[lug] Cracking attempts via SSH

Matt Thompson thompsma at colorado.edu
Thu Aug 19 12:35:43 MDT 2004


On Thu, 2004-08-19 at 11:45, Bill Thoen wrote:
> Back around July 26, I first started seeing unauthorized attempts to gain
> access to my server via ssh. The pattern was to try accessing an account
> named 'test', then 2 seconds later to try the account 'guest.' The
> originating IPs were from Korea and China (of course), Italy, Russia, and
> other European sources. Even one from the class B network I'm on.

Well, since everyone else is chiming in, so shall I.

I want to let it be known that this can be a rather boring, somewhat
effective DoS attack.  That is, if you run Tru64.  My Alpha box here at
work recently disabled root because of these.  Tru64 has a rather strict
(Nurse Ratched-like) default security setup, or at least my workstation
does.  So, when the box got some number (I think only 50) of failed root
attempts, it shut down root.

The fun part was when you tried to log in as root, it told you the
account was disabled and to use the account administrator's account to
reenable.  Well, root is the acc. admin, so that was fun!  Luckily, the
Tru64 guru here knew enough about the single-user mode/boot-off-CD stuff
to rehack the user database to let root live again.

I also got to see a new error from Tru64 because of this.  It turns out
that the attack at some point tripped a "too many actions" alarm where I
think 500 attempts were made in a minute or two.  That log was fun to
look at the next day.  Compressed nicely, though.

Matt

-- 
Learning just means you were wrong and they were right. - Aram
   Matt Thompson -- http://ucsub.colorado.edu/~thompsma/
   440 UCB, Boulder, CO  80309-0440
   JILA A510, 303-492-4662