On Wednesday 03 December 2008 22:02:43 Steve wrote:
> I've recently discovered a curious pattern emerging in my system log
> with failed login attempts via ssh.
>
> Previously, I noticed dictionary attacks launched - which were easy to
> detect... and I've a process to block the IP address of any host that
> repeatedly fails to authenticate.
>
> What I see now is quite different... I'm seeing a dictionary attack
> originating from a wide range of IP addresses - testing user-names in
> sequence... it has been in progress since 22nd November 2008 and has
> tried 7195 user names in alphabetical order from 521 distinct hosts -
> with no successive two attempts from the same host.

Slashdot yesterday, read the front page.

It seems to be a co-ordinated and very well synchronized stealth bot-net. You
are one of many who have noticed this. I am noticing scans on machines that
have never been scanned before in all the time they have been up.

You should indeed be very concerned and take extra special due care with your
security arrangements currently. In fact, if you admin machines that are in
any way critical, you really *really* should be undertaking a thorough
security audit and making very sure you have done everything and covered all
your bases.



-- 
alan dot mckinnon at gmail dot com
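
Added example, not part of the original thread: a log check for the pattern Steve describes, where per-IP blocking never triggers because no host repeats, so the failures are profiled across all sources instead. The OpenSSH log format, the sample lines (documentation-range addresses), the function names and the thresholds are all assumptions made for illustration.

```python
import re
from collections import Counter

# OpenSSH syslog failure line (assumed log format).
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample: usernames advance alphabetically, the source changes every time.
SAMPLE_LOG = """\
Dec  3 21:40:01 host sshd[4101]: Failed password for invalid user aaron from 192.0.2.10 port 40112 ssh2
Dec  3 21:41:17 host sshd[4105]: Failed password for invalid user abby from 198.51.100.7 port 51820 ssh2
Dec  3 21:42:40 host sshd[4105]: Connection closed by 198.51.100.7
Dec  3 21:43:02 host sshd[4110]: Failed password for invalid user abel from 203.0.113.44 port 33910 ssh2
Dec  3 21:44:29 host sshd[4114]: Failed password for adam from 192.0.2.77 port 46001 ssh2
Dec  3 21:45:51 host sshd[4119]: Failed password for invalid user adrian from 198.51.100.93 port 60233 ssh2
Dec  3 21:47:08 host sshd[4123]: Failed password for invalid user agnes from 203.0.113.5 port 38454 ssh2
"""

def parse_failures(text):
    """Return [(user, ip), ...] in log order for every failed-password line."""
    return [(m["user"], m["ip"]) for m in map(FAILED.search, text.splitlines()) if m]

def profile(attempts, per_ip_limit=3):
    """Summarise the failure stream across all sources rather than per host."""
    users = [u.lower() for u, _ in attempts]
    ips = [ip for _, ip in attempts]
    pairs = max(len(attempts) - 1, 1)
    same_host = sum(a == b for a, b in zip(ips, ips[1:]))   # back-to-back repeats
    in_order = sum(a <= b for a, b in zip(users, users[1:]))  # alphabetical steps
    per_ip = Counter(ips)
    return {
        "attempts": len(attempts),
        "distinct_hosts": len(per_ip),
        "repeat_host_ratio": same_host / pairs,
        "ordered_user_ratio": in_order / pairs,
        # Hosts a classic per-IP blocker would catch (assumed limit).
        "hosts_over_limit": sum(n >= per_ip_limit for n in per_ip.values()),
    }

def is_distributed_dictionary(p, min_attempts=6):
    """Heuristic with assumed thresholds: many hosts, few repeats, sorted names."""
    return (p["attempts"] >= min_attempts
            and p["distinct_hosts"] >= p["attempts"] * 0.5
            and p["repeat_host_ratio"] <= 0.1
            and p["ordered_user_ratio"] >= 0.9)

if __name__ == "__main__":
    p = profile(parse_failures(SAMPLE_LOG))
    print(p, "distributed dictionary pattern:", is_distributed_dictionary(p))
```

On the sample, `hosts_over_limit` is 0 while the cross-source profile still flags the run, which is the gap between per-IP blocking and what the log actually shows.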
