[lug] Cracking attempts via SSH
Jeff Schroeder
jeff at neobox.net
Thu Aug 19 11:45:12 MDT 2004
Bill wrote:
> Back around July 26, I first started seeing unauthorized attempts to
> gain access to my server via ssh. The pattern was to try accessing an
> account named 'test', then 2 seconds later to try the account
> 'guest.'
Same here. I have attempts to get in as 'test', 'guest', and (clever)
'user'. I also have 'root' attempts, as you describe:
Aug 16 06:25:53 [sshd] Failed password for illegal user admin
from ::ffff:61.157.226.106 port 52586 ssh2
Aug 16 06:25:53 [sshd] Failed password for root
from ::ffff:61.157.226.106 port 52669 ssh2
Aug 16 06:25:53 [sshd] Failed password for illegal user user
from ::ffff:61.157.226.106 port 52656 ssh2
Aug 16 06:25:56 [sshd] Failed password for illegal user admin
from ::ffff:61.157.226.106 port 52662 ssh2
Aug 16 06:25:57 [sshd] Failed password for root
from ::ffff:61.157.226.106 port 52712 ssh2
Aug 16 06:25:58 [sshd] Failed password for illegal user admin
from ::ffff:61.157.226.106 port 52679 ssh2
Aug 16 06:25:59 [sshd] Failed password for illegal user user
from ::ffff:61.157.226.106 port 52720 ssh2
Aug 17 02:43:05 [sshd] Failed password for illegal user test
from ::ffff:61.157.226.106 port 50853 ssh2
> So what's going on? Are script kiddies trying out something new that
> I should be concerned about? What bothers me is the three tries on
> 'root'. I think I've got a decent password, but I don't know much
> about cracking, so I don't know what they're capable of.
I haven't read anything about any new attacks, but it sure looks like
the kids are playing. If your root password is strong (letters,
numbers, special characters, length > 8) you're fairly safe from a
dictionary attack.
> Any recommendations as to what I ought to do, or is openssh 3.5p1-6
> secure enough?
I always get the latest OpenSSH when it's available. Just two days ago
version 3.9 was released; I'd highly recommend upgrading yours. I
don't worry terribly about whether autoconf (for example) is bleeding
edge, but since SSH provides root access to machines, I think it's one
of the more important packages to keep up-to-date.
$0.02,
Jeff
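
An added example, not part of the original message: one way to summarize log entries like those quoted above by source address, so a burst of guesses against 'root' and nonexistent accounts stands out. The function names, thresholds, year and sample addresses are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the post (each entry rejoined
# onto one line); addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug 16 06:25:53 [sshd] Failed password for illegal user admin from ::ffff:192.0.2.10 port 52586 ssh2
Aug 16 06:25:53 [sshd] Failed password for root from ::ffff:192.0.2.10 port 52669 ssh2
Aug 16 06:25:56 [sshd] Failed password for illegal user user from ::ffff:192.0.2.10 port 52656 ssh2
Aug 16 06:25:59 [sshd] Failed password for illegal user test from ::ffff:192.0.2.10 port 52720 ssh2
Aug 16 09:10:02 [sshd] Failed password for jeff from ::ffff:198.51.100.7 port 40112 ssh2
Aug 16 09:10:09 [sshd] Accepted password for jeff from ::ffff:198.51.100.7 port 40112 ssh2
"""

# "illegal user" (older OpenSSH) or "invalid user" (newer) marks an account
# name that does not exist on the server; its absence means the name is real.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \[sshd\] Failed password for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\S+) port \d+")


def parse_failures(text, year=2004):
    """Yield (timestamp, source_ip, user, account_exists) per failed login."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied (assumed)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["unknown"] is None


def find_guessers(text, min_failures=3, window=timedelta(seconds=60)):
    """Report sources with >= min_failures failed logins inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, exists in parse_failures(text):
        by_ip[ip].append((ts, user, exists))
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for i in range(len(events) - min_failures + 1):
            if events[i + min_failures - 1][0] - events[i][0] <= window:
                report[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u, _ in events}),
                    "real_accounts": sorted({u for _, u, e in events if e}),
                }
                break
    return report
```

Calling `find_guessers(SAMPLE_LOG)` reports only 192.0.2.10; the single mistyped password from 198.51.100.7 stays below the threshold, and the `real_accounts` field shows which existing accounts were targeted.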