killing the
> attempts.
>
> So now my question: how do you do that? And how hard is it?
>
> thanks in advance.
>
> Justin
>
>
> --
> ==============================================================
> Justin / Getafixx 07967 638 529
> mailto:qwerty1 at getafixx.com
>
> http://getafixx.com
> http://getafixxhosting.com for really cheap web hosting
> ==============================================================
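As an added illustration of the per-source back-off the original poster asks about (example code written for this archive page, not something from the thread or from any tool mentioned in it): it parses the logwatch-style "Failed logins from these:" lines quoted above, totals failures per source IP, flags sources that look scripted, and computes a doubling response delay that is capped rather than squared without bound. The log sample is constructed from the quoted format, and the policy numbers (threshold, base, cap) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread (not a real log file).
SAMPLE_LOG = """\
Failed logins from these:
   adm/password from 216.74.88.254: 8 Time(s)
   root/password from 216.74.88.254: 236 Time(s)
   test/password from 216.74.88.254: 20 Time(s)
   nobody/password from 217.151.237.56: 1 Time(s)
"""

LINE_RE = re.compile(
    r"^\s*(?P<user>[\w.-]+)/password from (?P<ip>[\d.]+): (?P<n>\d+) Time\(s\)$"
)

def parse_failed_logins(text):
    """Return {ip: {user: count}} from 'user/password from IP: N Time(s)' lines."""
    per_ip = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_ip[m["ip"]][m["user"]] = int(m["n"])
    return dict(per_ip)

def backoff_delay(failures, base=1.0, cap=3600.0, free_attempts=1):
    """Seconds to wait before answering the next attempt from a source that has
    already failed `failures` times. The first `free_attempts` are answered at
    once; after that the delay doubles per failure and is capped so one noisy
    source cannot drive the timer to the astronomical values in the post.
    Hypothetical policy, not a real sshd setting."""
    if failures < free_attempts:
        return 0.0
    return min(base * 2 ** (failures - free_attempts), cap)

def classify_sources(per_ip, threshold=10):
    """Per-IP summary: total failures, distinct user names tried, whether the
    source exceeds the threshold, and the delay the next attempt would get.
    Many names with few tries each is the shape of a scripted wordlist run
    rather than a legitimate user mistyping a password."""
    report = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        report[ip] = {"total": total, "users": len(users),
                      "flagged": total > threshold,
                      "next_delay": backoff_delay(total)}
    return report
```

The delay values are only a policy illustration; applying them has to happen in whatever accepts the connection (firewall, wrapper or the SSH daemon), which this snippet does not do.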