Cosmin Nicolaescu on 26 Apr 2005 14:39:47 -0000



Re: [PLUG] Increase in SSH break-in attempts?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tue, April 26, 2005 10:10 am, Mike Leone said:
> Anybody else noticing an increase lately in the number of break-in attempts
> via SSH? I'm seeing more and more things like this over the last few weeks:
>
>
> ----- Forwarded message from logcheck@localhost -----
>
>> Date: Tue, 26 Apr 2005 10:02:16 -0400 (EDT)
>> From: logcheck@localhost
>> To: root@localhost
>> Subject: mail 2005-04-26 10:02 Security Events
>>
>> This email is sent by logcheck. If you wish to no-longer receive it,
>> you can either deinstall the logcheck package or modify its
>> configuration file (/etc/logcheck/logcheck.conf).
>>
>> Security Events
>> =-=-=-=-=-=-=-
>> Apr 26 09:16:41 mail sshd[23067]: (pam_securetty) access denied: tty 'ssh' is not secure !
>> Apr 26 09:46:37 mail sshd[23206]: Failed password for illegal user
>> jordan from 72.21.36.122 port 57322 ssh2
>> Apr 26 09:46:39 mail sshd[23208]: Failed password for illegal user
>> michael from 72.21.36.122 port 57420 ssh2
>> Apr 26 09:46:40 mail sshd[23210]: Failed password for illegal user
>> nicole from 72.21.36.122 port 57453 ssh2
>> Apr 26 09:46:41 mail sshd[23212]: Failed password for illegal user
>> daniel from 72.21.36.122 port 57491 ssh2
>> Apr 26 09:46:42 mail sshd[23214]: Failed password for illegal user
>> andrew from 72.21.36.122 port 57521 ssh2
>> Apr 26 09:46:44 mail sshd[23216]: Failed password for illegal user magic
>> from 72.21.36.122 port 57563 ssh2
>> Apr 26 09:46:45 mail sshd[23218]: Failed password for illegal user lion
>> from 72.21.36.122 port 57598 ssh2
>> Apr 26 09:46:46 mail sshd[23220]: Failed password for illegal user david
>> from 72.21.36.122 port 57633 ssh2
>> Apr 26 09:46:48 mail sshd[23222]: Failed password for illegal user jason
>> from 72.21.36.122 port 57668 ssh2
>> Apr 26 09:46:49 mail sshd[23224]: Failed password for illegal user
>> carmen from 72.21.36.122 port 57706 ssh2
>> Apr 26 09:46:50 mail sshd[23226]: Failed password for illegal user
>> justin from 72.21.36.122 port 57740 ssh2
>> Apr 26 09:46:52 mail sshd[23228]: Failed password for illegal user
>> charlie from 72.21.36.122 port 57781 ssh2
>> Apr 26 09:46:53 mail sshd[23230]: Failed password for illegal user
>> steven from 72.21.36.122 port 57814 ssh2
>> Apr 26 09:46:54 mail sshd[23232]: Failed password for illegal user
>> brandon from 72.21.36.122 port 57841 ssh2
>> Apr 26 09:46:56 mail sshd[23234]: Failed password for illegal user brian
>> from 72.21.36.122 port 57880 ssh2
>> Apr 26 09:46:57 mail sshd[23236]: Failed password for illegal user
>> stephen from 72.21.36.122 port 57916 ssh2
>> Apr 26 09:46:58 mail sshd[23238]: Failed password for illegal user
>> william from 72.21.36.122 port 57950 ssh2
>> Apr 26 09:47:00 mail sshd[23240]: Failed password for illegal user angel
>> from 72.21.36.122 port 57986 ssh2
>> Apr 26 09:47:01 mail sshd[23242]: Failed password for illegal user emily
>> from 72.21.36.122 port 58021 ssh2
>> Apr 26 09:47:03 mail sshd[23244]: Failed password for illegal user eric
>> from 72.21.36.122 port 58062 ssh2
>> Apr 26 09:47:04 mail sshd[23246]: Failed password for illegal user joe
>> from 72.21.36.122 port 58093 ssh2
>> Apr 26 09:47:05 mail sshd[23248]: Failed password for illegal user tom
>> from 72.21.36.122 port 58126 ssh2
>> Apr 26 09:47:07 mail sshd[23250]: Failed password for illegal user billy
>> from 72.21.36.122 port 58157 ssh2
>> Apr 26 09:47:08 mail sshd[23252]: Failed password for illegal user buddy
>> from 72.21.36.122 port 58198 ssh2
>> Apr 26 09:47:09 mail sshd[23254]: Failed password for illegal user
>> jeremy from 72.21.36.122 port 58230 ssh2
>> Apr 26 09:47:10 mail sshd[23256]: Failed password for illegal user
>> vampire from 72.21.36.122 port 58264 ssh2
>> Apr 26 09:47:12 mail sshd[23258]: Failed password for illegal user betty
>> from 72.21.36.122 port 58298 ssh2
>> Apr 26 09:47:13 mail sshd[23260]: Failed password for illegal user max
>> from 72.21.36.122 port 58332 ssh2
>> Apr 26 09:47:14 mail sshd[23262]: Failed password for illegal user
>> nicholas from 72.21.36.122 port 58367 ssh2
>> Apr 26 09:47:16 mail sshd[23264]: Failed password for illegal user robin
>> from 72.21.36.122 port 58403 ssh2
>> Apr 26 09:47:17 mail sshd[23266]: Failed password for illegal user
>> johnny from 72.21.36.122 port 58433 ssh2
>> Apr 26 09:47:18 mail sshd[23268]: Failed password for illegal user lucy
>> from 72.21.36.122 port 58470 ssh2
>> Apr 26 09:47:20 mail sshd[23270]: Failed password for illegal user maria
>> from 72.21.36.122 port 58506 ssh2
>> Apr 26 09:47:21 mail sshd[23272]: Failed password for illegal user rose
>> from 72.21.36.122 port 58542 ssh2
>> Apr 26 09:47:22 mail sshd[23274]: Failed password for mail from
>> 72.21.36.122 port 58576 ssh2
>> Apr 26 09:47:24 mail sshd[23276]: Failed password for illegal user god
>> from 72.21.36.122 port 58613 ssh2
>> Apr 26 09:47:25 mail sshd[23278]: Failed password for illegal user
>> barbara from 72.21.36.122 port 58650 ssh2
>> Apr 26 09:47:26 mail sshd[23280]: Failed password for illegal user
>> larisa from 72.21.36.122 port 58683 ssh2
>> Apr 26 09:47:28 mail sshd[23282]: Failed password for illegal user jane
>> from 72.21.36.122 port 58723 ssh2
>> Apr 26 09:47:29 mail sshd[23284]: Failed password for illegal user dog
>> from 72.21.36.122 port 58752 ssh2
>> Apr 26 09:47:30 mail sshd[23286]: Failed password for illegal user sparc
>> from 72.21.36.122 port 58781 ssh2
>> Apr 26 09:47:31 mail sshd[23288]: Failed password for illegal user
>> credit from 72.21.36.122 port 58812 ssh2
>> Apr 26 09:47:33 mail sshd[23290]: Failed password for illegal user info
>> from 72.21.36.122 port 58843 ssh2
>> Apr 26 09:47:34 mail sshd[23292]: Failed password for illegal user
>> manager from 72.21.36.122 port 58871 ssh2
>> Apr 26 09:47:35 mail sshd[23294]: Failed password for illegal user horse
>> from 72.21.36.122 port 58897 ssh2
>> Apr 26 09:47:36 mail sshd[23296]: Failed password for illegal user nokia
>> from 72.21.36.122 port 58928 ssh2
>> Apr 26 09:47:38 mail sshd[23298]: Failed password for illegal user tv
>> from 72.21.36.122 port 58955 ssh2
>> Apr 26 09:47:39 mail sshd[23300]: Failed password for illegal user
>> connect from 72.21.36.122 port 58980 ssh2
>> Apr 26 09:47:40 mail sshd[23302]: Failed password for illegal user fire
>> from 72.21.36.122 port 59017 ssh2
>> Apr 26 09:47:42 mail sshd[23304]: Failed password for illegal user local
>> from 72.21.36.122 port 59046 ssh2
>> Apr 26 09:47:43 mail sshd[23306]: Failed password for illegal user host
>> from 72.21.36.122 port 59074 ssh2
>> Apr 26 09:47:44 mail sshd[23308]: Failed password for illegal user billy
>> from 72.21.36.122 port 59107 ssh2
>> Apr 26 09:47:45 mail sshd[23310]: Failed password for illegal user yoyo
>> from 72.21.36.122 port 59134 ssh2
>> Apr 26 09:47:47 mail sshd[23312]: Failed password for illegal user
>> victor from 72.21.36.122 port 59171 ssh2
>> Apr 26 09:47:48 mail sshd[23314]: Failed password for illegal user fbi
>> from 72.21.36.122 port 59201 ssh2
>> Apr 26 09:47:49 mail sshd[23316]: Failed password for illegal user mark
>> from 72.21.36.122 port 59235 ssh2
>> Apr 26 09:47:51 mail sshd[23318]: Failed password for illegal user
>> william from 72.21.36.122 port 59269 ssh2
>> Apr 26 09:47:52 mail sshd[23321]: Failed password for illegal user
>> patrick from 72.21.36.122 port 59302 ssh2
>>
>> System Events
>> =-=-=-=-=-=-
>> Apr 26 09:29:17 mail sshd[23145]: Did not receive identification string from 72.21.36.122
>> Apr 26 09:46:36 mail sshd[23206]: Illegal user jordan from 72.21.36.122
>
> <SNIP>
>
> You get the idea.
>
> I'm up to date on patches, I believe, especially for SSH. Some new hot thing
> among script kiddies? Or have I just not noticed, since I haven't been
> running logcheck until recently?
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --
> http://www.phillylinux.org
> Announcements -
> http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --
> http://lists.phillylinux.org/mailman/listinfo/plug
>

This has actually been going on for a few months now. It's a little script
that some idiot wrote and all the script kiddies love. I haven't
personally heard of anyone actually being hacked through this. It's very
weak and stupid; I wouldn't worry too much about it (unless you actually
have users with some of those usernames who might have weak passwords. I
suggest checking their passwords with tools such as John the Ripper; if
John can crack them, then you're in trouble).

I actually switched the SSH port from 22 (since only a few people actually
have bash shells they use, it's not too big of a headache), and am logging
all activity on 22. I get logs daily of people trying to get on through 22,
only they give up after 4-5 attempts. I actually let them hang on
that port (DROP, not REJECT, so that their automated script will just hang
there; at least it'll slow down their 'work'). I've been wanting to write
a little automated script to block them automatically, but I've been jammed
at work too much.

-Cos

--
GPG key fingerprint = DE9F 4664 E666 2BD1 903E  4F4D EA31 5FB1 C7F9 08C1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCblLw6jFfscf5CMERAkSyAJ9oeqxEMwOShkSDeTcP2N60vA+gPwCgqr5k
9SS2gEmokBNJGOUV5kyhWlE=
=T7tw
-----END PGP SIGNATURE-----
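The "little automated script to block them" that Cos says he wanted to write, as an added example; this is not code from either poster. It parses sshd "Failed password" lines in the exact format shown in Mike's logcheck mail (both the "illegal user" form and the plain "Failed password for mail from ..." form, which has no "illegal user" text and is easy to miss with a naive grep), counts failures per source IP inside a sliding time window, and renders iptables DROP rules for any IP over the threshold. The 72.21.36.122 lines below are copied from the post; the 10.0.0.7 lines, the threshold and window values, and the never_block whitelist are my own constructed inputs and choices. The rules are only rendered, not executed, so you can inspect them before feeding them to a root shell.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both forms seen in the post's logcheck output:
#   sshd[23206]: Failed password for illegal user jordan from 72.21.36.122 port 57322 ssh2
#   sshd[23274]: Failed password for mail from 72.21.36.122 port 58576 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<illegal>illegal user) )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: the 72.21.36.122 lines are from the post, the
# 10.0.0.7 lines are made up to show a legitimate user with one typo.
SAMPLE_LOG = """\
Apr 26 09:29:17 mail sshd[23145]: Did not receive identification string from 72.21.36.122
Apr 26 09:46:36 mail sshd[23206]: Illegal user jordan from 72.21.36.122
Apr 26 09:46:37 mail sshd[23206]: Failed password for illegal user jordan from 72.21.36.122 port 57322 ssh2
Apr 26 09:46:39 mail sshd[23208]: Failed password for illegal user michael from 72.21.36.122 port 57420 ssh2
Apr 26 09:46:40 mail sshd[23210]: Failed password for illegal user nicole from 72.21.36.122 port 57453 ssh2
Apr 26 09:46:41 mail sshd[23212]: Failed password for illegal user daniel from 72.21.36.122 port 57491 ssh2
Apr 26 09:47:22 mail sshd[23274]: Failed password for mail from 72.21.36.122 port 58576 ssh2
Apr 26 09:47:24 mail sshd[23276]: Failed password for illegal user god from 72.21.36.122 port 58613 ssh2
Apr 26 11:03:10 mail sshd[23400]: Failed password for mike from 10.0.0.7 port 41002 ssh2
Apr 26 11:03:15 mail sshd[23401]: Accepted password for mike from 10.0.0.7 port 41002 ssh2
"""


def parse_failures(lines, year=2005):
    """Return a list of (timestamp, user, is_illegal_user, source_ip) for
    every failed-password line; other sshd messages are ignored. syslog
    omits the year, so it is supplied by the caller (assumed 2005 here)."""
    out = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["illegal"] is not None, m["ip"]))
    return out


def offenders(failures, threshold=5, window_seconds=600):
    """Map source IP -> largest number of failures that fall inside any
    window of window_seconds, keeping only IPs at or above threshold.
    Threshold and window are illustrative values, not from the post."""
    by_ip = defaultdict(list)
    for ts, _user, _illegal, ip in failures:
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[ip] = best
    return result


def drop_rules(offender_ips, never_block=frozenset({"127.0.0.1"})):
    """Render iptables commands (DROP, not REJECT, so the scanner's socket
    hangs instead of getting an immediate refusal). The whitelist guards
    against locking yourself out from a mistyped password."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip in sorted(offender_ips) if ip not in never_block]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG.splitlines())
    for rule in drop_rules(offenders(failures)):
        print(rule)
```

Run it against `/var/log/auth.log` (or whatever syslog facility sshd writes to on your box) from cron and pipe the output to a shell; before doing that, add your own management addresses to never_block, and remember that the same attacker will simply move to the next IP in their list, so these rules need expiring rather than accumulating forever.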