[Tfug] Stopping repeated login attempts

Bexley Hall bexley401 at yahoo.com
Wed Jan 27 16:14:14 MST 2010


Hi Adrian,

> > OK.  I was just wondering if they would have given you a clue
> > as to how/why/when they targeted your machine (e.g., if
> > they harvested the names off a web page that you host, etc.)
> 
> It is nothing specifically targeting a particular machine.

OK.  So they ping addresses "at random" (i.e., sequentially  :>)
and, for any that answer, see if there is an sshd running on *any*
port on the machine (since Louis said they re-found his sshd once
he moved it) and then just brute force that service?

> The scanning is being done by the "brutessh" script or a similar rehash.
> The script reads from a list of common and/or username/password
> combinations, somewhere between a few hundred and 10,000, and
> sequentially tries each one. If the 

So, good passwords will protect the machine but not stop the attacks.

Registering an ssh key for the source IP would be a big win. (?)

> script finds an open account it copies itself onto the
> compromised machine 
> and starts another scan, the intent is to create a botnet
> of *nix machines.

Understood.
 
> The normal SSH daemon repeat failed login blocking does not
> work as the script does a new TCP connection for every login 
> attempt, then resets the connection. The fail2ban and similar 

If you started sshd from inetd and throttled it there, this
would at least be a quick way to limit the number of
attempts they could make per unit time.

> scripts track log entries looking for 
> repeated connections and then manually ban them at the
> firewall. 

Understood.  So they don't even get *to* the machine.

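The log-watching approach Adrian describes (count failed logins per source IP across separate TCP connections, then ban at the firewall) is easy to see in a few lines of code. The following is an added example, not code from this thread, from the brutessh script or from fail2ban itself: it parses constructed OpenSSH "Failed password" auth-log lines, keeps a sliding window per source IP, and renders an iptables rule for each offender. The knob names `maxretry` and `findtime` are borrowed from fail2ban's vocabulary as an assumption about the intended behaviour; the log lines, hostnames and addresses are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure line as it appears in a syslog-style auth log.
# Assumption: we only care about "Failed password" events (the brute-force case).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (not a real capture). Note that every attempt from
# 203.0.113.7 has a different pid/port: one fresh TCP connection per guess,
# which is exactly why sshd's per-connection MaxAuthTries never trips.
SAMPLE_AUTH_LOG = """\
Jan 27 15:58:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 40210 ssh2
Jan 27 15:58:03 host sshd[4013]: Failed password for invalid user oracle from 203.0.113.7 port 40215 ssh2
Jan 27 15:58:05 host sshd[4015]: Failed password for root from 203.0.113.7 port 40219 ssh2
Jan 27 15:58:07 host sshd[4017]: Failed password for invalid user test from 203.0.113.7 port 40223 ssh2
Jan 27 15:58:09 host sshd[4019]: Failed password for invalid user guest from 203.0.113.7 port 40228 ssh2
Jan 27 15:58:11 host sshd[4021]: Accepted publickey for louis from 198.51.100.4 port 51022 ssh2
Jan 27 15:40:00 host sshd[3901]: Failed password for louis from 198.51.100.4 port 50998 ssh2
Jan 27 16:02:00 host sshd[3990]: Failed password for louis from 198.51.100.4 port 51010 ssh2
""".splitlines()


def parse_failures(lines, year=2010):
    """Yield (timestamp, ip, user) for each failed-login line; skip everything else.

    syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_offenders(lines, maxretry=5, findtime=600, year=2010):
    """Return {ip: time_of_ban} for every IP with >= maxretry failures inside findtime seconds.

    Per-IP sliding window: each failure appends its timestamp, timestamps older than
    findtime are dropped from the front, and the window length is the attempt count.
    Counting by source IP across connections is what makes this work against a scanner
    that reconnects for every guess.
    """
    windows = defaultdict(deque)
    banned = {}
    for ts, ip, _user in sorted(parse_failures(lines, year)):
        if ip in banned:
            continue  # already blocked; later lines would not reach sshd anyway
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            banned[ip] = ts
    return banned


def ban_commands(banned):
    """Render one firewall rule per offender (iptables syntax); nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_AUTH_LOG)
    for ip, when in offenders.items():
        print(f"{ip} exceeded threshold at {when:%H:%M:%S}")
    for cmd in ban_commands(offenders):
        print(cmd)
```

With the sample data the scanner at 203.0.113.7 is flagged on its fifth guess, while the legitimate user at 198.51.100.4, who mistyped a password twice twenty minutes apart, stays under the threshold; raising `maxretry` or shrinking `findtime` trades detection speed against that false-positive risk. A production tool would also expire the ban and watch the live log rather than a fixed list, which this example leaves out.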