What's the strategy for bad guys guessing a few ssh passwords?

Dan Garthwaite dan at garthwaite.org
Mon Jun 12 09:59:32 EDT 2017


If you can change the port number, it does wonders against the script
kiddies.

Just remember to add the new port, restart sshd, then remove the old port. :)

On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedroche at gmail.com> wrote:

> Thanks, all for the recommendations. I hadn't seen sshguard before;
> I'll give that a try.
>
> I do have Fail2Ban in place, and have customized a number of scripts,
> mostly for Apache (trying to invoke asp scripts on my LAMP server
> results in instaban, for example) and it is what is reporting the ssh
> login failures.
>
> I have always seen them, in the 10 years I've had this server running,
> but the frequency, periodicity and international variety (usually
> they're all China, Russia, Romania) seemed like there might be
> something else going on.
>
> Be careful out there.
>
> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <mkomarinski at wayga.org> wrote:
> > sshguard is really good since it'll drop in an iptables rule to block an IP
> > address after a number of attempts (and prevent knocking on other ports too).
> >
> > Yubikey as 2FA is pretty nice too.
> >
> > -------- Original message --------
> > From: Bruce Dawson <jbd at codemeta.com>
> > Date: 6/11/17 10:58 AM (GMT-05:00)
> > To: gnhlug-discuss at mail.gnhlug.org
> > Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
> >
> > sshguard takes care of most of them (especially the high bandwidth ones).
> >
> > The black hats don't care - they're looking for vulnerable systems. If
> > they find one, they'll exploit it (or not).
> >
> > Note that a while ago (more than a few years), Comcast used to probe
> > systems to see if they're vulnerable. Either they don't do that any
> > more, or contract it out, because I haven't seen probes from any of their
> > systems in years. This probably holds true for other ISPs, and various
> > intelligence agencies in the world - both private and public, not to
> > mention various disreputable enterprises.
> >
> > --Bruce
> >
> >
> > On 06/11/2017 10:17 AM, Ted Roche wrote:
> >> For 36 hours now, one of my clients' servers has been logging ssh
> >> login attempts from around the world, low volume, persistent, but more
> >> frequent than usual. sshd is listening on a non-standard port, just to
> >> minimize the garbage in the logs.
> >>
> >> A couple of attempts is normal; we've seen that for years. But this is
> >> several each hour, and each hour an IP from a different country:
> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
> >>
> >> There are several levels of defense in use: firewalls, intrusion
> >> detection, log monitoring, etc., so each script gets a few guesses and
> >> the IP is then rejected.
> >>
> >> In theory, the defenses should be sufficient, but I have a concern
> >> that I'm missing their strategy here. It's not a DDOS, they are very
> >> low volume. It will take them several millennia to guess enough
> >> dictionary attack guesses to get through, so what's the point?
> >>
> >
> > _______________________________________________
> > gnhlug-discuss mailing list
> > gnhlug-discuss at mail.gnhlug.org
> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> >
>
>
>
> --
> Ted Roche
> Ted Roche & Associates, LLC
> http://www.tedroche.com
>
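Dan's "add the new port, restart sshd, then remove the old port" order is worth rehearsing before touching a remote box, because getting it backwards locks you out. The script below is an added example, not something posted in the thread: it performs the add-then-remove steps on a scratch copy of sshd_config and checks the one caveat people trip over, namely that a config with no `Port` line is on the implicit default 22, so adding only the new port silently drops 22 unless you write it out explicitly first. The config contents, the port numbers 22/2222 and the `systemctl reload sshd` service name in the comments are assumptions; `sshd -t` is OpenSSH's own config check.

```shell
#!/bin/sh
# Added example, not from the thread: rehearses the "add the new port, reload
# sshd, verify, then remove the old port" order on a copy of sshd_config so
# the old port never disappears before the new one is known to work. The
# config lines, port numbers and service name below are assumptions.

# Print every Port value currently in CONFIG, space-separated.
listening_ports() {   # listening_ports CONFIG
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { printf "%s%s", sep, $2; sep = " " }' "$1"
    printf '\n'
}

# Add NEWPORT as an additional Port directive. Caveat: if the file has no
# Port line at all, sshd is on the implicit default 22; adding only the new
# port would replace that default, so 22 is written explicitly first.
add_port() {   # add_port CONFIG NEWPORT
    cfg="$1"; new="$2"
    if ! grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        printf 'Port 22\n' >> "$cfg"
    fi
    # Idempotent: do not add a duplicate line for a port already present.
    grep -Eq "^[[:space:]]*Port[[:space:]]+$new([[:space:]]|\$)" "$cfg" ||
        printf 'Port %s\n' "$new" >> "$cfg"
}

# Remove OLDPORT's Port line. Refuses while it is the only port configured,
# which would leave sshd on the implicit default instead of the new port.
remove_port() {   # remove_port CONFIG OLDPORT
    cfg="$1"; old="$2"
    [ "$(listening_ports "$cfg")" != "$old" ] || return 1
    tmp="$cfg.tmp.$$"
    grep -Ev "^[[:space:]]*Port[[:space:]]+$old([[:space:]]|\$)" "$cfg" > "$tmp" || true
    mv "$tmp" "$cfg"
}

# Dry run on a temporary file; prints the port list after each step.
rehearse() {   # rehearse OLDPORT NEWPORT
    tmp="$(mktemp)"
    # Stand-in for /etc/ssh/sshd_config (constructed contents).
    printf 'PermitRootLogin no\nPort %s\n' "$1" > "$tmp"
    add_port "$tmp" "$2"
    printf 'after add:    %s\n' "$(listening_ports "$tmp")"
    # On the real host this is the point to run:  sshd -t && systemctl reload sshd
    # and then open a SECOND session on the new port before touching the old one.
    remove_port "$tmp" "$1"
    printf 'after remove: %s\n' "$(listening_ports "$tmp")"
    rm -f "$tmp"
}

rehearse 22 2222
```

Keep the original session open for the whole procedure; the reload only picks up the new `Port` line, and the old port stays reachable until `remove_port` runs and sshd is reloaded a second time.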
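The per-IP rule Mark and Bruce describe for sshguard (ban a source after N failed attempts) is also exactly why Ted's observation matters: one or two guesses per IP, from a different IP each hour, never reaches N, so a per-source counter alone reports nothing. The script below is an added example, not code from the thread or from sshguard/fail2ban. It runs the same counting over a handful of constructed sshd log lines in OpenSSH's auth.log format (addresses from the RFC 5737 documentation ranges) and shows both views side by side: the per-IP ban list, and the campaign-level totals where a slow distributed run is visible.

```shell
#!/bin/sh
# Added example, not from the thread. Counts sshd "Failed password" lines per
# source IP the way sshguard/fail2ban do, and also totals them across all
# sources so a slow, many-IP campaign that stays under the per-IP threshold
# is still visible. Log lines are constructed; addresses are RFC 5737 ranges.
LOG_SAMPLE='Jun 11 10:01:12 srv sshd[2201]: Failed password for invalid user mythtv from 192.0.2.10 port 51022 ssh2
Jun 11 10:01:15 srv sshd[2201]: Failed password for invalid user mythtv from 192.0.2.10 port 51022 ssh2
Jun 11 10:01:19 srv sshd[2201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Jun 11 10:30:44 srv sshd[2310]: Accepted publickey for ted from 198.51.100.2 port 40210 ssh2: ED25519 SHA256:constructed
Jun 11 11:07:02 srv sshd[2418]: Failed password for invalid user rheal from 198.51.100.7 port 33120 ssh2
Jun 11 12:14:51 srv sshd[2502]: Failed password for root from 203.0.113.5 port 60122 ssh2
Jun 11 13:02:08 srv sshd[2611]: Failed password for invalid user admin from 198.51.100.8 port 45000 ssh2
Jun 11 14:41:37 srv sshd[2790]: Failed password for invalid user oracle from 203.0.113.6 port 52234 ssh2'

# Print the source address of every failed-password line, one per line.
# Successful logins ("Accepted ...") are deliberately not matched.
failed_sources() {
    printf '%s\n' "$LOG_SAMPLE" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }'
}

# Per-IP rule: print "IP count" for sources with at least $1 failures
# (default 3). This is the condition that triggers a ban in sshguard/fail2ban.
ban_candidates() {
    failed_sources | sort | uniq -c |
    awk -v t="${1:-3}" '$1 >= t { print $2, $1 }' | sort
}

# Sources that failed but stayed below the ban threshold: the pattern Ted
# describes, one or two tries per IP and a different IP each hour.
below_threshold() {
    failed_sources | sort | uniq -c |
    awk -v t="${1:-3}" '$1 < t { print $2 }' | sort
}

# Campaign-level view: total failures and distinct failing sources. A
# distributed low-rate run shows up here even though no single IP is banned.
total_failures()   { failed_sources | wc -l | tr -d ' '; }
distinct_sources() { failed_sources | sort -u | wc -l | tr -d ' '; }

main() {
    printf 'banned (>= 3 failures):\n%s\n' "$(ban_candidates 3)"
    printf 'below threshold, not banned:\n%s\n' "$(below_threshold 3)"
    printf 'total failures: %s from %s distinct sources\n' \
        "$(total_failures)" "$(distinct_sources)"
}

main
```

In this sample only 192.0.2.10 is banned; the other four sources each made a single attempt and would stay under any sensible per-IP threshold, which is why a daily count of distinct failing sources (or of attempts per username across all sources) is the useful alert for the low-volume case, alongside key-only authentication so the guesses cannot succeed at all.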