[LUAU] Handling Brute Force Attacks

Jim Thompson jim at netgate.com
Wed Jul 27 12:39:34 PDT 2005


On Jul 27, 2005, at 11:29 AM, R. Scott Belford wrote:

> Slashdot recently referenced a good article about the growing
> number of Brute Force Attacks against ssh
>
> http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
>
> Night after night my server is one whose logs fill with thousands
> of lines like these:
>
> Security Events
> =-=-=-=-=-=-=-=
> Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:217.106.234.86 port 36812 ssh2
> Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from ::ffff:217.106.234.86 port 36912 ssh2
> Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from ::ffff:217.106.234.86 port 37011 ssh2
> Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from ::ffff:217.106.234.86 port 37114 ssh2
> Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from ::ffff:217.106.234.86 port 37212 ssh2

Since the beginning of July we've turned away nearly 5500 of these, and 16 more attempts that resulted in
"Did not receive identification string from <IP.AD.DR.ESS>"

It's been going on for at least a year, possibly longer.  (I'm trying to forget all that came before Hawaii.)

Here are the most popular names they try (and the number of times they've tried them):

     368 admin
     125 user
      87 administrator
      37 test
      32 guest
      29 adm
      22 account
      21 info
      17 oracle
      17 abuse
      17 aaron
      16 tomcat
      15 webadmin
      14 pgsql
      14 adachi
      14 abe
      14 a4
      13 michael
      13 fax
      12 sales
      12 mike
      12 george
      12 cyrus
      12 angel
      12 admins
      11 web
      11 richard
      11 cary
      10 webmaster
      10 rpm
      10 nicole

> I don't allow Root logins and I only allow trusted users.

You could turn off password authentication.  (It's what I do.  A bit more admin headache up-front, but most people love not having to remember passwords.)  It does, however, open you a bit to *their* security practices (but so do passwords).

> How are others handling this?  Do you block the IP address?  If so,  
> does it help, or are you still found by yet another zombie?  Any  
> suggestions or insight are welcome.

Some advocate dynamic port knocking: http://www.security.org.sg/code/portknock1.html
Some don't: http://software.newsforge.com/software/04/08/02/1954253.shtml

You can auto-blacklist as well:  http://www.pettingers.org/code/sshblack.html

Jim
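A small log summarizer in the spirit of the username count above, added here as an example and not part of the original thread or any of the tools it links: it parses sshd "Failed password" lines of the form quoted above, tallies attempted usernames and source addresses, and lists sources at or over a threshold as candidates for the kind of auto-blacklisting Jim mentions. The sample log lines (beyond the thread's own first one) and the threshold of 3 are constructed for the example.

```python
import re
from collections import Counter

# Matches the sshd "Failed password" lines quoted in the thread. The
# "illegal user" phrase (spelled "invalid user" by newer OpenSSH) is
# optional because sshd omits it when the account exists; those
# attempts are worth counting too.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def normalize_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix (::ffff:1.2.3.4 -> 1.2.3.4)."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def summarize(lines):
    """Count failed logins per attempted username and per source address."""
    users, sources = Counter(), Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            users[m.group("user")] += 1
            sources[normalize_ip(m.group("ip"))] += 1
    return users, sources


def blacklist_candidates(sources, threshold):
    """Source addresses with at least `threshold` failures, busiest first."""
    return [ip for ip, n in sources.most_common() if n >= threshold]


# Constructed sample lines in the format quoted in the thread (the first
# is the thread's own; the rest use RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:217.106.234.86 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user admin from ::ffff:217.106.234.86 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user admin from ::ffff:217.106.234.86 port 37011 ssh2
Jul 27 03:05:40 debby sshd[20301]: Failed password for test from ::ffff:192.0.2.10 port 40012 ssh2
Jul 27 03:06:02 debby sshd[20344]: Did not receive identification string from ::ffff:198.51.100.7
Jul 27 03:06:15 debby sshd[20360]: Failed password for illegal user admin from ::ffff:198.51.100.7 port 41000 ssh2
""".splitlines()

if __name__ == "__main__":
    users, sources = summarize(SAMPLE_LOG)
    for name, n in users.most_common():  # same shape as the list above
        print(f"{n:8d} {name}")
    print("block candidates:", blacklist_candidates(sources, 3))
```

Feed it the real log with `summarize(open("/var/log/auth.log"))` and raise the threshold to taste; the "Did not receive identification string" probes are deliberately not counted as login failures.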
