Questions, comments, and suggestions about this site should go here.
chase
Site Admin
Posts: 694 Joined: Wed Oct 20, 2004 10:46 pm
Location: Texas
Contact:
Post
by chase » Mon Feb 09, 2009 11:06 pm
Just in case any of you have a system with remote ssh access setup I thought I'd share how frequently there are login attempts. The following list was started at the end of December using
http://denyhosts.sourceforge.net/ Code: Select all
sshd: 209.67.233.120 sshd: 69.7.207.250 sshd: 91.194.84.41 sshd: 61.137.188.181 sshd: 213.85.255.223 sshd: 201.47.187.138 sshd: 218.75.172.172 sshd: 213.194.99.219 sshd: 60.251.166.130 sshd: 200.60.36.230 sshd: 202.65.218.5 sshd: 210.77.146.53 sshd: 125.22.251.138 sshd: 140.138.144.217 sshd: 58.196.13.14 sshd: 200.74.160.178 sshd: 211.171.245.154 sshd: 203.156.140.99 sshd: 210.154.182.227 sshd: 203.101.45.152 sshd: 64.212.184.218 sshd: 65.197.251.22 sshd: 218.8.52.7 sshd: 218.84.26.250 sshd: 200.107.251.34 sshd: 210.140.188.188 sshd: 85.14.180.2 sshd: 206.80.69.5 sshd: 202.106.62.21 sshd: 61.152.132.27 sshd: 203.117.89.75 sshd: 211.56.174.168 sshd: 89.185.228.138 sshd: 59.124.57.150 sshd: 82.49.209.27 sshd: 190.34.166.210 sshd: 132.216.35.26 sshd: 217.136.171.187 sshd: 58.213.125.25 sshd: 64.169.10.19 sshd: 58.222.11.2 sshd: 89.21.131.124 sshd: 61.206.120.4 sshd: 147.46.222.67 sshd: 201.232.149.179 sshd: 163.21.187.99 sshd: 64.76.19.236 sshd: 212.34.139.149 sshd: 216.177.130.50 sshd: 147.46.123.252 sshd: 61.108.210.11 sshd: 219.237.242.188 sshd: 200.42.227.44 sshd: 200.131.252.2 sshd: 66.236.248.139 sshd: 189.44.186.85 sshd: 203.188.159.61 sshd: 218.57.136.148 sshd: 202.213.211.16 sshd: 200.67.79.212 sshd: 192.192.12.73 sshd: 123.233.245.226 sshd: 210.176.56.52 sshd: 81.236.17.62 sshd: 24.102.40.249 sshd: 222.66.236.102 sshd: 70.38.38.72 sshd: 85.93.15.131 sshd: 117.28.224.71 sshd: 218.106.205.109 sshd: 222.92.30.12 sshd: 218.197.176.17 sshd: 122.128.96.6 sshd: 122.155.0.70 sshd: 190.12.46.214 sshd: 206.156.254.4 sshd: 222.237.79.139 sshd: 212.202.98.42 sshd: 70.99.70.46 sshd: 221.133.39.82 sshd: 218.16.239.244 sshd: 219.140.253.194 sshd: 211.174.180.4 sshd: 210.48.150.102 sshd: 200.30.136.146 sshd: 220.178.30.233 sshd: 118.69.211.2 sshd: 203.95.104.21 sshd: 65.38.111.171 sshd: 222.128.197.3 sshd: 210.69.31.130 sshd: 123.140.221.138 sshd: 203.248.34.48 sshd: 116.66.203.202 sshd: 60.31.211.194 sshd: 195.220.104.75 sshd: 221.238.193.71 sshd: 202.100.91.165 sshd: 203.187.161.42 sshd: 202.105.49.16 sshd: 122.193.4.115 sshd: 208.67.34.74 sshd: 88.191.25.32 sshd: 132.248.145.179 sshd: 210.18.82.151 sshd: 218.241.177.241 sshd: 163.27.236.2 sshd: 217.70.52.189 sshd: 122.193.4.5 sshd: 67.168.45.156 sshd: 216.16.72.43 sshd: 67.15.127.6 sshd: 62.58.108.127 sshd: 119.70.154.57 sshd: 203.130.1.84 sshd: 88.191.42.2 sshd: 59.185.104.218 sshd: 58.53.192.47 sshd: 208.68.193.51 sshd: 220.90.135.173 sshd: 58.253.67.58 sshd: 219.237.213.239 sshd: 118.143.232.21 sshd: 222.35.78.228 sshd: 202.117.3.100 sshd: 66.238.27.105 sshd: 72.3.142.4 sshd: 85.25.249.189 sshd: 217.133.71.145 sshd: 202.122.19.23 sshd: 68.15.205.76 sshd: 86.55.3.8 sshd: 201.245.179.115 sshd: 65.24.211.75 sshd: 219.246.112.241 sshd: 219.142.114.254 sshd: 60.18.147.45 sshd: 61.237.15.202 sshd: 201.116.169.43 sshd: 121.240.155.135 sshd: 218.60.34.8 sshd: 61.164.112.27 sshd: 83.15.104.4 sshd: 200.111.145.42 sshd: 125.93.184.74 sshd: 18.58.2.204 sshd: 124.207.150.66 sshd: 77.79.229.218 sshd: 88.191.75.232 sshd: 59.27.92.26 sshd: 67.91.202.81 sshd: 85.17.87.133 sshd: 218.22.67.123 sshd: 203.113.33.161 sshd: 213.30.139.75 sshd: 64.79.219.196 sshd: 60.217.234.152 sshd: 222.35.143.63 sshd: 221.7.151.133
