login attempts via ssh

Questions, comments, and suggestions about this site should go here.
Post Reply
User avatar
chase
Site Admin
Posts: 694
Joined: Wed Oct 20, 2004 10:46 pm
Location: Texas
Contact:
Contact chase

login attempts via ssh

Post by chase »

Just in case any of you have a system with remote ssh access setup I thought I'd share how frequently there are login attempts. The following list was started at the end of December using http://denyhosts.sourceforge.net/

Code: Select all

sshd: 209.67.233.120
sshd: 69.7.207.250
sshd: 91.194.84.41
sshd: 61.137.188.181
sshd: 213.85.255.223
sshd: 201.47.187.138
sshd: 218.75.172.172
sshd: 213.194.99.219
sshd: 60.251.166.130
sshd: 200.60.36.230
sshd: 202.65.218.5
sshd: 210.77.146.53
sshd: 125.22.251.138
sshd: 140.138.144.217
sshd: 58.196.13.14
sshd: 200.74.160.178
sshd: 211.171.245.154
sshd: 203.156.140.99
sshd: 210.154.182.227
sshd: 203.101.45.152
sshd: 64.212.184.218
sshd: 65.197.251.22
sshd: 218.8.52.7
sshd: 218.84.26.250
sshd: 200.107.251.34
sshd: 210.140.188.188
sshd: 85.14.180.2
sshd: 206.80.69.5
sshd: 202.106.62.21
sshd: 61.152.132.27
sshd: 203.117.89.75
sshd: 211.56.174.168
sshd: 89.185.228.138
sshd: 59.124.57.150
sshd: 82.49.209.27
sshd: 190.34.166.210
sshd: 132.216.35.26
sshd: 217.136.171.187
sshd: 58.213.125.25
sshd: 64.169.10.19
sshd: 58.222.11.2
sshd: 89.21.131.124
sshd: 61.206.120.4
sshd: 147.46.222.67
sshd: 201.232.149.179
sshd: 163.21.187.99
sshd: 64.76.19.236
sshd: 212.34.139.149
sshd: 216.177.130.50
sshd: 147.46.123.252
sshd: 61.108.210.11
sshd: 219.237.242.188
sshd: 200.42.227.44
sshd: 200.131.252.2
sshd: 66.236.248.139
sshd: 189.44.186.85
sshd: 203.188.159.61
sshd: 218.57.136.148
sshd: 202.213.211.16
sshd: 200.67.79.212
sshd: 192.192.12.73
sshd: 123.233.245.226
sshd: 210.176.56.52
sshd: 81.236.17.62
sshd: 24.102.40.249
sshd: 222.66.236.102
sshd: 70.38.38.72
sshd: 85.93.15.131
sshd: 117.28.224.71
sshd: 218.106.205.109
sshd: 222.92.30.12
sshd: 218.197.176.17
sshd: 122.128.96.6
sshd: 122.155.0.70
sshd: 190.12.46.214
sshd: 206.156.254.4
sshd: 222.237.79.139
sshd: 212.202.98.42
sshd: 70.99.70.46
sshd: 221.133.39.82
sshd: 218.16.239.244
sshd: 219.140.253.194
sshd: 211.174.180.4
sshd: 210.48.150.102
sshd: 200.30.136.146
sshd: 220.178.30.233
sshd: 118.69.211.2
sshd: 203.95.104.21
sshd: 65.38.111.171
sshd: 222.128.197.3
sshd: 210.69.31.130
sshd: 123.140.221.138
sshd: 203.248.34.48
sshd: 116.66.203.202
sshd: 60.31.211.194
sshd: 195.220.104.75
sshd: 221.238.193.71
sshd: 202.100.91.165
sshd: 203.187.161.42
sshd: 202.105.49.16
sshd: 122.193.4.115
sshd: 208.67.34.74
sshd: 88.191.25.32
sshd: 132.248.145.179
sshd: 210.18.82.151
sshd: 218.241.177.241
sshd: 163.27.236.2
sshd: 217.70.52.189
sshd: 122.193.4.5
sshd: 67.168.45.156
sshd: 216.16.72.43
sshd: 67.15.127.6
sshd: 62.58.108.127
sshd: 119.70.154.57
sshd: 203.130.1.84
sshd: 88.191.42.2
sshd: 59.185.104.218
sshd: 58.53.192.47
sshd: 208.68.193.51
sshd: 220.90.135.173
sshd: 58.253.67.58
sshd: 219.237.213.239
sshd: 118.143.232.21
sshd: 222.35.78.228
sshd: 202.117.3.100
sshd: 66.238.27.105
sshd: 72.3.142.4
sshd: 85.25.249.189
sshd: 217.133.71.145
sshd: 202.122.19.23
sshd: 68.15.205.76
sshd: 86.55.3.8
sshd: 201.245.179.115
sshd: 65.24.211.75
sshd: 219.246.112.241
sshd: 219.142.114.254
sshd: 60.18.147.45
sshd: 61.237.15.202
sshd: 201.116.169.43
sshd: 121.240.155.135
sshd: 218.60.34.8
sshd: 61.164.112.27
sshd: 83.15.104.4
sshd: 200.111.145.42
sshd: 125.93.184.74
sshd: 18.58.2.204
sshd: 124.207.150.66
sshd: 77.79.229.218
sshd: 88.191.75.232
sshd: 59.27.92.26
sshd: 67.91.202.81
sshd: 85.17.87.133
sshd: 218.22.67.123
sshd: 203.113.33.161
sshd: 213.30.139.75
sshd: 64.79.219.196
sshd: 60.217.234.152
sshd: 222.35.143.63
sshd: 221.7.151.133
Top
eddyb
Member
Member
Posts: 248
Joined: Fri Aug 01, 2008 7:52 am

