Mailing List Archive



Re: [tlug] attack via ssh? (don't panic :-P)



Hi!

On Fri, 13 May 2005 19:06:09 +0900
"Stephen J. Turnbull" <stephen@example.com> wrote:

> sshd[15304]: Failed password for illegal user stephanie from
> 217.13.10.212 port 49443 ssh2 
> sshd[15306]: Failed password for root from 217.13.10.212 port 49547
> ssh2
> 
> Anybody know what's going on here?  I guess it's just a "transitive
> trust" attack using passwords from cracked boxes?

My guess: script kiddies with too much time running some script that
tries common username / password combinations.

I've been seeing this for over a year now, but those attacks are
getting more and more frequent. It is mainly just annoying, but if you have
several users on your server it is also a bit scary, because you never
know whether or not your users chose a good password.

In my case I also cannot predict from which IP address I and my users
are going to log in, so static rules aren't very helpful.

So I've written a small script that keeps an eye on those login
attempts and blocks the corresponding IP address after some failed
login attempts for about an hour. The heuristic used by this script to
detect those attacks was designed to be very simple and not to
interfere with normal user activity.

I'm planning to release this script some time soon - well, sooner if
someone is really interested ;-)

-- 
  Michael Reinsch <mr@example.com>                      http://mr.uue.org/
------------------------------------------------------------------------
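
An added example, not part of the original message and not the author's script: one way to implement the heuristic described above, blocking an address for an hour after repeated failed password attempts. The threshold, the five-minute window, the `year` parameter, the function name and the sample log lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: the post says only "some failed login attempts" and "about an hour".
MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)
BLOCK_FOR = timedelta(hours=1)

# The user name is client-supplied text, so match it greedily and anchor at the
# end of the line: the address is always taken from the final "from ... port".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>.*) from (?P<ip>[0-9A-Fa-f.:]+) "
    r"port \d+ ssh2$"
)

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE = """\
May 13 19:06:01 host sshd[15300]: Failed password for illegal user stephanie from 192.0.2.10 port 49443 ssh2
May 13 19:06:03 host sshd[15302]: Failed password for root from 192.0.2.10 port 49501 ssh2
May 13 19:06:05 host sshd[15304]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
May 13 19:06:09 host sshd[15306]: Failed password for root from 192.0.2.10 port 49547 ssh2
May 13 19:06:10 host sshd[15308]: Failed password for root from 192.0.2.10 port 49560 ssh2
""".splitlines()

def find_blocks(lines, year=2005):
    """Return (ip, blocked_at, blocked_until) for each address that gets blocked."""
    recent = defaultdict(deque)  # ip -> failure times still inside WINDOW
    blocked_until = {}
    decisions = []
    for line in lines:
        m = FAILED.match(line.rstrip())
        if not m:
            continue  # successful logins and unrelated lines never count
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in blocked_until and ts < blocked_until[ip]:
            continue  # already blocked; a firewall rule would drop these
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > WINDOW:
            times.popleft()  # forget failures older than the window
        if len(times) >= MAX_FAILURES:
            blocked_until[ip] = ts + BLOCK_FOR
            decisions.append((ip, ts, ts + BLOCK_FOR))
            times.clear()
    return decisions
```

`find_blocks(SAMPLE)` yields one decision for 192.0.2.10; turning a decision into a firewall rule and removing it at `blocked_until` is left to the caller.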
