What's the strategy for bad guys guessing a few ssh passwords?
Ted Roche
tedroche at gmail.com
Sun Jun 11 13:53:14 EDT 2017
Thanks, all for the recommendations. I hadn't seen sshguard before;
I'll give that a try.
I do have Fail2Ban in place, and have customized a number of scripts,
mostly for Apache (trying to invoke asp scripts on my LAMP server
results in instaban, for example) and it is what it reporting the ssh
login failures.
I have always seen them, in the 10 years I've had this server running,
but the frequency, periodicity and international variety (usually
they're all China, Russian, Romania) seemed like there might be
something else going on.
Be careful out there.
On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <mkomarinski at wayga.org> wrote:
> sshguard is really good since it'll drop in a iptables rule to block an IP
> address after a number of attemps (and prevent knocking on other ports too).
>
> Yubikey as 2FA is pretty nice too.
>
> -------- Original message --------
> From: Bruce Dawson <jbd at codemeta.com>
> Date: 6/11/17 10:58 AM (GMT-05:00)
> To: gnhlug-discuss at mail.gnhlug.org
> Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
>
> sshguard takes care of most of them (especially the high bandwidth ones).
>
> The black hats don't care - they're looking for vulnerable systems. If
> they find one, they'll exploit it (or not).
>
> Note that a while ago (more than a few years), comcast used to probe
> systems to see if they're vulnerable. Either they don't do that any
> more, or contract it out because I haven't see probes from any of their
> systems in years. This probably holds true for other ISPs, and various
> intelligence agencies in the world - both private and public, not to
> mention various disreputable enterprises.
>
> --Bruce
>
>
> On 06/11/2017 10:17 AM, Ted Roche wrote:
>> For 36 hours now, one of my clients' servers has been logging ssh
>> login attempts from around the world, low volume, persistent, but more
>> frequent than usual. sshd is listening on a non-standard port, just to
>> minimize the garbage in the logs.
>>
>> A couple of attempts is normal; we've seen that for years. But this is
>> several each hour, and each hour an IP from a different country:
>> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>>
>> There's several levels of defense in use: firewalls, intrusion
>> detection, log monitoring, etc, so each script gets a few guesses and
>> the IP is then rejected.
>>
>> In theory, the defenses should be sufficient, but I have a concern
>> that I'm missing their strategy here. It's not a DDOS, they are very
>> low volume. It will take them several millennia to guess enough
>> dictionary attack guesses to get through, so what's the point?
>>
>
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
--
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
More information about the gnhlug-discuss
mailing list