What's the strategy for bad guys guessing a few ssh passwords?
Ted Roche
tedroche at gmail.com
Sun Jun 11 10:17:35 EDT 2017
For 36 hours now, one of my clients' servers has been logging ssh
login attempts from around the world, low volume, persistent, but more
frequent than usual. sshd is listening on a non-standard port, just to
minimize the garbage in the logs.
A couple of attempts is normal; we've seen that for years. But this is
several each hour, and each hour an IP from a different country:
Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
There are several levels of defense in use: firewalls, intrusion
detection, log monitoring, etc., so each script gets a few guesses and
the IP is then rejected.
In theory, the defenses should be sufficient, but I have a concern
that I'm missing their strategy here. It's not a DDOS, they are very
low volume. It will take them several millennia to guess enough
dictionary attack guesses to get through, so what's the point?
--
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
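
The pattern described in the message above (a few guesses per source, a new source each hour) stays under any per-IP ban threshold, so it only becomes visible when failures are aggregated across sources. This is an added example, not part of the original post: it assumes OpenSSH's usual syslog "Failed password" line format, and the sample log lines, the year and the thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Jun 10 01:05:11 srv sshd[2101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jun 10 01:05:19 srv sshd[2101]: Failed password for root from 192.0.2.10 port 40113 ssh2
Jun 10 01:40:02 srv sshd[2107]: Failed password for invalid user mythtv from 192.0.2.10 port 40190 ssh2
Jun 10 02:12:45 srv sshd[2130]: Failed password for invalid user rheal from 198.51.100.7 port 51822 ssh2
Jun 10 02:13:01 srv sshd[2130]: Failed password for root from 198.51.100.7 port 51830 ssh2
Jun 10 03:31:27 srv sshd[2164]: Failed password for root from 203.0.113.44 port 33010 ssh2
Jun 10 03:31:40 srv sshd[2164]: Failed password for invalid user mythtv from 203.0.113.44 port 33015 ssh2
Jun 10 03:55:03 srv sshd[2170]: Accepted publickey for alice from 192.0.2.200 port 50001 ssh2
Jun 10 04:02:18 srv sshd[2188]: Failed password for invalid user rheal from 198.51.100.90 port 46001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def summarize(log_text, year=2017, per_ip_limit=5, min_sources=3, min_hours=3):
    """Aggregate failures across sources; the thresholds are assumed values."""
    per_ip = Counter()
    users = Counter()
    sources_by_hour = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_ip[m["ip"]] += 1
        users[m["user"]] += 1
        sources_by_hour[ts.replace(minute=0, second=0)].add(m["ip"])
    noisy = {ip for ip, n in per_ip.items() if n > per_ip_limit}
    # No single source trips the per-IP limit, yet many sources persist over hours.
    distributed = (not noisy and len(per_ip) >= min_sources
                   and len(sources_by_hour) >= min_hours)
    return {"failures": sum(per_ip.values()), "sources": len(per_ip),
            "active_hours": len(sources_by_hour), "over_limit": sorted(noisy),
            "top_users": users.most_common(3), "distributed_low_and_slow": distributed}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
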
More information about the gnhlug-discuss
mailing list