On Jul 27, 2005, at 11:29 AM, R. Scott Belford wrote:
Slashdot recently referenced a good article about the growing
number of Brute Force Attacks against ssh
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
Night after night my server is one whose logs fill with thousands
of lines like these:
Security Events
=-=-=-=-=-=-=-=
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:217.106.234.86 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from ::ffff:217.106.234.86 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from ::ffff:217.106.234.86 port 37011 ssh2
Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from ::ffff:217.106.234.86 port 37114 ssh2
Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from ::ffff:217.106.234.86 port 37212 ssh2
Since the beginning of July we've turned away nearly 5500 of these,
and 16 more attempts that resulted in
"Did not receive identification string from <IP.AD.DR.ESS>".
It's been going on for at least a year, possibly longer. (I'm trying
to forget all that came before Hawaii.)
Here are the most popular names they try (and the number of times
they've tried them):
368 admin
125 user
87 administrator
37 test
32 guest
29 adm
22 account
21 info
17 oracle
17 abuse
17 aaron
16 tomcat
15 webadmin
14 pgsql
14 adachi
14 abe
14 a4
13 michael
13 fax
12 sales
12 mike
12 george
12 cyrus
12 angel
12 admins
11 web
11 richard
11 cary
10 webmaster
10 rpm
10 nicole
I don't allow Root logins and I only allow trusted users.
You could turn off password authentication. (It's what I do. A bit
more admin headache up-front, but most people love not having to
remember passwords.) It does, however, open you a bit to *their*
security practices (but so do passwords).
How are others handling this? Do you block the IP address? If so,
does it help, or are you still found by yet another zombie? Any
suggestions or insight are welcome.
Some advocate dynamic port knocking: http://www.security.org.sg/code/portknock1.html
Some don't: http://software.newsforge.com/software/04/08/02/1954253.shtml
You can auto-blacklist as well: http://www.pettingers.org/code/sshblack.html
Jim
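The per-name tally Scott posted and the per-source counts an auto-blacklister would act on can both be pulled straight out of sshd lines of the kind quoted above. The script below is an added example, not code from the thread or from sshblack; its sample lines are constructed (the extra addresses are documentation ranges), the threshold is an arbitrary assumption, and the optional "invalid user" wording is included because later OpenSSH releases log that instead of "illegal user".

```python
import re
from collections import Counter

# Constructed sample modelled on the logwatch excerpt in the thread: same host,
# IPv4-mapped IPv6 source, "illegal user" wording, plus a no-banner connect.
SAMPLE_LOG = """\
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:217.106.234.86 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from ::ffff:217.106.234.86 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from ::ffff:217.106.234.86 port 37011 ssh2
Jul 27 03:05:40 debby sshd[20301]: Failed password for admin from ::ffff:203.0.113.7 port 41002 ssh2
Jul 27 03:05:42 debby sshd[20305]: Failed password for admin from ::ffff:203.0.113.7 port 41003 ssh2
Jul 27 03:06:00 debby sshd[20310]: Did not receive identification string from 198.51.100.9
Jul 27 03:07:12 debby sshd[20320]: Accepted publickey for scott from 192.0.2.5 port 50022 ssh2
"""

# "illegal user" (OpenSSH 3.x) / "invalid user" (later) only appears for unknown names;
# a guess against an existing account has no such prefix, so the group is optional.
FAILED_RE = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2")
NOIDENT_RE = re.compile(r"Did not receive identification string from (?P<ip>\S+)")

def normalize_ip(addr):
    """Strip the IPv4-mapped prefix so ::ffff:1.2.3.4 and 1.2.3.4 tally together."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def summarize(log_text):
    """Return (failures per username, failures per source, no-banner connects per source)."""
    by_user, by_ip, no_ident = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_user[m["user"]] += 1
            by_ip[normalize_ip(m["ip"])] += 1
            continue
        m = NOIDENT_RE.search(line)
        if m:
            no_ident[normalize_ip(m["ip"])] += 1
    return by_user, by_ip, no_ident

def blacklist_candidates(by_ip, threshold):
    """Sources with at least `threshold` failed passwords (threshold is an assumption)."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)

if __name__ == "__main__":
    users, ips, noid = summarize(SAMPLE_LOG)
    for name, n in users.most_common():   # same shape as the per-name list in the thread
        print(f"{n:4d} {name}")
    print("no identification string:", dict(noid))
    print("blacklist candidates:", blacklist_candidates(ips, threshold=3))
```

Feed it the real auth log (`python3 tally.py < /var/log/auth.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and the tally for a busy night reproduces the admin/user/test ranking Scott saw.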