[lug] Cracking attempts via SSH

Shannon Johnston sjohnston at cavionplus.com
Thu Aug 19 11:50:55 MDT 2004


Hmm...
I would start by upgrading your OpenSSH. It doesn't look like they're
attempting any exploits, but it's only a matter of time.

The second thing you should do would be to make sure that the
PermitRootLogin option in /etc/ssh/sshd_config is set to "no".

Also, you can set who is allowed to ssh into the box by making entries
in /etc/security/access.conf

Hope that helps!

Shannon Johnston


On Thu, 2004-08-19 at 11:45, Bill Thoen wrote:
> Back around July 26, I first started seeing unauthorized attempts to gain
> access to my server via ssh. The pattern was to try accessing an account
> named 'test', then 2 seconds later to try the account 'guest.' The
> originating IPs were from Korea and China (of course), Italy, Russia, and
> other European sources. Even one from the class B network I'm on.
> 
> Then starting Aug 9, a second pattern appeared. These attempts now look
> like this (from /var/log/secure):
> 
> Aug 18 09:32:27 gisnet sshd[31737]: Illegal user test from 65.37.37.15
> Aug 18 09:32:29 gisnet sshd[31739]: Illegal user guest from 65.37.37.15
> Aug 18 09:32:31 gisnet sshd[31741]: Illegal user admin from 65.37.37.15
> Aug 18 09:32:33 gisnet sshd[31743]: Illegal user admin from 65.37.37.15
> Aug 18 09:32:36 gisnet sshd[31745]: Illegal user user from 65.37.37.15
> Aug 18 09:32:46 gisnet sshd[31747]: Failed password for root from 65.37.37.15 port 4496 ssh2
> Aug 18 09:32:50 gisnet sshd[31749]: Failed password for root from 65.37.37.15 port 4710 ssh2
> Aug 18 09:32:55 gisnet sshd[31751]: Failed password for root from 65.37.37.15 port 4809 ssh2
> Aug 18 09:32:57 gisnet sshd[31753]: Illegal user test from 65.37.37.15
> 
> So what's going on? Are script kiddies trying out something new that I
> should be concerned about? What bothers me is the three tries on 'root'.  
> I think I've got a decent password, but I don't know much about cracking,
> so I don't know what they're capable of.
> 
> Any recommendations as to what I ought to do, or is openssh 3.5p1-6 secure 
> enough?
> 
> - Bill Thoen
> 
> 
-- 
Shannon Johnston <sjohnston at cavionplus.com>
Cavion Plus
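As an added illustration, not part of Shannon's or Bill's messages, here is a small Python script that parses sshd lines of the kind Bill quoted from /var/log/secure, groups them by source address, and flags the burst pattern he describes (a run of "Illegal user" probes followed by repeated failed root logins). The sample log is constructed: it reproduces the quoted excerpt plus two made-up benign lines for 192.0.2.10 so that a normal host shows up as not suspicious. The regexes also accept the "Invalid user" wording that later OpenSSH releases use instead of "Illegal user"; the syslog year (2004), the 60-second window and the threshold of 5 events are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample, modelled on the /var/log/secure excerpt quoted in the thread,
# plus two invented lines for a legitimate user to show a non-suspicious host.
SAMPLE_LOG = """\
Aug 18 09:32:27 gisnet sshd[31737]: Illegal user test from 65.37.37.15
Aug 18 09:32:29 gisnet sshd[31739]: Illegal user guest from 65.37.37.15
Aug 18 09:32:31 gisnet sshd[31741]: Illegal user admin from 65.37.37.15
Aug 18 09:32:33 gisnet sshd[31743]: Illegal user admin from 65.37.37.15
Aug 18 09:32:36 gisnet sshd[31745]: Illegal user user from 65.37.37.15
Aug 18 09:32:46 gisnet sshd[31747]: Failed password for root from 65.37.37.15 port 4496 ssh2
Aug 18 09:32:50 gisnet sshd[31749]: Failed password for root from 65.37.37.15 port 4710 ssh2
Aug 18 09:32:55 gisnet sshd[31751]: Failed password for root from 65.37.37.15 port 4809 ssh2
Aug 18 09:32:57 gisnet sshd[31753]: Illegal user test from 65.37.37.15
Aug 18 10:14:58 gisnet sshd[31801]: Failed password for bill from 192.0.2.10 port 51233 ssh2
Aug 18 10:15:02 gisnet sshd[31802]: Accepted publickey for bill from 192.0.2.10 port 51234 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")

# Message bodies we care about. Old OpenSSH logs "Illegal user", newer "Invalid user".
PATTERNS = (
    ("illegal_user", re.compile(r"(?:Illegal|Invalid) user (\S+) from (\S+)")),
    ("failed_password", re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")),
)


class Event(NamedTuple):
    ts: datetime
    kind: str
    user: str
    ip: str


def parse_events(text, year=2004):
    """Extract failed-login events from sshd syslog lines.

    Syslog timestamps carry no year, so one is supplied (assumed 2004 here).
    Lines that are not failed logins (e.g. successful key auth) are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text, msg = m.groups()
        for kind, pat in PATTERNS:
            pm = pat.match(msg)
            if pm:
                user, ip = pm.groups()
                ts = datetime.strptime(f"{year} {' '.join(ts_text.split())}",
                                       "%Y %b %d %H:%M:%S")
                events.append(Event(ts, kind, user, ip))
                break
    return events


def summarize(events, window=timedelta(seconds=60), threshold=5):
    """Per source IP: probed usernames, failed root attempts, and the peak
    number of failures inside any sliding window; flag hosts that exceed
    the threshold or that keep hammering root."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        peak, start = 0, 0
        for i in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[i].ts - evs[start].ts > window:
                start += 1
            peak = max(peak, i - start + 1)
        failed_root = sum(1 for e in evs
                          if e.kind == "failed_password" and e.user == "root")
        report[ip] = {
            "illegal_users": sorted({e.user for e in evs if e.kind == "illegal_user"}),
            "failed_root": failed_root,
            "peak_per_window": peak,
            "suspicious": peak >= threshold or failed_root >= 3,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(parse_events(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{ip:15} {flag:10} root failures={info['failed_root']} "
              f"peak/60s={info['peak_per_window']} probed={info['illegal_users']}")
```

Run against a real /var/log/secure the script gives a quick per-address view of who is probing, which is useful both for deciding whether a host belongs in a deny list such as the access.conf entries Shannon mentions and for confirming, after setting PermitRootLogin to no, that the root attempts have stopped succeeding at even reaching password authentication.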