OSDev.org https://forum.osdev.org/ |
|
login attempts via ssh https://forum.osdev.org/viewtopic.php?f=6&t=19137 |
Author: | chase [ Mon Feb 09, 2009 11:06 pm ] |
Post subject: | login attempts via ssh |
Just in case any of you have a system with remote ssh access setup I thought I'd share how frequently there are login attempts. The following list was started at the end of December using http://denyhosts.sourceforge.net/ |
Author: | eddyb [ Tue Feb 10, 2009 12:19 am ] |
Post subject: | Re: login attempts via ssh |
chase wrote: Just in case any of you have a system with remote ssh access setup I thought I'd share how frequently there are login attempts. The following list was started at the end of December using http://denyhosts.sourceforge.net/
Hi, chase, good to see you here. At least I can't see any IP address starting from the IP address range of my ISP. Maybe they are bots, or even botnets... |
Author: | Combuster [ Tue Feb 10, 2009 1:50 am ] |
Post subject: | Re: login attempts via ssh |
I'm pretty sure it's a botnet. Looking at my auth.log, I see 120 login attempts within 15 minutes, with failed user names that most likely come from a dictionary (and that's just the first instance of it, my log is 600k lines, the majority describing dictionary attacks). Good thing I keep strong passwords. |
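The kind of auth.log review described in the post above can be automated. The following is an added example, not code from any poster or from DenyHosts: it flags source addresses with a burst of failed logins inside a sliding window and lists the user names they tried. The log lines are constructed, and the function name, the threshold of 3, the 15-minute window and the assumed year are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 10 01:50:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Feb 10 01:50:04 host sshd[2102]: Failed password for root from 192.0.2.10 port 40002 ssh2
Feb 10 01:50:09 host sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Feb 10 01:51:00 host sshd[2104]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Feb 10 01:52:30 host sshd[2105]: Failed password for alice from 198.51.100.7 port 50130 ssh2
Feb 10 02:30:00 host sshd[2106]: Failed password for alice from 198.51.100.7 port 50131 ssh2
Feb 10 03:10:00 host sshd[2107]: Failed password for alice from 198.51.100.7 port 50132 ssh2
"""

# The user name is remote-controlled text, so match it greedily and take the
# address from the end of the line, where sshd itself writes it.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$"
)

def find_bursts(lines, threshold=3, window_minutes=15, year=2009):
    """Return {ip: sorted user names tried} for every source that reaches
    `threshold` failed logins inside any window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    users = defaultdict(set)      # ip -> every user name it tried
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        stamp, user, ip = m.groups()
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        users[ip].add(user)
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}
```

In the sample, 198.51.100.7 also fails three times, but spread over more than an hour, so only the burst from 192.0.2.10 is reported.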
Author: | xyzzy [ Tue Feb 10, 2009 1:58 am ] |
Post subject: | Re: login attempts via ssh |
Do you change the SSH port from the default? That's one of the first things I do when configuring a server - and I hardly ever get any login attempts. |
Author: | Solar [ Tue Feb 10, 2009 2:17 am ] |
Post subject: | Re: login attempts via ssh |
Actually I enjoy the idea of them *attempting* the login and ending up on the deny list. What I do to secure SSH is not changing the port (which is a nuisance for authorized users as well) but, in /etc/ssh/sshd_config:
Code:
PermitRootLogin no
ChallengeResponseAuthentication no
AllowUsers solar,...
This means logins to root / postmaster / admin are automatically declined, and allowed users require an SSH pubkey to log in. No problems with weak passwords and wordfile attacks anymore. The chances to correctly guess a pubkey in 3 attempts (before denyhosts kicks in) are astronomical... |
Author: | AJ [ Tue Feb 10, 2009 2:56 am ] |
Post subject: | Re: login attempts via ssh |
Solar wrote: Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.
Same here. Pity you can't let the attempted cracker know that you are aware of the attempts. This has got me concerned. Currently at home I just use a Vista laptop which is behind an NAT router and is only on when it's in use. At the weekend, though, I'm going to be attempting to set up my old computer as a gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with linux security. Better do some research.
Cheers, Adam |
Author: | Solar [ Tue Feb 10, 2009 3:44 am ] |
Post subject: | Re: login attempts via ssh |
AJ wrote: At the weekend, though, I'm going to be attempting to set up my old computer as a gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with linux security. Better do some research
|
Author: | AJ [ Tue Feb 10, 2009 4:20 am ] |
Post subject: | Re: login attempts via ssh |
Nice link, thanks. Gentoo does have some very nicely written documentation. Cheers, Adam |
Author: | Brynet-Inc [ Tue Feb 10, 2009 8:41 pm ] |
Post subject: | Re: login attempts via ssh |
An exposed ssh server should not allow password authentication, public key only. |
Author: | 01000101 [ Thu Feb 12, 2009 12:52 am ] |
Post subject: | Re: login attempts via ssh |
I disagree. A good username/password combo with a strict failed password attempt maximum is very effective. Also, disallowing empty passwords and only allowing specific users to be able to be used will reduce attack effectiveness quite a bit. I know it's security through obscurity, but changing the port does remove a lot of annoying bot attempts from filling the logs. |
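The settings raised across this thread (no root login, public key only, an explicit user list, no empty passwords, a cap on attempts) can be checked mechanically against an sshd_config. The following is an added example, not code from any poster or from OpenSSH: the two sample configurations are constructed, and the function names and the `MAX_TRIES` ceiling are assumptions. Defaults noted in comments are the documented OpenSSH ones for keywords left unset.

```python
MAX_TRIES = 3  # assumed ceiling for MaxAuthTries; pick your own policy value

# Constructed sample: the three directives posted in the thread, nothing else.
THREAD_FRAGMENT = """\
PermitRootLogin no
ChallengeResponseAuthentication no
AllowUsers solar
"""

# Constructed sample: same fragment with the remaining settings made explicit.
HARDENED = THREAD_FRAGMENT + """\
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Return {lowercased keyword: value}; sshd keeps the first value it reads."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional Match blocks are not evaluated in this sketch
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def audit(text):
    """Return {keyword: reason} for every setting that needs attention."""
    o, out = parse_sshd_config(text), {}
    if o.get("permitrootlogin") != "no":
        out["PermitRootLogin"] = "not set to 'no'"
    if o.get("passwordauthentication", "yes") != "no":  # sshd default: yes
        out["PasswordAuthentication"] = "passwords accepted, not public key only"
    if o.get("challengeresponseauthentication") != "no":
        out["ChallengeResponseAuthentication"] = "not explicitly disabled"
    if o.get("permitemptypasswords", "no") != "no":     # sshd default: no
        out["PermitEmptyPasswords"] = "empty passwords allowed"
    allow = o.get("allowusers")
    if allow is None or "," in allow:
        out["AllowUsers"] = "missing, or comma-separated (patterns are split on spaces)"
    if int(o.get("maxauthtries", "6")) > MAX_TRIES:     # sshd default: 6
        out["MaxAuthTries"] = f"more than {MAX_TRIES} tries per connection"
    return out
```

Run against the three-directive fragment alone, the audit reports `PasswordAuthentication` and `MaxAuthTries`, because both stay at their defaults unless the file sets them; the second sample returns no findings.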
All times are UTC - 6 hours |