What's the strategy for bad guys guessing a few ssh passwords?

Mark Komarinski mkomarinski at wayga.org
Sun Jun 11 11:19:37 EDT 2017


sshguard is really good since it'll drop in an iptables rule to block an IP address after a number of attempts (and prevent knocking on other ports too).
Yubikey as 2FA is pretty nice too.
-------- Original message --------
From: Bruce Dawson <jbd at codemeta.com>
Date: 6/11/17 10:58 AM (GMT-05:00)
To: gnhlug-discuss at mail.gnhlug.org
Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
sshguard takes care of most of them (especially the high bandwidth ones).

The black hats don't care - they're looking for vulnerable systems. If 
they find one, they'll exploit it (or not).

Note that a while ago (more than a few years), Comcast used to probe 
systems to see if they're vulnerable. Either they don't do that any 
more, or contract it out because I haven't seen probes from any of their 
systems in years. This probably holds true for other ISPs, and various 
intelligence agencies in the world - both private and public, not to 
mention various disreputable enterprises.

--Bruce


On 06/11/2017 10:17 AM, Ted Roche wrote:
> For 36 hours now, one of my clients' servers has been logging ssh
> login attempts from around the world, low volume, persistent, but more
> frequent than usual. sshd is listening on a non-standard port, just to
> minimize the garbage in the logs.
>
> A couple of attempts is normal; we've seen that for years. But this is
> several each hour, and each hour an IP from a different country:
> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>
> There are several levels of defense in use: firewalls, intrusion
> detection, log monitoring, etc, so each script gets a few guesses and
> the IP is then rejected.
>
> In theory, the defenses should be sufficient, but I have a concern
> that I'm missing their strategy here. It's not a DDoS, they are very
> low volume. It will take them several millennia to guess enough
> dictionary attack guesses to get through, so what's the point?
>

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss at mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
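The thread contrasts two things: the per-source lockout that sshguard applies (N failures from one address, then an iptables block) and the pattern Ted describes, where every source stays under that threshold and the attempts are spread over many addresses and hours. The following is an added example, not code from the thread, sshguard or fail2ban: it parses a handful of constructed OpenSSH auth-log lines (addresses taken from the RFC 5737 documentation ranges), applies a per-IP threshold of the kind a lockout tool uses, and then looks across the same window for a distributed, low-and-slow campaign that the per-IP rule would never trip. The thresholds and window sizes are assumptions chosen for illustration.

```python
"""Added example (not from the GNHLUG thread or any tool it mentions):
per-source lockout logic versus a detector for low-and-slow distributed
SSH password guessing."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog style. Addresses are from the
# RFC 5737 documentation ranges; usernames echo the ones Ted listed.
SAMPLE_LOG = """\
Jun 11 09:00:01 host sshd[101]: Failed password for root from 203.0.113.10 port 41122 ssh2
Jun 11 09:00:03 host sshd[101]: Failed password for root from 203.0.113.10 port 41123 ssh2
Jun 11 09:00:05 host sshd[102]: Failed password for invalid user mythtv from 203.0.113.10 port 41124 ssh2
Jun 11 09:00:07 host sshd[103]: Failed password for invalid user rheal from 203.0.113.10 port 41125 ssh2
Jun 11 09:00:09 host sshd[104]: Failed password for root from 203.0.113.10 port 41126 ssh2
Jun 11 10:12:40 host sshd[110]: Failed password for root from 198.51.100.7 port 50010 ssh2
Jun 11 10:12:44 host sshd[111]: Failed password for invalid user mythtv from 198.51.100.7 port 50011 ssh2
Jun 11 11:30:02 host sshd[120]: Failed password for root from 192.0.2.33 port 33001 ssh2
Jun 11 11:30:05 host sshd[121]: Failed password for invalid user rheal from 192.0.2.33 port 33002 ssh2
Jun 11 12:45:17 host sshd[130]: Failed password for root from 198.51.100.200 port 60000 ssh2
Jun 11 12:45:21 host sshd[131]: Failed password for invalid user mythtv from 198.51.100.200 port 60001 ssh2
Jun 11 12:50:00 host sshd[140]: Accepted publickey for admin from 192.0.2.1 port 22222 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2017):
    """Return a list of (timestamp, source_ip, username) for each failed attempt.
    Syslog lines carry no year, so one is supplied (assumption: 2017)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def per_source_blocks(events, threshold=4, window=timedelta(minutes=10)):
    """The per-IP rule a lockout tool enforces: once a single source reaches
    `threshold` failures inside `window`, record the time it would be blocked.
    Returns {ip: block_time}. Later events from a blocked source are ignored."""
    blocked = {}
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    for ts, ip, _ in sorted(events):
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def distributed_campaign(events, per_ip_threshold=4,
                         window=timedelta(hours=6), min_sources=3):
    """Look for the low-and-slow pattern: in the `window` ending at the latest
    failure, count sources that each stayed BELOW the per-IP threshold. If at
    least `min_sources` of them exist, report them together with the usernames
    tried, so the campaign is visible even though no single IP was ever blocked.
    Returns a summary dict, or None when nothing crosses the bar."""
    if not events:
        return None
    latest = max(ts for ts, _, _ in events)
    recent = [e for e in events if latest - e[0] <= window]
    by_ip = Counter(ip for _, ip, _ in recent)
    quiet = {ip: n for ip, n in by_ip.items() if n < per_ip_threshold}
    if len(quiet) < min_sources:
        return None
    users = Counter(user for _, ip, user in recent if ip in quiet)
    return {"sources": sorted(quiet), "attempts": sum(quiet.values()), "users": users}


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("blocked by per-IP rule:", per_source_blocks(ev))
    print("distributed campaign:", distributed_campaign(ev))
```

On the constructed input the per-IP rule blocks only 203.0.113.10 (four failures in eight seconds), while the three other sources, each with two attempts hours apart, would pass under sshguard's radar individually; the second function surfaces them as one campaign against the same small set of usernames. In production the same idea is what a log monitor or SIEM correlation rule would implement, with the window and source count tuned to the host's normal background noise.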