eddyb
Member
Posts: 248 Joined: Fri Aug 01, 2008 7:52 am
Post
by eddyb » Tue Feb 10, 2009 12:19 am
chase wrote: Just in case any of you have a system with remote ssh access setup I thought I'd share how frequently there are login attempts. The following list was started at the end of December using
http://denyhosts.sourceforge.net/ Code: Select all
sshd: 209.67.233.120 sshd: 69.7.207.250 sshd: 91.194.84.41 sshd: 61.137.188.181 sshd: 213.85.255.223 sshd: 201.47.187.138 sshd: 218.75.172.172 sshd: 213.194.99.219 sshd: 60.251.166.130 sshd: 200.60.36.230 sshd: 202.65.218.5 sshd: 210.77.146.53 sshd: 125.22.251.138 sshd: 140.138.144.217 sshd: 58.196.13.14 sshd: 200.74.160.178 sshd: 211.171.245.154 sshd: 203.156.140.99 sshd: 210.154.182.227 sshd: 203.101.45.152 sshd: 64.212.184.218 sshd: 65.197.251.22 sshd: 218.8.52.7 sshd: 218.84.26.250 sshd: 200.107.251.34 sshd: 210.140.188.188 sshd: 85.14.180.2 sshd: 206.80.69.5 sshd: 202.106.62.21 sshd: 61.152.132.27 sshd: 203.117.89.75 sshd: 211.56.174.168 sshd: 89.185.228.138 sshd: 59.124.57.150 sshd: 82.49.209.27 sshd: 190.34.166.210 sshd: 132.216.35.26 sshd: 217.136.171.187 sshd: 58.213.125.25 sshd: 64.169.10.19 sshd: 58.222.11.2 sshd: 89.21.131.124 sshd: 61.206.120.4 sshd: 147.46.222.67 sshd: 201.232.149.179 sshd: 163.21.187.99 sshd: 64.76.19.236 sshd: 212.34.139.149 sshd: 216.177.130.50 sshd: 147.46.123.252 sshd: 61.108.210.11 sshd: 219.237.242.188 sshd: 200.42.227.44 sshd: 200.131.252.2 sshd: 66.236.248.139 sshd: 189.44.186.85 sshd: 203.188.159.61 sshd: 218.57.136.148 sshd: 202.213.211.16 sshd: 200.67.79.212 sshd: 192.192.12.73 sshd: 123.233.245.226 sshd: 210.176.56.52 sshd: 81.236.17.62 sshd: 24.102.40.249 sshd: 222.66.236.102 sshd: 70.38.38.72 sshd: 85.93.15.131 sshd: 117.28.224.71 sshd: 218.106.205.109 sshd: 222.92.30.12 sshd: 218.197.176.17 sshd: 122.128.96.6 sshd: 122.155.0.70 sshd: 190.12.46.214 sshd: 206.156.254.4 sshd: 222.237.79.139 sshd: 212.202.98.42 sshd: 70.99.70.46 sshd: 221.133.39.82 sshd: 218.16.239.244 sshd: 219.140.253.194 sshd: 211.174.180.4 sshd: 210.48.150.102 sshd: 200.30.136.146 sshd: 220.178.30.233 sshd: 118.69.211.2 sshd: 203.95.104.21 sshd: 65.38.111.171 sshd: 222.128.197.3 sshd: 210.69.31.130 sshd: 123.140.221.138 sshd: 203.248.34.48 sshd: 116.66.203.202 sshd: 60.31.211.194 sshd: 195.220.104.75 sshd: 221.238.193.71 sshd: 202.100.91.165 sshd: 203.187.161.42 sshd: 202.105.49.16 sshd: 122.193.4.115 sshd: 208.67.34.74 sshd: 88.191.25.32 sshd: 132.248.145.179 sshd: 210.18.82.151 sshd: 218.241.177.241 sshd: 163.27.236.2 sshd: 217.70.52.189 sshd: 122.193.4.5 sshd: 67.168.45.156 sshd: 216.16.72.43 sshd: 67.15.127.6 sshd: 62.58.108.127 sshd: 119.70.154.57 sshd: 203.130.1.84 sshd: 88.191.42.2 sshd: 59.185.104.218 sshd: 58.53.192.47 sshd: 208.68.193.51 sshd: 220.90.135.173 sshd: 58.253.67.58 sshd: 219.237.213.239 sshd: 118.143.232.21 sshd: 222.35.78.228 sshd: 202.117.3.100 sshd: 66.238.27.105 sshd: 72.3.142.4 sshd: 85.25.249.189 sshd: 217.133.71.145 sshd: 202.122.19.23 sshd: 68.15.205.76 sshd: 86.55.3.8 sshd: 201.245.179.115 sshd: 65.24.211.75 sshd: 219.246.112.241 sshd: 219.142.114.254 sshd: 60.18.147.45 sshd: 61.237.15.202 sshd: 201.116.169.43 sshd: 121.240.155.135 sshd: 218.60.34.8 sshd: 61.164.112.27 sshd: 83.15.104.4 sshd: 200.111.145.42 sshd: 125.93.184.74 sshd: 18.58.2.204 sshd: 124.207.150.66 sshd: 77.79.229.218 sshd: 88.191.75.232 sshd: 59.27.92.26 sshd: 67.91.202.81 sshd: 85.17.87.133 sshd: 218.22.67.123 sshd: 203.113.33.161 sshd: 213.30.139.75 sshd: 64.79.219.196 sshd: 60.217.234.152 sshd: 222.35.143.63 sshd: 221.7.151.133
Hi, chase, good to see you here
.
