This is a discussion on invalid ssh attempts within the Linux Security forums, part of the System Security and Security Related category.
John Sandell wrote:
> Is it unusual to get attempted ssh logins almost every day for months?
>
> Example:
>
> Jul 7 03:40:50 hp1 sshd[22604]: Invalid user zulgaftp from ::ffff:212.37.192.44
>
> That day, there were 5667 attempts...
>
> Is this common?
>
> John Sandell

I have seen some attempts to connect to the port but not quite on that scale. Others' mileage might vary.
John Sandell wrote:
> Is it unusual to get attempted ssh logins almost every day for months?
>
> Example:
>
> Jul 7 03:40:50 hp1 sshd[22604]: Invalid user zulgaftp from ::ffff:212.37.192.44
>
> That day, there were 5667 attempts...
>
> Is this common?

Well, it's not uncommon. You might want to give some thought to restricting access via tcpwrappers etc. to a specific range of IP addresses, if possible.
John Sandell <jsandell@att.net> wrote in news:oCNkf.224933$zb5.185697@bgtnsc04-news.ops.worldnet.att.net:
> Is it unusual to get attempted ssh logins almost every day for months?
>
> Example:
>
> Jul 7 03:40:50 hp1 sshd[22604]: Invalid user zulgaftp from ::ffff:212.37.192.44
>
> That day, there were 5667 attempts...

About average for a /24 block. Some days more, some days less. Definitely unusually high for a single address.

If these boxes are all on linux systems you might try the ":recent" feature of iptables to block offending addresses for a period of time after a few tries.

I'm still trying to figure out how they came up with a few of the account names the worm is trying. Not exactly your every day names.

mungo
------------
The backhoe is the natural predator of the fiber optic cable.
John Sandell <jsandell@att.net> writes:
> Is it unusual to get attempted ssh logins almost every day for months?
> Example:
> Jul 7 03:40:50 hp1 sshd[22604]: Invalid user zulgaftp from ::ffff:212.37.192.44
> That day, there were 5667 attempts...
> Is this common?

Yes. The latest game is to throw logon attempts at ssh with weak passwords, hoping that someone somewhere left a hole in their ssh. It is usual to get 5000 attempts per day.

> John Sandell
John Sandell said the following on 2005-12-05 03:29:
> Is it unusual to get attempted ssh logins almost every day for months?

No.

> Example:
>
> Jul 7 03:40:50 hp1 sshd[22604]: Invalid user zulgaftp from ::ffff:212.37.192.44
>
> That day, there were 5667 attempts...
>
> Is this common?

Yes.

--
Jon Solberg (remove "nospam" from email address).
Unruh wrote:
> John Sandell <jsandell@att.net> writes:
>
>> Is it unusual to get attempted ssh logins almost every day for months?
>
>> Example:
>
>> Jul 7 03:40:50 hp1 sshd[22604]: Invalid user zulgaftp from
>> ::ffff:212.37.192.44
>
>> That day, there were 5667 attempts...
>
>> Is this common?
>
> Yes. The latest game is to throw logon attempts at ssh with weak passwords,
> hoping that someone somewhere left a hole in their ssh.
> It is usual to get 5000 attempts per day.

So a good idea would be to put a delay between retries from the one site as someone above suggested?
On Mon, 05 Dec 2005 06:42:40 GMT, Mungo <reallydontmail@me.com> wrote:
> I'm still trying to figure out how they came up with a few of the account
> names the worm is trying. Not exactly your every day names.

Indeed - either a couple of the script kiddies made EXTREMELY lucky guesses, or they somehow gained some sort of information regarding the valid usernames on my system.

BTW, I heartily second the use of the "recent" option in iptables - it has virtually eliminated the brute-force SSH attacks.
On Tue, 06 Dec 2005 02:15:53 +1100, Jan Pompe wrote:
> Unruh wrote:
>> John Sandell <jsandell@att.net> writes:
>>> Is this common?
>>
>> Yes. The latest game is to throw logon attempts at ssh with weak passwords,
>> hoping that someone somewhere left a hole in their ssh.
>> It is usual to get 5000 attempts per day.
>
> So a good idea would be to put a delay between retries from the one site
> as someone above suggested?

I'd think so. If the system supports PAM, maybe also for usernames: http://www-uxsup.csx.cam.ac.uk/~pjb1...ect/pam_delay/

--
-Menno.
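As an added example, not code from anyone in the thread: the "N attempts within T seconds per source" test that the iptables recent match applies (the option Mungo and the later reply recommend), run over constructed sshd log lines in the format John quoted, so you can see from a log which sources would have been blocked. The default year, the 192.0.2.x addresses and all lines other than John's are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample sshd log: the line quoted in the thread plus invented
# ones. 192.0.2.0/24 is the RFC 5737 documentation range, not a real host.
SAMPLE_LOG = """\
Jul  7 03:40:50 hp1 sshd[22604]: Invalid user zulgaftp from ::ffff:212.37.192.44
Jul  7 03:40:52 hp1 sshd[22606]: Invalid user admin from ::ffff:212.37.192.44
Jul  7 03:40:55 hp1 sshd[22608]: Invalid user test from ::ffff:212.37.192.44
Jul  7 03:40:57 hp1 sshd[22610]: Invalid user oracle from ::ffff:212.37.192.44
Jul  7 09:12:01 hp1 sshd[23001]: Invalid user bob from ::ffff:192.0.2.10
Jul  7 11:30:14 hp1 sshd[23102]: Invalid user bob from ::ffff:192.0.2.10
Jul  7 11:30:20 hp1 sshd[23104]: Accepted publickey for alice from 192.0.2.7 port 51022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_invalid_user(line, year=2005):
    """Return (timestamp, user, source) for an 'Invalid user' line, else None.
    Syslog lines carry no year, so one is assumed (hypothetical default)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    src = m["src"]
    src = src[7:] if src.startswith("::ffff:") else src  # strip IPv4-mapped prefix sshd logs
    return ts, m["user"], src

def find_bruteforcers(log_text, hitcount=4, seconds=60):
    """Flag sources with >= hitcount invalid-user attempts inside any `seconds`
    window, the same test iptables' recent match applies with --seconds/--hitcount."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    totals = defaultdict(int)     # source -> all invalid-user attempts seen
    flagged = {}                  # source -> time the threshold was first crossed
    for line in log_text.splitlines():
        rec = parse_invalid_user(line)
        if rec is None:
            continue              # e.g. a successful login, not an invalid-user line
        ts, _user, src = rec
        totals[src] += 1
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:
            q.popleft()           # drop hits that have aged out of the window
        if len(q) >= hitcount and src not in flagged:
            flagged[src] = ts
    return flagged, dict(totals)
```

With the defaults, 212.37.192.44 crosses the threshold on its fourth attempt while the two widely spaced attempts from 192.0.2.10 never do, which is why a time-windowed rule blocks the burst without touching an occasional typo.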