[thelist] SSH login attacks
Ron
ronr at linuxdude.com
Thu May 5 07:52:58 CDT 2005
A Maynes: You must be a Windows user. The log entries he posted are just
standard logging for *nix machines that get emailed to root every day. Anyone
that runs a nix box is very familiar with them.
Getafixx: I used to send emails to the abuse address listed in the output
from
whois -h <address>
but it's gotten too frequent now. However, when I did, most would result in a
reply thanking me for making them (the hosting companies usually) aware
of it.
Now, I just run a script that adds a rule to the firewall if someone from the
same IP tries to login with different names.
A Maynes wrote:
>How do you know these are attacks?
>
>What program would they be using and what are they looking for?
>
>Have you got a firewall?
>
>Andrew
>
>
>
>>-----Original Message-----
>>From: Getafixx [mailto:getafixx at getafixx.com]
>>Sent: 05 May 2005 11:47
>>To: thelist at lists.evolt.org
>>Subject: [thelist] SSH login attacks
>>
>>
>>Hello...
>>
>>I have been reading my server mails and have noticed that I am getting
>>SSH script kiddie attacks, where I get up to 5000 attempted SSH logins
>>from mostly the same domain (ie the same domain attacks one day, and
>>then it is another domain the next day).
>>
>>A day's sample of the attacks....
>> apache (server1040.webserver44.com ): 4 Time(s)
>> unknown (server1040.webserver44.com ): 168 Time(s)
>> nobody (217.151.237.56 ): 1 Time(s)
>> root (server1040.webserver44.com ): 236 Time(s)
>> operator (server1040.webserver44.com ): 4 Time(s)
>> nobody (server1040.webserver44.com ): 4 Time(s)
>> adm (server1040.webserver44.com ): 8 Time(s)
>> mysql (server1040.webserver44.com ): 4 Time(s)
>>
>>...
>>Failed logins from these:
>> account/password from 216.74.88.254: 4 Time(s)
>> adam/password from 216.74.88.254: 4 Time(s)
>> adm/password from 216.74.88.254: 8 Time(s)
>> alan/password from 216.74.88.254: 4 Time(s)
>> apache/password from 216.74.88.254: 4 Time(s)
>> backup/password from 216.74.88.254: 4 Time(s)
>> cip51/password from 216.74.88.254: 4 Time(s)
>> cip52/password from 216.74.88.254: 4 Time(s)
>> cosmin/password from 216.74.88.254: 4 Time(s)
>> cyrus/password from 216.74.88.254: 4 Time(s)
>> data/password from 216.74.88.254: 4 Time(s)
>> frank/password from 216.74.88.254: 4 Time(s)
>> george/password from 216.74.88.254: 4 Time(s)
>> henry/password from 216.74.88.254: 4 Time(s)
>> horde/password from 216.74.88.254: 4 Time(s)
>> iceuser/password from 216.74.88.254: 4 Time(s)
>> irc/password from 216.74.88.254: 8 Time(s)
>> jane/password from 216.74.88.254: 4 Time(s)
>> john/password from 216.74.88.254: 4 Time(s)
>> master/password from 216.74.88.254: 4 Time(s)
>> matt/password from 216.74.88.254: 4 Time(s)
>> mysql/password from 216.74.88.254: 4 Time(s)
>> nobody/password from 216.74.88.254: 4 Time(s)
>> nobody/password from 217.151.237.56: 1 Time(s)
>> noc/password from 216.74.88.254: 4 Time(s)
>> operator/password from 216.74.88.254: 4 Time(s)
>> oracle/password from 216.74.88.254: 4 Time(s)
>> pamela/password from 216.74.88.254: 4 Time(s)
>> patrick/password from 216.74.88.254: 8 Time(s)
>> rolo/password from 216.74.88.254: 4 Time(s)
>> root/password from 216.74.88.254: 236 Time(s)
>> server/password from 216.74.88.254: 4 Time(s)
>> sybase/password from 216.74.88.254: 4 Time(s)
>> test/password from 216.74.88.254: 20 Time(s)
>> user/password from 216.74.88.254: 12 Time(s)
>> web/password from 216.74.88.254: 8 Time(s)
>> webmaster/password from 216.74.88.254: 4 Time(s)
>> www-data/password from 216.74.88.254: 4 Time(s)
>> www/password from 216.74.88.254: 4 Time(s)
>> wwwrun/password from 216.74.88.254: 4 Time(s)
>>
>>The script seems to try 4 passwords for each account. But frankly they
>>are trying accounts that no one in their right mind would set up anyway
>>(apart from root).
>>
>>I want to find some way of massively delaying the login prompt or
>>anything coming back to the attacker so that all my machine does is act
>>like a black hole, and will eventually return an invalid login, or again
>>go away for a few mins, thus denying the attackers valuable time for
>>another attempt.
>>
>>So do you attempt to check what login attempts are coming in, and filter
>>what happens based on incoming IP and/or a list of trusted sites? I
>>imagine that this way is pretty tedious and time consuming.
>>
>>OR do you have the first attempt return quickly and then later attempts
>>from the same IP (even if they are a few seconds apart) just keep
>>squaring the time taken to return, so 1 2 4 16 96 9216 84934656
>>7213895789838336 and so on.. so that you are just slowly killing the
>>attempts.
>>
>>So now my question: how do you do that, and how hard is it?
>>
>>thanks in advance.
>>
>>Justin
>>
>>
>>--
>>==============================================================
>>Justin / Getafixx 07967 638 529
>>mailto:qwerty1 at getafixx.com
>>
>>
>>
>>http://getafixx.com
>>http://getafixxhosting.com for really cheap web hosting
>>==============================================================
>
>
>
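Ron's rule (block an IP once it tries logins under several different names) as an added example, not his script: it counts distinct usernames per source IP over constructed sshd log lines and returns the candidate iptables rule for review rather than applying it. The IPs reuse those from the quoted report; the allowlisted address 10.0.0.5 and the threshold of 3 names are assumptions.

```python
import re
from collections import defaultdict

# Matches both "Failed password for invalid user bob from 1.2.3.4 ..."
# and "Failed password for root from 1.2.3.4 ..." as sshd writes them.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample auth.log lines (not from the original post).
SAMPLE_LOG = """\
May  5 03:11:02 host sshd[1201]: Failed password for invalid user adam from 216.74.88.254 port 40211 ssh2
May  5 03:11:04 host sshd[1202]: Failed password for invalid user alan from 216.74.88.254 port 40212 ssh2
May  5 03:11:06 host sshd[1203]: Failed password for root from 216.74.88.254 port 40213 ssh2
May  5 03:11:08 host sshd[1204]: Failed password for invalid user test from 216.74.88.254 port 40214 ssh2
May  5 04:20:30 host sshd[1310]: Failed password for nobody from 217.151.237.56 port 51000 ssh2
May  5 09:02:11 host sshd[1400]: Accepted publickey for justin from 10.0.0.5 port 52000 ssh2
May  5 09:05:00 host sshd[1401]: Failed password for justin from 10.0.0.5 port 52001 ssh2
"""


def usernames_by_ip(log_text):
    """Return {ip: set of usernames} seen in failed-password lines."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("user"))
    return seen


def ips_to_block(log_text, min_distinct_users=3, allowlist=("10.0.0.5",)):
    """IPs that tried at least min_distinct_users names, minus allowlisted hosts.

    A single legitimate user mistyping a password never trips this rule,
    because it only fires on *different* usernames from one source."""
    return sorted(
        ip for ip, users in usernames_by_ip(log_text).items()
        if len(users) >= min_distinct_users and ip not in allowlist
    )


def block_rule(ip):
    """iptables command to drop new SSH connections from ip (returned, not run)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG):
        print(block_rule(ip))
```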