[lug] Cracking attempts via SSH

Ryan Wheaton ryan.wheaton at comcast.net
Thu Aug 19 11:49:20 MDT 2004


I've seen a lot of these on my boxes as well.  Did a little research, 
and it seems that they're coming from root-kitted boxes around the net, 
that's why they keep trying the same thing over and over again.  
They're searching for unpatched systems (or systems with barely any 
admin, etc).  So as long as you're up to date, and those accounts don't 
exist, there's not much to worry about.

Even if these exploits weren't around, I'd disable remote root login 
anyways, then you don't really have to worry about how good your 
password is...  you could report all of the misbehaving boxes to their 
respective ISP (the *right* thing to do), but I see so much of them, 
and abuse@ seems like such a waste of time these days that I haven't 
even bothered.  If you are really paranoid, you could write a little 
script that scans your logs and blocks the IPs that the attempts come 
from, but it will probably still show up in your logs (at least for 
some time).

hth,

-rtw
On Thursday, Aug 19, 2004, at 11:45 America/Denver, Bill Thoen wrote:

> Back around July 26, I first started seeing unauthorized attempts to 
> gain
> access to my server via ssh. The pattern was to try accessing an 
> account
> named 'test', then 2 seconds later to try the account 'guest.' The
> originating IPs were from Korea and China (of course), Italy, Russia, 
> and
> other European sources. Even one from the class B network I'm on.
>
> Then starting Aug 9, a second pattern appeared. These attempts now look
> like this (from /var/log/secure):
>
> Aug 18 09:32:27 gisnet sshd[31737]: Illegal user test from 65.37.37.15
> Aug 18 09:32:29 gisnet sshd[31739]: Illegal user guest from 65.37.37.15
> Aug 18 09:32:31 gisnet sshd[31741]: Illegal user admin from 65.37.37.15
> Aug 18 09:32:33 gisnet sshd[31743]: Illegal user admin from 65.37.37.15
> Aug 18 09:32:36 gisnet sshd[31745]: Illegal user user from 65.37.37.15
> Aug 18 09:32:46 gisnet sshd[31747]: Failed password for root from
> 65.37.37.15 port 4496 ssh2
> Aug 18 09:32:50 gisnet sshd[31749]: Failed password for root from
> 65.37.37.15 port 4710 ssh2
> Aug 18 09:32:55 gisnet sshd[31751]: Failed password for root from
> 65.37.37.15 port 4809 ssh2
> Aug 18 09:32:57 gisnet sshd[31753]: Illegal user test from 65.37.37.15
>
> So what's going on? Are script kiddies trying out something new that I
> should be concerned about? What bothers me is the three tries on 
> 'root'.
> I think I've got a decent password, but I don't know much about 
> cracking,
> so I don't know what they're capable of.
>
> Any recommendations as to what I ought to do, or is openssh 3.5p1-6 
> secure
> enough?
>
> - Bill Thoen
>
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
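The "little script that scans your logs and blocks the IPs" Ryan mentions, written out as an added example that is not from either poster: it parses the two sshd line shapes Bill quoted, flags source addresses that pile up repeated failures inside a short window, and emits firewall rules for an admin to review rather than applying them. It assumes Python 3 and an iptables host; the sample log lines are constructed in the same format using documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime
# The two sshd line shapes quoted in the thread (syslog timestamps carry no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<bad_user>\S+) from (?P<ip1>[\d.]+)"
    r"|Failed password for (?P<user>\S+) from (?P<ip2>[\d.]+) port \d+)"
)

def parse_line(line, year=2004):
    """Return (timestamp, source_ip, user) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip1"] or m["ip2"], m["bad_user"] or m["user"]

def offenders(lines, threshold=4, window_seconds=600):
    """IPs with at least `threshold` failures inside any `window_seconds` span."""
    times_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            times_by_ip[parsed[1]].append(parsed[0])
    hits = []
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(ip)
                break
    return sorted(hits)

def block_commands(ips):
    """Firewall rules to review before applying (assumes iptables; not executed here)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]
# Constructed sample in the format Bill quoted; 192.0.2.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    "Aug 18 09:32:27 gisnet sshd[31737]: Illegal user test from 192.0.2.10",
    "Aug 18 09:32:29 gisnet sshd[31739]: Illegal user guest from 192.0.2.10",
    "Aug 18 09:32:36 gisnet sshd[31745]: Illegal user user from 192.0.2.10",
    "Aug 18 09:32:46 gisnet sshd[31747]: Failed password for root from 192.0.2.10 port 4496 ssh2",
    "Aug 18 09:40:01 gisnet sshd[31800]: Failed password for bill from 198.51.100.7 port 5120 ssh2",
    "Aug 18 09:41:03 gisnet sshd[31801]: Accepted password for bill from 198.51.100.7 port 5120 ssh2",
]
```

Feed it the lines of /var/log/secure and it returns only the sources that exceed the threshold, so a single typo by a legitimate user never earns a block.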
