On Jul 27, 2005, at 11:29 AM, R. Scott Belford wrote:

Slashdot recently referenced a good article about the growing number of Brute Force Attacks against ssh

http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/

Night after night my server is one whose logs fill with thousands of lines like these:

Security Events
=-=-=-=-=-=-=-=
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:217.106.234.86 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from ::ffff:217.106.234.86 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from ::ffff:217.106.234.86 port 37011 ssh2
Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from ::ffff:217.106.234.86 port 37114 ssh2
Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from ::ffff:217.106.234.86 port 37212 ssh2

Since the beginning of July we've turned away nearly 5500 of these, and 16 more attempts that resulted in
"Did not receive identification string from <IP.AD.DR.ESS>"

It's been going on for at least a year, possibly longer. (I'm trying to forget all that came before Hawaii.)

Here are the most popular names they try (and the number of times they've tried them):

    368 admin
    125 user
     87 administrator
     37 test
     32 guest
     29 adm
     22 account
     21 info
     17 oracle
     17 abuse
     17 aaron
     16 tomcat
     15 webadmin
     14 pgsql
     14 adachi
     14 abe
     14 a4
     13 michael
     13 fax
     12 sales
     12 mike
     12 george
     12 cyrus
     12 angel
     12 admins
     11 web
     11 richard
     11 cary
     10 webmaster
     10 rpm
     10 nicole

I don't allow Root logins and I only allow trusted users.

You could turn off password authentication. (It's what I do. A bit more admin headache up-front, but most people love not having to remember passwords. It does, however, open you a bit to *their* security practices (but so do passwords).)

How are others handling this? Do you block the IP address? If so, does it help, or are you still found by yet another zombie? Any suggestions or insight are welcome.

Some advocate dynamic port knocking: http://www.security.org.sg/code/portknock1.html
Some don't: http://software.newsforge.com/software/04/08/02/1954253.shtml

You can auto-blacklist as well: http://www.pettingers.org/code/sshblack.html

Jim
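The hardening mentioned above (no root logins, only trusted users, password authentication switched off) maps onto a handful of sshd_config directives. The fragment below is an added example, not configuration from the original post or from any of the linked tools; the user names are placeholders, and the comments note the OpenSSH default each line overrides.

```text
# /etc/ssh/sshd_config fragment (added example; user names are placeholders)

# Default was "yes" for a long time: root can be brute-forced directly.
PermitRootLogin no

# Anyone not listed is treated like a non-existent account, so no
# password or key can ever succeed for the names the bots try.
AllowUsers scott jim

# Keys only: a guessed password is useless once this is off.
PubkeyAuthentication yes
PasswordAuthentication no
# On PAM systems keyboard-interactive can still prompt for a password
# unless this is off as well.
ChallengeResponseAuthentication no

# Cap guesses per connection (the sshd default is 6).
MaxAuthTries 3
```

Run `sshd -t` after editing to syntax-check the file, and keep an existing session open while you restart sshd so a mistake in AllowUsers cannot lock you out.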

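The tally of attempted user names and the auto-blacklisting idea discussed in the thread are both just bookkeeping over sshd log lines. The script below, as an added example that is not code from the original post or from sshblack, parses the two message formats quoted above, counts failures per user and per source address, and flags any address that exceeds a threshold of failed passwords inside a sliding time window. The regexes, the window, the threshold and the assumed year are all assumptions; the sample log reuses the five lines from the post and adds three constructed lines from a documentation-range address.

```python
"""Tally and rate-limit SSH brute-force attempts from sshd auth-log lines.

Added example for this thread, not code from the original post or from
any of the tools it links. Regex, window and threshold are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The two sshd messages quoted in the thread. Older sshd says "illegal
# user", newer releases say "invalid user"; accept both. Dual-stack hosts
# print IPv4 peers as IPv4-mapped IPv6 ("::ffff:a.b.c.d"), as in the post.
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    SYSLOG_PREFIX
    + r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    + r"from (?P<ip>\S+) port \d+"
)
NOID_RE = re.compile(
    SYSLOG_PREFIX + r"Did not receive identification string from (?P<ip>\S+)"
)


def norm_ip(ip: str) -> str:
    """Strip the IPv4-mapped prefix so one attacker is one counter key."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def parse_ts(ts: str, year: int = 2005) -> datetime:
    """Syslog timestamps carry no year; assume one (2005, the thread's date)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(lines, window=timedelta(minutes=10), threshold=5):
    """Return (failures per user, failures per IP, no-ident per IP, IPs to block).

    An IP is flagged once it produces `threshold` failed passwords inside a
    sliding `window`; that is the idea behind the auto-blacklisting scripts
    mentioned in the thread. Both knobs are assumptions, not sshd defaults.
    """
    users, ips, noid = Counter(), Counter(), Counter()
    recent = defaultdict(list)      # ip -> timestamps of failures in window
    block = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, t = norm_ip(m["ip"]), parse_ts(m["ts"])
            users[m["user"]] += 1
            ips[ip] += 1
            # keep only failures still inside the window, then test the count
            recent[ip] = [x for x in recent[ip] if t - x <= window] + [t]
            if len(recent[ip]) >= threshold:
                block.add(ip)
            continue
        m = NOID_RE.match(line)
        if m:
            noid[norm_ip(m["ip"])] += 1
    return users, ips, noid, block


def top_users(users: Counter, n: int = 10) -> list:
    """Most-tried user names, formatted like the tally in the post."""
    return [f"{count:7d} {user}" for user, count in users.most_common(n)]


# Constructed sample: the five lines quoted in the post plus three made-up
# lines from a second address (192.0.2.10 is a documentation range). The
# second address fails only twice, 35 minutes apart, so it stays unblocked.
SAMPLE_LOG = """\
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:217.106.234.86 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from ::ffff:217.106.234.86 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from ::ffff:217.106.234.86 port 37011 ssh2
Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from ::ffff:217.106.234.86 port 37114 ssh2
Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from ::ffff:217.106.234.86 port 37212 ssh2
Jul 27 03:40:01 debby sshd[20301]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 40112 ssh2
Jul 27 03:41:12 debby sshd[20310]: Did not receive identification string from ::ffff:192.0.2.10
Jul 27 04:15:33 debby sshd[20402]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 40551 ssh2
"""

if __name__ == "__main__":
    users, ips, noid, block = analyze(SAMPLE_LOG.splitlines())
    print("\n".join(top_users(users)))
    print("failed passwords per source:", dict(ips))
    print("no identification string:", dict(noid))
    print("would block:", sorted(block))
```

Feed it `grep sshd /var/log/auth.log` (or wherever your syslog sends auth facility messages) instead of the constructed sample. The sliding window matters: a hard threshold over the whole month would eventually block a legitimate user who mistypes a password a few times a week, while five failures in ten seconds is unambiguously a script. Whatever you do with `block` (a firewall rule, a hosts.deny entry) should expire, because the zombies move on and the addresses get reassigned.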