DragonFly users List (threaded) for 2005-03
Re: Note to LEAF users on ssh logins
On Wed, 2005-03-02 at 19:23 -0800, Matthew Dillon wrote:
> Leaf and, in fact, all of my machines which have open ssh ports are getting
> random hack attempts, about 20-30 a day in short bursts, usually from a
> different IP address each day. I talked with a few sysop friends and
> their boxes are getting similar traffic. The hack attempts primarily
> try to ssh to root, admin, and a bunch of microsoft-soundy names. It looks
> fairly coordinated, like it is trying a couple of passwords each day
> then trying again with different passwords the next day.
> While none of my machines allow passworded logins over ssh (especially
> not for root), and LEAF accounts are all '*'d out (key only logins),
> I am rather disquieted by the continuous attempts so I have written and
> installed a little program to monitor the syslog which will automatically
> block failed password or illegal user login attempts.
> It isn't very refined yet so if you find yourself locked out of leaf
> send me an email!
> Matthew Dillon
These attacks are based on a silly brute-force exploit that has been
attacking miscellaneous SSH servers for years and has caused tons of
fuzz on various mailing lists. Basically, it simply tests user/user
combinations to log in. Perhaps there's a ``more sophisticated'' version
that is now doing dictionary attacks, but I don't think that's feasible
at 20 to 30 per day. FWIW, my server gets in the range of 100 - 300 per
day and has for about 5 or 6 months now.
However, since it's still a popular question on lists (I've heard
several questions about it recently, actually): would you post this
script somewhere so I can refer people to it when they ask? This is
usually the first thing asked for :)
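
An added example, not Matthew Dillon's program and not part of either message: detection logic of the kind described in the quoted message, counting failed-password and illegal-user sshd lines per source address inside a sliding window and returning the addresses a blocker would act on. The log lines, threshold, window and allowlist parameter are constructed assumptions; the allowlist is there so a known-good address that mistypes a login is not locked out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd lines that signal a failed attempt. "Illegal user" is the wording of
# 2005-era OpenSSH; later releases log "Invalid user" instead.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:illegal user |invalid user )?(?P<u1>\S+)"
    r"|(?:Illegal|Invalid) user (?P<u2>\S+))"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (documentation address ranges, hypothetical host/users).
SAMPLE = [
    "Mar  2 19:20:01 host sshd[4101]: Illegal user admin from 203.0.113.7",
    "Mar  2 19:20:03 host sshd[4101]: Failed password for illegal user admin from 203.0.113.7 port 40112 ssh2",
    "Mar  2 19:20:09 host sshd[4105]: Failed password for root from 203.0.113.7 port 40120 ssh2",
    "Mar  2 19:21:00 host sshd[4110]: Failed password for alice from 192.0.2.10 port 51000 ssh2",
    "Mar  2 19:22:00 host sshd[4111]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2",
    "Mar  2 19:40:00 host sshd[4120]: Failed password for root from 198.51.100.9 port 33000 ssh2",
    "Mar  2 20:40:00 host sshd[4130]: Failed password for root from 198.51.100.9 port 33010 ssh2",
    "Mar  2 21:40:00 host sshd[4140]: Failed password for root from 198.51.100.9 port 33020 ssh2",
]

def find_offenders(lines, threshold=3, window=timedelta(minutes=10),
                   allowlist=frozenset(), year=2005):
    """Return {ip: sorted usernames tried} for every source with at least
    `threshold` failure lines inside one sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames seen in failure lines
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in allowlist:
            continue              # not a failure line, or a trusted source
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        users[m["ip"]].add(m["u1"] or m["u2"])
        # An unknown-user attempt logs two lines, so it counts twice here.
        if len(q) >= threshold:
            offenders[m["ip"]] = sorted(users[m["ip"]])
    return offenders
```

On the sample, only 203.0.113.7 crosses the threshold; 198.51.100.9 makes three attempts but an hour apart, which is the slow pattern a short window misses.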