Re: login attempts via ssh

Post by eddyb »

chase wrote:Just in case any of you have a system with remote ssh access setup I thought I'd share how frequently there are login attempts. The following list was started at the end of December using http://denyhosts.sourceforge.net/

Code: Select all

sshd: 209.67.233.120
sshd: 69.7.207.250
sshd: 91.194.84.41
sshd: 61.137.188.181
sshd: 213.85.255.223
sshd: 201.47.187.138
sshd: 218.75.172.172
sshd: 213.194.99.219
sshd: 60.251.166.130
sshd: 200.60.36.230
sshd: 202.65.218.5
sshd: 210.77.146.53
sshd: 125.22.251.138
sshd: 140.138.144.217
sshd: 58.196.13.14
sshd: 200.74.160.178
sshd: 211.171.245.154
sshd: 203.156.140.99
sshd: 210.154.182.227
sshd: 203.101.45.152
sshd: 64.212.184.218
sshd: 65.197.251.22
sshd: 218.8.52.7
sshd: 218.84.26.250
sshd: 200.107.251.34
sshd: 210.140.188.188
sshd: 85.14.180.2
sshd: 206.80.69.5
sshd: 202.106.62.21
sshd: 61.152.132.27
sshd: 203.117.89.75
sshd: 211.56.174.168
sshd: 89.185.228.138
sshd: 59.124.57.150
sshd: 82.49.209.27
sshd: 190.34.166.210
sshd: 132.216.35.26
sshd: 217.136.171.187
sshd: 58.213.125.25
sshd: 64.169.10.19
sshd: 58.222.11.2
sshd: 89.21.131.124
sshd: 61.206.120.4
sshd: 147.46.222.67
sshd: 201.232.149.179
sshd: 163.21.187.99
sshd: 64.76.19.236
sshd: 212.34.139.149
sshd: 216.177.130.50
sshd: 147.46.123.252
sshd: 61.108.210.11
sshd: 219.237.242.188
sshd: 200.42.227.44
sshd: 200.131.252.2
sshd: 66.236.248.139
sshd: 189.44.186.85
sshd: 203.188.159.61
sshd: 218.57.136.148
sshd: 202.213.211.16
sshd: 200.67.79.212
sshd: 192.192.12.73
sshd: 123.233.245.226
sshd: 210.176.56.52
sshd: 81.236.17.62
sshd: 24.102.40.249
sshd: 222.66.236.102
sshd: 70.38.38.72
sshd: 85.93.15.131
sshd: 117.28.224.71
sshd: 218.106.205.109
sshd: 222.92.30.12
sshd: 218.197.176.17
sshd: 122.128.96.6
sshd: 122.155.0.70
sshd: 190.12.46.214
sshd: 206.156.254.4
sshd: 222.237.79.139
sshd: 212.202.98.42
sshd: 70.99.70.46
sshd: 221.133.39.82
sshd: 218.16.239.244
sshd: 219.140.253.194
sshd: 211.174.180.4
sshd: 210.48.150.102
sshd: 200.30.136.146
sshd: 220.178.30.233
sshd: 118.69.211.2
sshd: 203.95.104.21
sshd: 65.38.111.171
sshd: 222.128.197.3
sshd: 210.69.31.130
sshd: 123.140.221.138
sshd: 203.248.34.48
sshd: 116.66.203.202
sshd: 60.31.211.194
sshd: 195.220.104.75
sshd: 221.238.193.71
sshd: 202.100.91.165
sshd: 203.187.161.42
sshd: 202.105.49.16
sshd: 122.193.4.115
sshd: 208.67.34.74
sshd: 88.191.25.32
sshd: 132.248.145.179
sshd: 210.18.82.151
sshd: 218.241.177.241
sshd: 163.27.236.2
sshd: 217.70.52.189
sshd: 122.193.4.5
sshd: 67.168.45.156
sshd: 216.16.72.43
sshd: 67.15.127.6
sshd: 62.58.108.127
sshd: 119.70.154.57
sshd: 203.130.1.84
sshd: 88.191.42.2
sshd: 59.185.104.218
sshd: 58.53.192.47
sshd: 208.68.193.51
sshd: 220.90.135.173
sshd: 58.253.67.58
sshd: 219.237.213.239
sshd: 118.143.232.21
sshd: 222.35.78.228
sshd: 202.117.3.100
sshd: 66.238.27.105
sshd: 72.3.142.4
sshd: 85.25.249.189
sshd: 217.133.71.145
sshd: 202.122.19.23
sshd: 68.15.205.76
sshd: 86.55.3.8
sshd: 201.245.179.115
sshd: 65.24.211.75
sshd: 219.246.112.241
sshd: 219.142.114.254
sshd: 60.18.147.45
sshd: 61.237.15.202
sshd: 201.116.169.43
sshd: 121.240.155.135
sshd: 218.60.34.8
sshd: 61.164.112.27
sshd: 83.15.104.4
sshd: 200.111.145.42
sshd: 125.93.184.74
sshd: 18.58.2.204
sshd: 124.207.150.66
sshd: 77.79.229.218
sshd: 88.191.75.232
sshd: 59.27.92.26
sshd: 67.91.202.81
sshd: 85.17.87.133
sshd: 218.22.67.123
sshd: 203.113.33.161
sshd: 213.30.139.75
sshd: 64.79.219.196
sshd: 60.217.234.152
sshd: 222.35.143.63
sshd: 221.7.151.133


