OSDev.org

The Place to Start for Operating System Developers
All times are UTC - 6 hours




 Post subject: login attempts via ssh
Posted: Mon Feb 09, 2009 11:06 pm
Site Admin

Joined: Wed Oct 20, 2004 10:46 pm
Posts: 665
Location: Texas
Just in case any of you have a system with remote ssh access set up I thought I'd share how frequently there are login attempts. The following list was started at the end of December using http://denyhosts.sourceforge.net/



 Post subject: Re: login attempts via ssh
Posted: Tue Feb 10, 2009 12:19 am
Member

Joined: Fri Aug 01, 2008 7:52 am
Posts: 248
chase wrote:
Just in case any of you have a system with remote ssh access set up I thought I'd share how frequently there are login attempts. The following list was started at the end of December using http://denyhosts.sourceforge.net/



Hi, chase, good to see you here :D
At least I can't see any IP addresses from the IP address range of my ISP :)
Maybe they are bots, or even botnets...


 Post subject: Re: login attempts via ssh
Posted: Tue Feb 10, 2009 1:50 am
Member

Joined: Wed Oct 18, 2006 3:45 am
Posts: 9284
Location: On the balcony, watching the Swedish Chef
I'm pretty sure it's a botnet.

Looking at my auth.log, I see 120 login attempts within 15 minutes, with failed user names that most likely come from a dictionary (and that's just the first instance of it; my log is 600k lines, the majority describing dictionary attacks).

Good thing I keep strong passwords :D

_________________
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[ My OS ] [ VDisk/SFS ]


 Post subject: Re: login attempts via ssh
Posted: Tue Feb 10, 2009 1:58 am
Member

Joined: Wed Jul 25, 2007 8:45 am
Posts: 391
Location: York, UK
Do you change the SSH port from the default? That's one of the first things I do when configuring a server - and I hardly ever get any login attempts.

_________________
http://alex-smith.me.uk


 Post subject: Re: login attempts via ssh
Posted: Tue Feb 10, 2009 2:17 am
Member

Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7412
Location: Germany
Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.

What I do to secure SSH, rather than changing the port (which is a nuisance for authorized users as well), is this, in /etc/ssh/sshd_config:

Code:
PermitRootLogin no
ChallengeResponseAuthentication no
AllowUsers solar,...


This means logins to root / postmaster / admin are automatically declined, and allowed users require an SSH Pubkey to log in. No problems with weak passwords and wordfile attacks anymore. The chances to correctly guess a pubkey in 3 attempts (before denyhosts kicks in) are astronomical...

_________________
Every good solution is obvious once you've found it.
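
An added example, not part of the thread: a small check of the sshd_config directives shown above that reports what still permits password guessing. With only those three lines, PasswordAuthentication stays at its default, so the second config adds it explicitly. The function names and the assumed defaults for unset keywords are this example's own.

```python
# Assumed OpenSSH defaults for keywords the file leaves unset.
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}

# The three directives from the post; the user list is reduced to one
# entry because the post elides the rest.
POSTED = """\
PermitRootLogin no
ChallengeResponseAuthentication no
AllowUsers solar
"""
HARDENED = POSTED + "PasswordAuthentication no\n"

def effective(config_text):
    """Global settings as sshd reads them: keywords are case-insensitive
    and the first value given for a keyword wins."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                      # blank, comment or bare keyword
        key = parts[0].lower()
        if key == "match":
            break                         # conditional blocks not modelled
        if key not in seen:
            seen.add(key)
            settings[key] = parts[1].strip()
    return settings

def audit(config_text):
    """List the settings that still leave room for password guessing."""
    s, findings = effective(config_text), []
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': "
                        "password logins are still accepted")
    if s["challengeresponseauthentication"].lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': "
                        "PAM can still prompt for a password")
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no': "
                        "root logins are not refused outright")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: "
                        "any account may attempt a login")
    return findings

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.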


 Post subject: Re: login attempts via ssh
Posted: Tue Feb 10, 2009 2:56 am
Member

Joined: Sun Oct 22, 2006 7:01 am
Posts: 2631
Location: Devon, UK
Solar wrote:
Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.


Same here. Pity you can't let the attempted cracker know that you are aware of the attempts :twisted:

This has got me concerned. Currently at home I just use a Vista laptop which is behind a NAT router and is only on when it's in use. At the weekend, though, I'm going to be attempting to set up my old computer as a Gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with Linux security. Better do some research :?

Cheers,
Adam


 Post subject: Re: login attempts via ssh
Posted: Tue Feb 10, 2009 3:44 am
Member

Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7412
Location: Germany
AJ wrote:
At the weekend, though, I'm going to be attempting to set up my old computer as a Gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with Linux security. Better do some research :?



_________________
Every good solution is obvious once you've found it.


 Post subject: Re: login attempts via ssh
Posted: Tue Feb 10, 2009 4:20 am
Member

Joined: Sun Oct 22, 2006 7:01 am
Posts: 2631
Location: Devon, UK
Nice link, thanks. Gentoo does have some very nicely written documentation.

Cheers,
Adam


 Post subject: Re: login attempts via ssh
Posted: Tue Feb 10, 2009 8:41 pm
Member

Joined: Tue Oct 17, 2006 9:29 pm
Posts: 2423
Location: Canada
An exposed ssh server should not allow password authentication, public key only.

_________________
Twitter: @canadianbryan. Award by smcerm, I stole it. Original was larger.
UNIX&BSD's, your only aspirations, to be imitated! 8)
Windows, are an opening in an otherwise solid and opaque surface through which light and, sometimes, even air can pass through; nothing more.


 Post subject: Re: login attempts via ssh
Posted: Thu Feb 12, 2009 12:52 am
Member

Joined: Fri Jun 22, 2007 12:47 pm
Posts: 1598
Location: New Hampshire, USA
I disagree.

A good username/password combo with a strict failed password attempt maximum is very effective. Also, disallowing empty passwords and only allowing specific users to be able to be used will reduce attack effectiveness quite a bit.

I know it's security through obscurity, but changing the port does remove a lot of annoying bot attempts from filling the logs.

_________________
Website: https://Joscor.com

