<div dir="ltr"><div><br></div><div>I always wonder what they're trying to get. <a href="https://krebsonsecurity.com/">https://krebsonsecurity.com</a> has lots of info on why they do it, what they do with it and how they make $$.</div><div><br></div><div>There's very few consequences to the attacker for "rattling the doorknob" compared to potential success.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <span dir="ltr"><<a href="mailto:tedroche@gmail.com" target="_blank">tedroche@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks, all for the recommendations. I hadn't seen sshguard before;<br>
I'll give that a try.<br>
<br>
I do have Fail2Ban in place, and have customized a number of scripts,<br>
mostly for Apache (trying to invoke asp scripts on my LAMP server<br>
results in instaban, for example) and it is what it reporting the ssh<br>
login failures.<br>
<br>
I have always seen them, in the 10 years I've had this server running,<br>
but the frequency, periodicity and international variety (usually<br>
they're all China, Russian, Romania) seemed like there might be<br>
something else going on.<br>
<br>
Be careful out there.<br>
<div class="HOEnZb"><div class="h5"><br>
On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <<a href="mailto:mkomarinski@wayga.org">mkomarinski@wayga.org</a>> wrote:<br>
> sshguard is really good since it'll drop in a iptables rule to block an IP<br>
> address after a number of attemps (and prevent knocking on other ports too).<br>
><br>
> Yubikey as 2FA is pretty nice too.<br>
><br>
> -------- Original message --------<br>
> From: Bruce Dawson <<a href="mailto:jbd@codemeta.com">jbd@codemeta.com</a>><br>
> Date: 6/11/17 10:58 AM (GMT-05:00)<br>
> To: <a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
> Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?<br>
><br>
> sshguard takes care of most of them (especially the high bandwidth ones).<br>
><br>
> The black hats don't care - they're looking for vulnerable systems. If<br>
> they find one, they'll exploit it (or not).<br>
><br>
> Note that a while ago (more than a few years), comcast used to probe<br>
> systems to see if they're vulnerable. Either they don't do that any<br>
> more, or contract it out because I haven't see probes from any of their<br>
> systems in years. This probably holds true for other ISPs, and various<br>
> intelligence agencies in the world - both private and public, not to<br>
> mention various disreputable enterprises.<br>
><br>
> --Bruce<br>
><br>
><br>
> On 06/11/2017 10:17 AM, Ted Roche wrote:<br>
>> For 36 hours now, one of my clients' servers has been logging ssh<br>
>> login attempts from around the world, low volume, persistent, but more<br>
>> frequent than usual. sshd is listening on a non-standard port, just to<br>
>> minimize the garbage in the logs.<br>
>><br>
>> A couple of attempts is normal; we've seen that for years. But this is<br>
>> several each hour, and each hour an IP from a different country:<br>
>> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,<br>
>> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.<br>
>><br>
>> There's several levels of defense in use: firewalls, intrusion<br>
>> detection, log monitoring, etc, so each script gets a few guesses and<br>
>> the IP is then rejected.<br>
>><br>
>> In theory, the defenses should be sufficient, but I have a concern<br>
>> that I'm missing their strategy here. It's not a DDOS, they are very<br>
>> low volume. It will take them several millennia to guess enough<br>
>> dictionary attack guesses to get through, so what's the point?<br>
>><br>
><br>
> ______________________________<wbr>_________________<br>
> gnhlug-discuss mailing list<br>
> <a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
> <a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank">http://mail.gnhlug.org/<wbr>mailman/listinfo/gnhlug-<wbr>discuss/</a><br>
><br>
> ______________________________<wbr>_________________<br>
> gnhlug-discuss mailing list<br>
> <a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
> <a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank">http://mail.gnhlug.org/<wbr>mailman/listinfo/gnhlug-<wbr>discuss/</a><br>
><br>
<br>
<br>
<br>
</div></div><span class="im HOEnZb">--<br>
Ted Roche<br>
Ted Roche & Associates, LLC<br>
<a href="http://www.tedroche.com" rel="noreferrer" target="_blank">http://www.tedroche.com</a><br>
</span><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
gnhlug-discuss mailing list<br>
<a href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a><br>
<a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" rel="noreferrer" target="_blank">http://mail.gnhlug.org/<wbr>mailman/listinfo/gnhlug-<wbr>discuss/</a><br>
</div></div></blockquote></div><br></div>