at least i can't see the IP address start from the IP address range of my ISP
.
maybe they are bots, or even botnets...
Combuster
Member
Posts: 9301 Joined: Wed Oct 18, 2006 3:45 am
Freenode IRC: [com]buster
Location: On the balcony, where I can actually keep 1½m distance
Contact:
Post
by Combuster » Tue Feb 10, 2009 1:50 am
I'm pretty sure it's a botnet.
Looking at my auth.log, i see 120 login attempts within 15 minutes, with failed user names that most likely come from a dictionary (and that's just the first instance of it, my log is 600k lines, the majority describing dictionary attacks).
Good thing I keep strong passwords
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[
My OS ] [
VDisk/SFS ]
xyzzy
Member
Posts: 391 Joined: Wed Jul 25, 2007 8:45 am
Freenode IRC: aejsmith
Location: London, UK
Contact:
Post
by xyzzy » Tue Feb 10, 2009 1:58 am
Do you change the SSH port from the default? That's one of the first things I do when configuring a server - and I hardly ever get any login attempts.
Solar
Member
Posts: 7615 Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany
Contact:
Post
by Solar » Tue Feb 10, 2009 2:17 am
Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.
What
I do to secure SSH is not changing the port (which is a nuisance for
authorized users as well) is, in /etc/ssh/sshd_config:
Code: Select all
PermitRootLogin no ChallengeResponseAuthentication no AllowUsers solar,...
This means logins to root / postmaster / admin are automatically declined, and allowed users require a SSH Pubkey to log in. No problems with weak passwords and wordfile attacks anymore. The chances to correctly guess a pubkey in 3 attempts (before denyhosts kicks in) are astronomical...
Every good solution is obvious once you've found it.
AJ
Member
Posts: 2646 Joined: Sun Oct 22, 2006 7:01 am
Location: Devon, UK
Contact:
Post
by AJ » Tue Feb 10, 2009 2:56 am
Solar wrote: Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.
Same here. Pity you can't let the attempted cracker know that you are aware of the attempts
This has got me concerned. Currently at home I just use a Vista laptop which is behind an NAT router and is only on when its in use. At the weekend, though, I'm going to be attempting to set up my old computer as a gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with linux security. Better do some research
Cheers,
Adam
Solar
Member
Posts: 7615 Joined: Thu Nov 16, 2006 12:01 pm
Location: Germany
Contact:
Post
by Solar » Tue Feb 10, 2009 3:44 am
AJ wrote: At the weekend, though, I'm going to be attempting to set up my old computer as a gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with linux security. Better do some research
Every good solution is obvious once you've found it.
AJ
Member
Posts: 2646 Joined: Sun Oct 22, 2006 7:01 am
Location: Devon, UK
Contact:
Post
by AJ » Tue Feb 10, 2009 4:20 am
Nice link, thanks. Gentoo does have some very nicely written documentation. Cheers, Adam
Brynet-Inc
Member
Posts: 2426 Joined: Tue Oct 17, 2006 9:29 pm
Freenode IRC: brynet
Location: Canada
Contact:
Post
by Brynet-Inc » Tue Feb 10, 2009 8:41 pm
An exposed ssh server should not allow password authentication, public key only.
Twitter: @canadianbryan . Award by smcerm, I stole it. Original was larger.
01000101
Member
Posts: 1598 Joined: Fri Jun 22, 2007 12:47 pm
Location: New Hampshire, USA
Contact:
Post
by 01000101 » Thu Feb 12, 2009 12:52 am
I disagree. I good username/password combo with a strict failed password attempt maximum is very effective. Also, disallowing empty passwords and only allowing specific users to be able to be used will reduce attack effectiveness quite a bit. I know it's security through obscurity, but changing the port does remove alot of annoying bot attempts from filling the logs.