[thelist] SSH login attacks

Ron ronr at linuxdude.com
Thu May 5 07:52:58 CDT 2005


A Maynes: You must be a Windows user. The log entries he posted are just
standard logging for *nix machines that gets emailed to root every day. Anyone
that runs a *nix box is very familiar with them.

Getafixx: I used to send emails to the abuse address listed in the output from
whois -h <address>
but it's gotten too frequent now. However, when I did, most would result in a
reply thanking me for making them (the hosting companies usually) aware of it.
Now, I just run a script that adds a rule to the firewall if someone from the
same IP tries to login with different names.


A Maynes wrote:

>How do you know these are attacks?
>
>What program would they be using and what are they looking for?
>
>Have you got a firewall?
>
>Andrew
>
>>-----Original Message-----
>>From: Getafixx [mailto:getafixx at getafixx.com] 
>>Sent: 05 May 2005 11:47
>>To: thelist at lists.evolt.org
>>Subject: [thelist] SSH login attacks
>>
>>
>>Hello...
>>
>>I have been reading my server mails and have noticed that I am getting
>>SSH script kiddie attacks, where I get up to 5000 attempted SSH logins
>>from mostly the same domain (i.e. the same domain attacks one day, and
>>then it is another domain the next day).
>>
>>A day's sample of the attacks....
>>       apache (server1040.webserver44.com ): 4 Time(s)
>>       unknown (server1040.webserver44.com ): 168 Time(s)
>>       nobody (217.151.237.56 ): 1 Time(s)
>>       root (server1040.webserver44.com ): 236 Time(s)
>>       operator (server1040.webserver44.com ): 4 Time(s)
>>       nobody (server1040.webserver44.com ): 4 Time(s)
>>       adm (server1040.webserver44.com ): 8 Time(s)
>>       mysql (server1040.webserver44.com ): 4 Time(s)
>>
>>...
>>Failed logins from these:
>>    account/password from 216.74.88.254: 4 Time(s)
>>    adam/password from 216.74.88.254: 4 Time(s)
>>    adm/password from 216.74.88.254: 8 Time(s)
>>    alan/password from 216.74.88.254: 4 Time(s)
>>    apache/password from 216.74.88.254: 4 Time(s)
>>    backup/password from 216.74.88.254: 4 Time(s)
>>    cip51/password from 216.74.88.254: 4 Time(s)
>>    cip52/password from 216.74.88.254: 4 Time(s)
>>    cosmin/password from 216.74.88.254: 4 Time(s)
>>    cyrus/password from 216.74.88.254: 4 Time(s)
>>    data/password from 216.74.88.254: 4 Time(s)
>>    frank/password from 216.74.88.254: 4 Time(s)
>>    george/password from 216.74.88.254: 4 Time(s)
>>    henry/password from 216.74.88.254: 4 Time(s)
>>    horde/password from 216.74.88.254: 4 Time(s)
>>    iceuser/password from 216.74.88.254: 4 Time(s)
>>    irc/password from 216.74.88.254: 8 Time(s)
>>    jane/password from 216.74.88.254: 4 Time(s)
>>    john/password from 216.74.88.254: 4 Time(s)
>>    master/password from 216.74.88.254: 4 Time(s)
>>    matt/password from 216.74.88.254: 4 Time(s)
>>    mysql/password from 216.74.88.254: 4 Time(s)
>>    nobody/password from 216.74.88.254: 4 Time(s)
>>    nobody/password from 217.151.237.56: 1 Time(s)
>>    noc/password from 216.74.88.254: 4 Time(s)
>>    operator/password from 216.74.88.254: 4 Time(s)
>>    oracle/password from 216.74.88.254: 4 Time(s)
>>    pamela/password from 216.74.88.254: 4 Time(s)
>>    patrick/password from 216.74.88.254: 8 Time(s)
>>    rolo/password from 216.74.88.254: 4 Time(s)
>>    root/password from 216.74.88.254: 236 Time(s)
>>    server/password from 216.74.88.254: 4 Time(s)
>>    sybase/password from 216.74.88.254: 4 Time(s)
>>    test/password from 216.74.88.254: 20 Time(s)
>>    user/password from 216.74.88.254: 12 Time(s)
>>    web/password from 216.74.88.254: 8 Time(s)
>>    webmaster/password from 216.74.88.254: 4 Time(s)
>>    www-data/password from 216.74.88.254: 4 Time(s)
>>    www/password from 216.74.88.254: 4 Time(s)
>>    wwwrun/password from 216.74.88.254: 4 Time(s)
>>
>>The script seems to try 4 passwords for each account. But frankly they
>>are trying accounts that no one in their right mind would set up anyway
>>(apart from root).
>>
>>I want to find some way of massively delaying the login prompt or
>>anything coming back to the attacker so that all my machine does is act
>>like a black hole, and will eventually return an invalid login, or again
>>go away for a few mins, thus denying the attackers valuable time for
>>another attempt.
>>
>>So do you attempt to check what login attempts are coming in, and filter
>>what happens based on incoming IP and/or a list of trusted sites? I
>>imagine that this way is pretty tedious and time consuming.
>>
>>OR do you have the first attempt return quickly and then later attempts
>>from the same IP (even if they are a few seconds apart) just keep
>>squaring the time taken to return, so 1 2 4 16 96 9216 84934656
>>7213895789838336 and so on.. so that you are just slowly killing the
>>attempts.
>>
>>So now my question: how do you do that? And how hard is it?
>>
>>Thanks in advance.
>>
>>Justin
>>
>>
>>-- 
>>==============================================================
>>Justin / Getafixx                                07967 638 529
>>mailto:qwerty1 at getafixx.com
>>http://getafixx.com
>>http://getafixxhosting.com for really cheap web hosting
>>==============================================================
>
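An added example, not code from anyone in this thread, of the two ideas discussed above: Ron's script that blocks a source IP once it has tried several different usernames, and Justin's question about making each further attempt from the same IP wait longer. It parses standard OpenSSH "Failed password" syslog lines (the constructed sample below uses the thread's 216.74.88.254 plus made-up hosts), counts distinct usernames per IP, renders an iptables DROP rule for each offender as a string rather than executing it, and computes a capped exponential delay instead of the uncapped squaring sequence, which would reach years within a handful of attempts and lock out anyone sharing that address. The threshold, allowlist and cap values are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH syslog lines (not taken from the thread's logs);
# the last host, 10.0.0.7, is a legitimate user who mistypes a password twice.
SAMPLE_LOG = """\
May  5 03:12:01 host sshd[2201]: Failed password for invalid user adam from 216.74.88.254 port 40112 ssh2
May  5 03:12:03 host sshd[2203]: Failed password for invalid user alan from 216.74.88.254 port 40113 ssh2
May  5 03:12:05 host sshd[2205]: Failed password for root from 216.74.88.254 port 40114 ssh2
May  5 03:12:07 host sshd[2207]: Failed password for invalid user test from 216.74.88.254 port 40115 ssh2
May  5 03:12:09 host sshd[2209]: Failed password for invalid user nobody from 217.151.237.56 port 51000 ssh2
May  5 03:15:00 host sshd[2301]: Failed password for justin from 10.0.0.7 port 52000 ssh2
May  5 03:15:04 host sshd[2303]: Failed password for justin from 10.0.0.7 port 52001 ssh2
May  5 03:15:09 host sshd[2305]: Accepted publickey for justin from 10.0.0.7 port 52002 ssh2
"""

# Matches OpenSSH's failed-password message for both existing and unknown users.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def usernames_per_ip(log_text):
    """Map each source IP to the set of distinct usernames it failed to log in as."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("user"))
    return seen


def offenders(log_text, min_distinct_users=3, allowlist=()):
    """IPs that tried at least `min_distinct_users` different names.

    Counting distinct names rather than raw failures is what separates a
    username-guessing script from one person fat-fingering their own password.
    `allowlist` holds addresses (e.g. your own office) that must never be blocked.
    """
    return sorted(
        ip
        for ip, users in usernames_per_ip(log_text).items()
        if len(users) >= min_distinct_users and ip not in allowlist
    )


def firewall_rules(ips):
    """Render one iptables rule per IP; returned as strings, nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


def backoff_delay(attempt, base=1.0, cap=300.0):
    """Seconds to wait before answering the n-th failed attempt from one IP.

    Doubles per attempt (1, 2, 4, 8, ...) and is capped so that a shared or
    spoofed source address cannot be tarpitted indefinitely.
    """
    return min(cap, base * 2 ** max(attempt - 1, 0))


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG, allowlist={"10.0.0.7"})
    for rule in firewall_rules(bad):
        print(rule)
    for n in (1, 2, 3, 5, 20):
        print(f"attempt {n}: delay {backoff_delay(n):.0f}s")
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh` output) the same functions work unchanged; the printed rules can be reviewed before being fed to the firewall, and the allowlist prevents the script from ever blocking the addresses you administer from.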
