[thelist] SSH login attacks
Getafixx
getafixx at getafixx.com
Thu May 5 05:47:07 CDT 2005
Hello...
I have been reading my server mails and have noticed that I am getting
SSH script kiddie attacks, where I get up to 5000 attempted SSH logins
from mostly the same domain (ie the same domain attacks one day, and
then it is another domain the next day).
A day's sample of the attacks....
apache (server1040.webserver44.com ): 4 Time(s)
unknown (server1040.webserver44.com ): 168 Time(s)
nobody (217.151.237.56 ): 1 Time(s)
root (server1040.webserver44.com ): 236 Time(s)
operator (server1040.webserver44.com ): 4 Time(s)
nobody (server1040.webserver44.com ): 4 Time(s)
adm (server1040.webserver44.com ): 8 Time(s)
mysql (server1040.webserver44.com ): 4 Time(s)
...
Failed logins from these:
account/password from 216.74.88.254: 4 Time(s)
adam/password from 216.74.88.254: 4 Time(s)
adm/password from 216.74.88.254: 8 Time(s)
alan/password from 216.74.88.254: 4 Time(s)
apache/password from 216.74.88.254: 4 Time(s)
backup/password from 216.74.88.254: 4 Time(s)
cip51/password from 216.74.88.254: 4 Time(s)
cip52/password from 216.74.88.254: 4 Time(s)
cosmin/password from 216.74.88.254: 4 Time(s)
cyrus/password from 216.74.88.254: 4 Time(s)
data/password from 216.74.88.254: 4 Time(s)
frank/password from 216.74.88.254: 4 Time(s)
george/password from 216.74.88.254: 4 Time(s)
henry/password from 216.74.88.254: 4 Time(s)
horde/password from 216.74.88.254: 4 Time(s)
iceuser/password from 216.74.88.254: 4 Time(s)
irc/password from 216.74.88.254: 8 Time(s)
jane/password from 216.74.88.254: 4 Time(s)
john/password from 216.74.88.254: 4 Time(s)
master/password from 216.74.88.254: 4 Time(s)
matt/password from 216.74.88.254: 4 Time(s)
mysql/password from 216.74.88.254: 4 Time(s)
nobody/password from 216.74.88.254: 4 Time(s)
nobody/password from 217.151.237.56: 1 Time(s)
noc/password from 216.74.88.254: 4 Time(s)
operator/password from 216.74.88.254: 4 Time(s)
oracle/password from 216.74.88.254: 4 Time(s)
pamela/password from 216.74.88.254: 4 Time(s)
patrick/password from 216.74.88.254: 8 Time(s)
rolo/password from 216.74.88.254: 4 Time(s)
root/password from 216.74.88.254: 236 Time(s)
server/password from 216.74.88.254: 4 Time(s)
sybase/password from 216.74.88.254: 4 Time(s)
test/password from 216.74.88.254: 20 Time(s)
user/password from 216.74.88.254: 12 Time(s)
web/password from 216.74.88.254: 8 Time(s)
webmaster/password from 216.74.88.254: 4 Time(s)
www-data/password from 216.74.88.254: 4 Time(s)
www/password from 216.74.88.254: 4 Time(s)
wwwrun/password from 216.74.88.254: 4 Time(s)
The script seems to try 4 passwords for each account. But frankly they
are trying accounts that no one in their right mind would set up anyway
(apart from root).
I want to find some way of massively delaying the login prompt or
anything coming back to the attacker so that all my machine does is act
like a black hole, and will eventually return an invalid login, or again
go away for a few mins, thus denying the attackers valuable time for
another attempt.
So do you attempt to check what login attempts are coming in, and filter
what happens based on incoming IP and or a list of trusted sites? I
imagine that this way is pretty tedious and time consuming.
OR do you have the first attempt return quickly and then later attempts
from the same IP (even if they are a few seconds apart) just keep
squaring the time taken to return, so 1 2 4 16 96 9216 84934656
7213895789838336 and so on.. so that you are just slowly killing the
attempts.
So now my question: how do you do that? And how hard is it?
thanks in advance.
Justin
--
==============================================================
Justin / Getafixx 07967 638 529
mailto:qwerty1 at getafixx.com
http://getafixx.com
http://getafixxhosting.com for really cheap web hosting
==============================================================
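As an added illustration (not code from the post or from any tool it mentions) of the per-source backoff idea raised above, the script below parses lines in the logwatch-style "user/password from IP: N Time(s)" format quoted in the message, totals failures per source address, and computes a capped delay that doubles with each failure from that address. The sample input, the 10-failure block threshold and the one-hour cap are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the failed-login summary quoted above.
SAMPLE = """\
account/password from 216.74.88.254: 4 Time(s)
root/password from 216.74.88.254: 236 Time(s)
test/password from 216.74.88.254: 20 Time(s)
nobody/password from 217.151.237.56: 1 Time(s)
"""

LINE_RE = re.compile(
    r"^(?P<user>\S+)/password from (?P<ip>[\d.]+): (?P<n>\d+) Time\(s\)$"
)


def parse_failed_logins(text):
    """Return {ip: {user: count}} from 'user/password from IP: N Time(s)' lines."""
    per_ip = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not failed-login entries
        per_ip[m["ip"]][m["user"]] = int(m["n"])
    return dict(per_ip)


def failures_per_ip(per_ip):
    """Total failed attempts per source address, regardless of username."""
    return {ip: sum(users.values()) for ip, users in per_ip.items()}


def backoff_seconds(failures, base=1, cap=3600):
    """Delay before answering the next attempt from a source that has already
    failed `failures` times: base, 2*base, 4*base, ... capped at `cap` seconds
    so a persistent source cannot drive the delay to absurd values."""
    if failures <= 0:
        return 0
    return min(cap, base * 2 ** (failures - 1))


def sources_to_block(per_ip, threshold=10):
    """Source addresses whose total failures reach the threshold (assumed
    value), most active first, for feeding a firewall deny list."""
    totals = failures_per_ip(per_ip)
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])


if __name__ == "__main__":
    parsed = parse_failed_logins(SAMPLE)
    print(failures_per_ip(parsed), sources_to_block(parsed))
```

Note that a per-IP delay only slows a single source; the post shows the same campaign arriving from different hosts on different days, so the block list above is the part worth feeding into a firewall rule.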