[lug] Cracking attempts via SSH

Richard H. Fifarek rfifarek at fifarek.net
Thu Aug 19 11:45:51 MDT 2004


On Thu, 19 Aug 2004, Bill Thoen wrote:

> The pattern was to try accessing an account named 'test', then 2 seconds
> later to try the account 'guest.' The originating IPs were from Korea
> and China (of course), Italy, Russia, and other European sources. Even
> one from the class B network I'm on.

	I'm seeing these as well.

> So what's going on? Are script kiddies trying out something new that I
> should be concerned about? What bothers me is the three tries on 'root'.
> I think I've got a decent password, but I don't know much about cracking,
> so I don't know what they're capable of.

Some things that you can do to protect yourself:

	- disable remote root logins via ssh, force admins to su

	- increase the length of passwords (increases the time it takes to
	  brute-force crack them)

	- use pam_tally to limit failed logins to X number of attempts
	  before the account is locked (we use 5)

	- firewall off connections from obvious IP ranges that users
	  wouldn't likely connect from (China, Korea, etc.)

	- one-time passwords (expensive and painful but effective)

	The first three are fairly easy to do and not too painful; the last two
are potentially problematic.

-- 
Richard H. Fifarek
rfifarek at fifarek.net
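The probe pattern Bill describes and the pam_tally threshold Richard mentions, as an added detection example that is not part of the original thread: it parses failed sshd logins from constructed log lines, flags source IPs that tried 'test' and then 'guest' within a few seconds, and counts failures per account so you can see where a lockout threshold of 5 would trip. The syslog line format, the sample addresses and the 10-second window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample sshd log lines (not from the post); same sequence the
# thread describes: 'test', 'guest' 2 s later, then repeated tries on 'root'.
SAMPLE_LOG = """\
Aug 19 10:01:00 host sshd[4101]: Failed password for invalid user test from 203.0.113.7 port 40211 ssh2
Aug 19 10:01:02 host sshd[4103]: Failed password for invalid user guest from 203.0.113.7 port 40212 ssh2
Aug 19 10:01:05 host sshd[4105]: Failed password for root from 203.0.113.7 port 40213 ssh2
Aug 19 10:01:06 host sshd[4106]: Failed password for root from 203.0.113.7 port 40214 ssh2
Aug 19 10:01:07 host sshd[4107]: Failed password for root from 203.0.113.7 port 40215 ssh2
Aug 19 10:01:08 host sshd[4108]: Failed password for root from 203.0.113.7 port 40216 ssh2
Aug 19 10:01:09 host sshd[4109]: Failed password for root from 203.0.113.7 port 40217 ssh2
Aug 19 10:03:10 host sshd[4120]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Aug 19 10:03:40 host sshd[4121]: Accepted password for alice from 198.51.100.9 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text, year=2004):
    """Return (timestamp, user, ip) for every failed sshd login in the text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one must be supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def find_probe_sources(events, window_seconds=10):
    """Source IPs that tried 'test' and then 'guest' within the window."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    suspects = []
    for ip, tries in by_ip.items():
        test_times = [t for t, u in tries if u == "test"]
        if any(u == "guest" and any(0 <= (t - tt).total_seconds() <= window_seconds
                                    for tt in test_times) for t, u in tries):
            suspects.append(ip)
    return sorted(suspects)

def failures_per_account(events):
    """Failed logins per account: the count pam_tally compares against its
    lockout threshold (the poster locks at 5)."""
    return dict(Counter(user for _, user, _ in events))
```

Running `find_probe_sources(parse_failures(SAMPLE_LOG))` on the sample returns only the scanning host, and `failures_per_account` shows 'root' at the poster's threshold of 5 while the legitimate user's single typo stays well below it.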