[thelist] SSH login attacks

Getafixx getafixx at getafixx.com
Thu May 5 07:05:12 CDT 2005


Because it is my server and I am aware of what users there are on it and
who should be logging in and who shouldn't be.

Justin

A Maynes wrote:
> How do you know these are attacks?
> 
> What program would they be using and what are they looking for?
> 
> Have you got a firewall?
> 
> Andrew
> 
> 
>>-----Original Message-----
>>From: Getafixx [mailto:getafixx at getafixx.com] 
>>Sent: 05 May 2005 11:47
>>To: thelist at lists.evolt.org
>>Subject: [thelist] SSH login attacks
>>
>>
>>Hello...
>>
>>I have been reading my server mails and have noticed that I 
>>am getting 
>>SSH script kiddie attacks, where I get up to 5000 attempted 
>>SSH logins 
>>from mostly the same domain (ie the same domain attacks one day, and 
>>then it is another domain the next day).
>>
>>A day's sample of the attacks....
>>       apache (server1040.webserver44.com ): 4 Time(s)
>>       unknown (server1040.webserver44.com ): 168 Time(s)
>>       nobody (217.151.237.56 ): 1 Time(s)
>>       root (server1040.webserver44.com ): 236 Time(s)
>>       operator (server1040.webserver44.com ): 4 Time(s)
>>       nobody (server1040.webserver44.com ): 4 Time(s)
>>       adm (server1040.webserver44.com ): 8 Time(s)
>>       mysql (server1040.webserver44.com ): 4 Time(s)
>>
>>...
>>Failed logins from these:
>>    account/password from 216.74.88.254: 4 Time(s)
>>    adam/password from 216.74.88.254: 4 Time(s)
>>    adm/password from 216.74.88.254: 8 Time(s)
>>    alan/password from 216.74.88.254: 4 Time(s)
>>    apache/password from 216.74.88.254: 4 Time(s)
>>    backup/password from 216.74.88.254: 4 Time(s)
>>    cip51/password from 216.74.88.254: 4 Time(s)
>>    cip52/password from 216.74.88.254: 4 Time(s)
>>    cosmin/password from 216.74.88.254: 4 Time(s)
>>    cyrus/password from 216.74.88.254: 4 Time(s)
>>    data/password from 216.74.88.254: 4 Time(s)
>>    frank/password from 216.74.88.254: 4 Time(s)
>>    george/password from 216.74.88.254: 4 Time(s)
>>    henry/password from 216.74.88.254: 4 Time(s)
>>    horde/password from 216.74.88.254: 4 Time(s)
>>    iceuser/password from 216.74.88.254: 4 Time(s)
>>    irc/password from 216.74.88.254: 8 Time(s)
>>    jane/password from 216.74.88.254: 4 Time(s)
>>    john/password from 216.74.88.254: 4 Time(s)
>>    master/password from 216.74.88.254: 4 Time(s)
>>    matt/password from 216.74.88.254: 4 Time(s)
>>    mysql/password from 216.74.88.254: 4 Time(s)
>>    nobody/password from 216.74.88.254: 4 Time(s)
>>    nobody/password from 217.151.237.56: 1 Time(s)
>>    noc/password from 216.74.88.254: 4 Time(s)
>>    operator/password from 216.74.88.254: 4 Time(s)
>>    oracle/password from 216.74.88.254: 4 Time(s)
>>    pamela/password from 216.74.88.254: 4 Time(s)
>>    patrick/password from 216.74.88.254: 8 Time(s)
>>    rolo/password from 216.74.88.254: 4 Time(s)
>>    root/password from 216.74.88.254: 236 Time(s)
>>    server/password from 216.74.88.254: 4 Time(s)
>>    sybase/password from 216.74.88.254: 4 Time(s)
>>    test/password from 216.74.88.254: 20 Time(s)
>>    user/password from 216.74.88.254: 12 Time(s)
>>    web/password from 216.74.88.254: 8 Time(s)
>>    webmaster/password from 216.74.88.254: 4 Time(s)
>>    www-data/password from 216.74.88.254: 4 Time(s)
>>    www/password from 216.74.88.254: 4 Time(s)
>>    wwwrun/password from 216.74.88.254: 4 Time(s)
>>
>>The script seems to try 4 passwords for each account. But frankly they
>>are trying accounts that no one in their right mind would set up anyway
>>(apart from root).
>>
>>I want to find some way of massively delaying the login prompt or
>>anything coming back to the attacker so that all my machine does is act
>>like a black hole, and will eventually return an invalid login, or again
>>go away for a few mins, thus denying the attackers valuable time for
>>another attempt.
>>
>>So do you attempt to check what login attempts are coming in, and filter
>>what happens based on incoming IP and/or a list of trusted sites? I
>>imagine that this way is pretty tedious and time consuming.
>>
>>OR do you have the first attempt return quickly and then later attempts
>>from the same IP (even if they are a few seconds apart) just keep
>>squaring the time taken to return, so 1 2 4 16 96 9216 84934656
>>7213895789838336 and so on.. so that you are just slowly killing the
>>attempts.
>>
>>So now my question: how do you do that, and how hard is it?
>>
>>thanks in advance.
>>
>>Justin
>>
>>
>>-- 
>>==============================================================
>>Justin / Getafixx                                07967 638 529
>>mailto:qwerty1 at getafixx.com
>>
>>
>>http://getafixx.com
>>http://getafixxhosting.com for really cheap web hosting
>>==============================================================
>>

-- 
==============================================================
Justin / Getafixx                                07967 638 529
mailto:qwerty1 at getafixx.com

http://getafixx.com
http://getafixxhosting.com for really cheap web hosting
==============================================================
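One way to do what Justin is asking about, added here as an example and not code from anyone in the thread: parse the OpenSSH "Failed password" syslog lines, count failures per source IP, and derive a doubling (capped) delay before the next answer plus a block decision once a threshold is crossed. The log lines, the threshold and the cap are constructed for the example; the block rules it emits are ordinary iptables commands.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines (not taken from the original post).
SAMPLE_LOG = """\
May  5 03:14:01 host sshd[4120]: Failed password for invalid user test from 216.74.88.254 port 40122 ssh2
May  5 03:14:03 host sshd[4121]: Failed password for invalid user test from 216.74.88.254 port 40123 ssh2
May  5 03:14:05 host sshd[4122]: Failed password for root from 216.74.88.254 port 40124 ssh2
May  5 03:14:07 host sshd[4123]: Failed password for root from 216.74.88.254 port 40125 ssh2
May  5 03:14:09 host sshd[4124]: Failed password for invalid user nobody from 217.151.237.56 port 51000 ssh2
May  5 03:14:11 host sshd[4125]: Accepted publickey for justin from 192.0.2.10 port 5001 ssh2
"""

# Matches both "Failed password for root from IP" and "... for invalid user X from IP".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def failures_by_ip(log_text):
    """Return {source_ip: [attempted_user, ...]} for every failed password attempt."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out[m.group("ip")].append(m.group("user"))
    return dict(out)

def backoff_delay(attempt_number, base=1.0, cap=300.0):
    """Seconds to wait before answering the Nth attempt from one IP.

    First attempt answers immediately; later ones double (1, 2, 4, 8, ...)
    up to a cap so the server does not hold its own sockets open forever.
    """
    if attempt_number <= 1:
        return 0.0
    return min(base * 2 ** (attempt_number - 2), cap)

def plan_response(log_text, ban_threshold=3):
    """Per source IP: failures seen so far, delay for the next attempt, and block decision."""
    plan = {}
    for ip, users in failures_by_ip(log_text).items():
        n = len(users)
        plan[ip] = {"failures": n, "next_delay": backoff_delay(n + 1), "block": n >= ban_threshold}
    return plan

def block_commands(plan):
    """iptables rules (as strings) for the IPs the plan marks for blocking on port 22."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip, info in sorted(plan.items()) if info["block"]]
```

Feeding the real auth log through this once a minute from cron and applying the emitted rules is the essence of what tools like fail2ban automate; an allowlist of trusted IPs should be checked before any block is applied.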