On Wed, Dec 3, 2008 at 2:02 PM, Steve <[EMAIL PROTECTED]> wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> Previously, I noticed dictionary attacks launched - which were easy to
> detect... and I've a process to block the IP address of any host that
> repeatedly fails to authenticate.
>
> What I see now is quite different... I'm seeing a dictionary attack
> originating from a wide range of IP addresses - testing user-names in
> sequence... it has been in progress since 22nd November 2008 and has
> tried 7195 user names in alphabetical order from 521 distinct hosts -
> with no successive two attempts from the same host.
This has been going on all year, you're lucky if you just started getting it. :) AFAIK nobody has found any specific fingerprint or anything to block it by. The "solution" seems to be: only allow SSH from specific IP addresses, don't use port 22, don't use password auth, use some kind of portknocking, etc. as you already alluded to. If you Google for distributed ssh brute force attacks, there are some fairly detailed articles out there from earlier in the year.

Good luck :)

Paul
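The pattern Steve describes (usernames tried in alphabetical order, each attempt from a different host, never two in a row from the same address) is exactly what a per-IP failure counter cannot see, since every source fails only once or twice. The detector below is an added example, not code from either poster: it parses syslog-style sshd failure lines and keys on the campaign's shape rather than on any single source, by checking how many distinct hosts are involved, whether the username sequence is (mostly) non-decreasing, and whether consecutive attempts share a host. The log lines, hostname `gw`, addresses and thresholds are all constructed assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Syslog-style sshd failure lines (the auth.log format of the era).
# Matches "Invalid user NAME from IP" and "Failed password for NAME from IP",
# but deliberately not "Failed password for invalid user ...", so an attempt
# against a nonexistent account is counted once (on its "Invalid user" line).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?:Invalid user (?P<iuser>\S+)|Failed password for (?!invalid user)(?P<fuser>\S+))"
    r"\s+from\s+(?P<ip>[\d.]+)"
)


@dataclass
class Attempt:
    ts: datetime
    user: str
    ip: str


def parse_line(line, year=2008):
    """Return an Attempt for a failed-login line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return Attempt(ts, m.group("iuser") or m.group("fuser"), m.group("ip"))


def parse_log(text, year=2008):
    return [a for a in (parse_line(l, year) for l in text.splitlines()) if a]


def max_failures_per_ip(attempts):
    """What a classic per-host blocker keys on: the busiest single source."""
    counts = Counter(a.ip for a in attempts)
    return max(counts.values()) if counts else 0


def detect_distributed_sweep(attempts, min_attempts=6, min_hosts=4, min_order_ratio=0.8):
    """Flag a username sweep spread across many hosts.

    Signals: enough failures, enough distinct sources, usernames arriving in
    mostly alphabetical order, and consecutive attempts not sharing a host.
    Thresholds are assumptions. Returns a summary dict, or None if no sweep.
    """
    attempts = sorted(attempts, key=lambda a: a.ts)
    if len(attempts) < min_attempts:
        return None
    hosts = {a.ip for a in attempts}
    if len(hosts) < min_hosts:
        return None
    users = [a.user.lower() for a in attempts]
    ordered_pairs = sum(1 for x, y in zip(users, users[1:]) if x <= y)
    order_ratio = ordered_pairs / (len(users) - 1)
    if order_ratio < min_order_ratio:
        return None
    same_host_runs = sum(1 for x, y in zip(attempts, attempts[1:]) if x.ip == y.ip)
    return {
        "attempts": len(attempts),
        "hosts": len(hosts),
        "order_ratio": order_ratio,
        "consecutive_same_host": same_host_runs,
        "first_user": users[0],
        "last_user": users[-1],
    }


# Constructed sample: the distributed sweep (7 hosts, one reused non-consecutively).
DISTRIBUTED_LOG = """\
Nov 22 03:14:07 gw sshd[4101]: Invalid user aaron from 10.0.0.1
Nov 22 03:14:07 gw sshd[4101]: Failed password for invalid user aaron from 10.0.0.1 port 40311 ssh2
Nov 22 03:15:22 gw sshd[4109]: Invalid user abby from 10.0.0.2
Nov 22 03:16:48 gw sshd[4117]: Invalid user abigail from 10.0.0.3
Nov 22 03:18:01 gw sshd[4122]: Invalid user adam from 10.0.0.4
Nov 22 03:19:30 gw sshd[4130]: Invalid user adrian from 10.0.0.5
Nov 22 03:20:55 gw sshd[4138]: Invalid user alan from 10.0.0.1
Nov 22 03:22:09 gw sshd[4144]: Invalid user albert from 10.0.0.6
Nov 22 03:23:41 gw sshd[4150]: Invalid user alex from 10.0.0.7
Nov 22 03:24:00 gw sshd[4155]: Accepted publickey for steve from 10.0.0.9 port 5022 ssh2
"""

# Constructed sample: the old-style single-host dictionary attack.
SINGLE_HOST_LOG = """\
Nov 23 11:00:01 gw sshd[5201]: Failed password for root from 192.0.2.10 port 3322 ssh2
Nov 23 11:00:03 gw sshd[5201]: Invalid user admin from 192.0.2.10
Nov 23 11:00:05 gw sshd[5203]: Failed password for root from 192.0.2.10 port 3324 ssh2
Nov 23 11:00:07 gw sshd[5205]: Invalid user test from 192.0.2.10
Nov 23 11:00:09 gw sshd[5207]: Invalid user oracle from 192.0.2.10
"""

if __name__ == "__main__":
    for name, text in (("distributed", DISTRIBUTED_LOG), ("single-host", SINGLE_HOST_LOG)):
        attempts = parse_log(text)
        print(name, "max failures from one IP:", max_failures_per_ip(attempts))
        print(name, "sweep:", detect_distributed_sweep(attempts))
```

On the distributed sample the busiest source has only two failures, below any sane per-IP ban threshold, while the sweep detector fires; on the single-host sample the reverse holds. The order-ratio test is what keeps this from tripping on ordinary scattered failures, and it tolerates a few out-of-order entries from hosts whose clocks or queues lag.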