[Tfug] Stopping repeated login attempts

Choprboy choprboy at dakotacom.net
Wed Jan 27 13:34:41 MST 2010


On Wednesday 27 January 2010 12:13, Bexley Hall wrote:
> Hi Louis,
>
> > No, they are not valid accounts.  The
> > attempts appear to be just guesses on account names. 
>
> OK.  I was just wondering if they would have given you a clue
> as to how/why/when they targeted your machine (e.g., if
> they harvested the names off a web page that you host, etc.)
>
> --don


It is nothing specifically targeting a particular machine. The scanning is 
being done by the "brutessh" script or a similar rehash. The script reads 
from a list of common usernames and/or username/password combinations, somewhere 
between a few hundred and 10,000, and sequentially tries each one. If the 
script finds an open account it copies itself onto the compromised machine 
and starts another scan; the intent is to create a botnet of *nix machines.

The normal SSH daemon repeat failed login blocking does not work as the script 
does a new TCP connection for every login attempt, then resets the 
connection. The fail2ban and similar scripts track log entries looking for 
repeated connections and then manually ban them at the firewall. 


Adrian
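The log-tracking approach Adrian describes, as an added example that is neither his code nor fail2ban's: a small Python script that replays sshd auth-log lines, keeps a sliding window of failures per source IP, and emits an iptables DROP rule once a source crosses the retry threshold. Because it keys on the source address in the log line rather than on the TCP session, an attacker that opens a fresh connection for every guess is counted just like one that retries inside a single session, which is exactly why this works where sshd's own per-connection limit does not. The log lines are constructed for the example, the OpenSSH "Failed password" format and the fixed year are assumptions, and the thresholds are illustrative values in the spirit of fail2ban's sshd jail, not its actual defaults.

```python
"""Minimal fail2ban-style detector for repeated sshd login failures.

Added example, not code from the mailing-list post or from fail2ban.
Assumptions: OpenSSH-style auth.log lines (format below), a fixed LOG_YEAR
because syslog timestamps carry no year, and illustrative thresholds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 5                       # failures allowed inside the window
FINDTIME = timedelta(seconds=600)  # length of the sliding window
BANTIME = timedelta(seconds=3600)  # how long a ban lasts
LOG_YEAR = 2010                    # assumed year for syslog timestamps

# OpenSSH failure line, e.g.
#   Jan 27 13:30:01 host sshd[4010]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
# Host name, PID and the trailing "ssh2" are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed sample log: one fast scanner (203.0.113.5) making a new
# connection per guess, one legitimate user mistyping twice (198.51.100.7),
# and one slow scanner (192.0.2.9) that never exceeds the window.
SAMPLE_LOG = """\
Jan 27 13:05:00 host sshd[3901]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jan 27 13:17:00 host sshd[3920]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jan 27 13:29:00 host sshd[3950]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jan 27 13:30:01 host sshd[4010]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Jan 27 13:30:03 host sshd[4012]: Failed password for invalid user oracle from 203.0.113.5 port 40215 ssh2
Jan 27 13:30:05 host sshd[4014]: Failed password for invalid user test from 203.0.113.5 port 40219 ssh2
Jan 27 13:30:06 host sshd[4016]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Jan 27 13:30:07 host sshd[4018]: Failed password for root from 203.0.113.5 port 40223 ssh2
Jan 27 13:30:09 host sshd[4020]: Failed password for invalid user guest from 203.0.113.5 port 40227 ssh2
Jan 27 13:30:11 host sshd[4022]: Failed password for invalid user mysql from 203.0.113.5 port 40231 ssh2
Jan 27 13:31:40 host sshd[4030]: Failed password for bob from 198.51.100.7 port 51030 ssh2
Jan 27 13:31:48 host sshd[4031]: Failed password for bob from 198.51.100.7 port 51031 ssh2
Jan 27 13:41:00 host sshd[4060]: Failed password for root from 192.0.2.9 port 33004 ssh2
Jan 27 13:53:00 host sshd[4090]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""


def parse_failure(line):
    """Return (timestamp, user, ip, port) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("user"), m.group("ip"), int(m.group("port"))


def scan_log(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines in order; return [(ban_time, ip, expiry), ...].

    Each source IP keeps only the failures seen within the last `findtime`.
    Reaching `maxretry` failures in that window triggers a ban. Failures from
    an already-banned source are ignored until the ban expires.
    """
    window = defaultdict(deque)
    banned = {}  # ip -> expiry time
    bans = []
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        ts, _user, ip, _port = rec
        if ip in banned and ts < banned[ip]:
            continue  # still banned; the firewall should already drop these
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = ts + bantime
            bans.append((ts, ip, banned[ip]))
            q.clear()
    return bans


def ban_commands(bans):
    """Render the iptables rule a fail2ban-style action would run per ban."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for _ts, ip, _exp in bans]


if __name__ == "__main__":
    for cmd in ban_commands(scan_log(SAMPLE_LOG.splitlines())):
        print(cmd)
```

Running it bans only 203.0.113.5, at its fifth failure; the two mistyped passwords from 198.51.100.7 and the slow scanner's twelve-minute spacing both stay under the threshold. A production deployment would also need the matching unban after `BANTIME` and should read the log incrementally rather than replaying it, which is what fail2ban itself handles.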