Hi, chase, good to see you here :D .
at least i can't see the IP address start from the IP address range of my ISP :) .
maybe they are bots, or even botnets...
Top
User avatar
Combuster
Member
Member
Posts: 9301
Joined: Wed Oct 18, 2006 3:45 am
Freenode IRC: [com]buster
Location: On the balcony, where I can actually keep 1½m distance
Contact:
Contact Combuster

Re: login attempts via ssh

Post by Combuster »

I'm pretty sure it's a botnet.

Looking at my auth.log, i see 120 login attempts within 15 minutes, with failed user names that most likely come from a dictionary (and that's just the first instance of it, my log is 600k lines, the majority describing dictionary attacks).

Good thing I keep strong passwords :D
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[ My OS ] [ VDisk/SFS ]
Top
xyzzy
Member
Member
Posts: 391
Joined: Wed Jul 25, 2007 8:45 am
Freenode IRC: aejsmith
Location: London, UK
Contact:
Contact xyzzy

Re: login attempts via ssh

Post by xyzzy »

Do you change the SSH port from the default? That's one of the first things I do when configuring a server - and I hardly ever get any login attempts.
Top
User avatar
Solar
Member
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany
Contact:
Contact Solar

Re: login attempts via ssh

Post by Solar »

Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.

What I do to secure SSH is not changing the port (which is a nuisance for authorized users as well) is, in /etc/ssh/sshd_config:

Code: Select all

PermitRootLogin no
ChallengeResponseAuthentication no
AllowUsers solar,...


This means logins to root / postmaster / admin are automatically declined, and allowed users require a SSH Pubkey to log in. No problems with weak passwords and wordfile attacks anymore. The chances to correctly guess a pubkey in 3 attempts (before denyhosts kicks in) are astronomical...
Every good solution is obvious once you've found it.
Top
User avatar
AJ
Member
Member
Posts: 2646
Joined: Sun Oct 22, 2006 7:01 am
Location: Devon, UK
Contact:
Contact AJ

Re: login attempts via ssh

Post by AJ »

Solar wrote:Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.


Same here. Pity you can't let the attempted cracker know that you are aware of the attempts :twisted:

This has got me concerned. Currently at home I just use a Vista laptop which is behind an NAT router and is only on when its in use. At the weekend, though, I'm going to be attempting to set up my old computer as a gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with linux security. Better do some research :?

Cheers,
Adam
Top
User avatar
Solar
Member
Member
Posts: 7615
Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany
Contact:
Contact Solar

Re: login attempts via ssh

Post by Solar »

AJ wrote:At the weekend, though, I'm going to be attempting to set up my old computer as a gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with linux security. Better do some research :?


Every good solution is obvious once you've found it.
Top
User avatar
AJ
Member
Member
Posts: 2646
Joined: Sun Oct 22, 2006 7:01 am
Location: Devon, UK
Contact:
Contact AJ

Re: login attempts via ssh

Post by AJ »

Nice link, thanks. Gentoo does have some very nicely written documentation.

Cheers,
Adam
Top
User avatar
Brynet-Inc
Member
Member
Posts: 2426
Joined: Tue Oct 17, 2006 9:29 pm
Freenode IRC: brynet
Location: Canada
Contact:
Contact Brynet-Inc

Re: login attempts via ssh

Post by Brynet-Inc »

An exposed ssh server should not allow password authentication, public key only.
Image
Twitter: @canadianbryan. Award by smcerm, I stole it. Original was larger.
Top
User avatar
01000101
Member
Member
Posts: 1598
Joined: Fri Jun 22, 2007 12:47 pm
Location: New Hampshire, USA
Contact:
Contact 01000101

Re: login attempts via ssh

Post by 01000101 »

I disagree.

I good username/password combo with a strict failed password attempt maximum is very effective. Also, disallowing empty passwords and only allowing specific users to be able to be used will reduce attack effectiveness quite a bit.

I know it's security through obscurity, but changing the port does remove alot of annoying bot attempts from filling the logs.
Top
Post Reply

Return to “About this site”