[thelist] SSH login attacks

A Maynes andrew at milords.com
Thu May 5 06:48:40 CDT 2005


How do you know these are attacks?

What program would they be using and what are they looking for?

Have you got a firewall?

Andrew

> -----Original Message-----
> From: Getafixx [mailto:getafixx at getafixx.com] 
> Sent: 05 May 2005 11:47
> To: thelist at lists.evolt.org
> Subject: [thelist] SSH login attacks
> 
> 
> Hello...
> 
> I have been reading my server mails and have noticed that I am getting
> SSH script kiddie attacks, where I get up to 5000 attempted SSH logins
> from mostly the same domain (ie the same domain attacks one day, and
> then it is another domain the next day).
> 
> a day's sample of the attacks....
>        apache (server1040.webserver44.com ): 4 Time(s)
>        unknown (server1040.webserver44.com ): 168 Time(s)
>        nobody (217.151.237.56 ): 1 Time(s)
>        root (server1040.webserver44.com ): 236 Time(s)
>        operator (server1040.webserver44.com ): 4 Time(s)
>        nobody (server1040.webserver44.com ): 4 Time(s)
>        adm (server1040.webserver44.com ): 8 Time(s)
>        mysql (server1040.webserver44.com ): 4 Time(s)
> 
> ...
> Failed logins from these:
>     account/password from 216.74.88.254: 4 Time(s)
>     adam/password from 216.74.88.254: 4 Time(s)
>     adm/password from 216.74.88.254: 8 Time(s)
>     alan/password from 216.74.88.254: 4 Time(s)
>     apache/password from 216.74.88.254: 4 Time(s)
>     backup/password from 216.74.88.254: 4 Time(s)
>     cip51/password from 216.74.88.254: 4 Time(s)
>     cip52/password from 216.74.88.254: 4 Time(s)
>     cosmin/password from 216.74.88.254: 4 Time(s)
>     cyrus/password from 216.74.88.254: 4 Time(s)
>     data/password from 216.74.88.254: 4 Time(s)
>     frank/password from 216.74.88.254: 4 Time(s)
>     george/password from 216.74.88.254: 4 Time(s)
>     henry/password from 216.74.88.254: 4 Time(s)
>     horde/password from 216.74.88.254: 4 Time(s)
>     iceuser/password from 216.74.88.254: 4 Time(s)
>     irc/password from 216.74.88.254: 8 Time(s)
>     jane/password from 216.74.88.254: 4 Time(s)
>     john/password from 216.74.88.254: 4 Time(s)
>     master/password from 216.74.88.254: 4 Time(s)
>     matt/password from 216.74.88.254: 4 Time(s)
>     mysql/password from 216.74.88.254: 4 Time(s)
>     nobody/password from 216.74.88.254: 4 Time(s)
>     nobody/password from 217.151.237.56: 1 Time(s)
>     noc/password from 216.74.88.254: 4 Time(s)
>     operator/password from 216.74.88.254: 4 Time(s)
>     oracle/password from 216.74.88.254: 4 Time(s)
>     pamela/password from 216.74.88.254: 4 Time(s)
>     patrick/password from 216.74.88.254: 8 Time(s)
>     rolo/password from 216.74.88.254: 4 Time(s)
>     root/password from 216.74.88.254: 236 Time(s)
>     server/password from 216.74.88.254: 4 Time(s)
>     sybase/password from 216.74.88.254: 4 Time(s)
>     test/password from 216.74.88.254: 20 Time(s)
>     user/password from 216.74.88.254: 12 Time(s)
>     web/password from 216.74.88.254: 8 Time(s)
>     webmaster/password from 216.74.88.254: 4 Time(s)
>     www-data/password from 216.74.88.254: 4 Time(s)
>     www/password from 216.74.88.254: 4 Time(s)
>     wwwrun/password from 216.74.88.254: 4 Time(s)
> 
> the script seems to try 4 passwords for each account. But frankly they
> are trying accounts that no one in their right mind would set up anyway.
> (apart from root)
> 
> I want to find some way of massively delaying the login prompt or
> anything coming back to the attacker so that all my machine does is act
> like a black hole, and will eventually return an invalid login, or again
> go away for a few mins, thus denying the attackers valuable time for
> another attempt.
> 
> So do you attempt to check what login attempts are coming in, and filter
> what happens based on incoming IP and/or a list of trusted sites? I
> imagine that this way is pretty tedious and time consuming.
> 
> OR do you have the first attempt return quickly and then later attempts
> from the same IP (even if they are a few seconds apart) just keep
> squaring the time taken to return, so 1 2 4 16 96 9216 84934656
> 7213895789838336 and so on.. so that you are just slowly killing the
> attempts.
> 
> So now my question: how do you do that? And how hard is it?
> 
> thanks in advance.
> 
> Justin
> 
> 
> -- 
> ==============================================================
> Justin / Getafixx                                07967 638 529
> mailto:qwerty1 at getafixx.com
> http://getafixx.com
> http://getafixxhosting.com for really cheap web hosting
> ==============================================================
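
Added example, not part of either message: one way to compute the per-source escalating penalty asked about in the quoted post, by replaying sshd failure lines. It doubles the penalty on each failure (rather than squaring) and caps it; the log lines, the hostname `web1`, the constants and the function names are constructed for illustration, and enforcing the block (for instance in a firewall) is not shown.

```python
import re
from datetime import datetime, timedelta

# OpenSSH failure line; "illegal user" is the older wording of "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")

BASE, CAP = 1, 3600              # assumed: 1 s first penalty, 1 h ceiling
FORGET = timedelta(minutes=10)   # assumed: quiet time that resets the count

def delay_for(strikes):
    """Penalty in seconds after the Nth consecutive failure: 1, 2, 4, ... capped."""
    return min(BASE * 2 ** (strikes - 1), CAP)

def penalties(lines, year=2005):
    """Replay log lines; return {ip: (strikes, blocked_until)}."""
    state = {}                   # ip -> (strikes, time of last failure)
    result = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:                # successful logins and other noise are ignored
            continue
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        strikes, last = state.get(m["ip"], (0, when))
        if when - last > FORGET:
            strikes = 0          # source stayed quiet long enough: start over
        strikes += 1
        state[m["ip"]] = (strikes, when)
        result[m["ip"]] = (strikes, when + timedelta(seconds=delay_for(strikes)))
    return result

# Constructed sample lines (source addresses taken from the quoted report).
SAMPLE = [
    "May  5 03:12:01 web1 sshd[2211]: Failed password for root from 216.74.88.254 port 40112 ssh2",
    "May  5 03:12:03 web1 sshd[2213]: Failed password for illegal user adam from 216.74.88.254 port 40120 ssh2",
    "May  5 03:12:05 web1 sshd[2215]: Failed password for illegal user cip51 from 216.74.88.254 port 40131 ssh2",
    "May  5 03:12:07 web1 sshd[2217]: Failed password for root from 216.74.88.254 port 40140 ssh2",
    "May  5 03:12:09 web1 sshd[2219]: Accepted password for justin from 192.0.2.10 port 51000 ssh2",
    "May  5 04:40:00 web1 sshd[2301]: Failed password for nobody from 217.151.237.56 port 33001 ssh2",
]

if __name__ == "__main__":
    for ip, (strikes, until) in penalties(SAMPLE).items():
        print(f"{ip}: {strikes} failures, refuse new connections until {until}")
```
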
