[LUAU] Handling Brute Force Attacks
Jim Thompson
jim at netgate.com
Wed Jul 27 12:39:34 PDT 2005
On Jul 27, 2005, at 11:29 AM, R. Scott Belford wrote:
> Slashdot recently referenced a good article about the growing
> number of Brute Force Attacks against ssh
>
> http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
>
> Night after night my server is one whose logs fill with thousands
> of lines like these:
>
> Security Events
> =-=-=-=-=-=-=-=
> Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user
> daisy from ::ffff:217.106.234.86 port 36812 ssh2
> Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user
> dorina from ::ffff:217.106.234.86 port 36912 ssh2
> Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user
> marian from ::ffff:217.106.234.86 port 37011 ssh2
> Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user
> juan from ::ffff:217.106.234.86 port 37114 ssh2
> Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user
> don from ::ffff:217.106.234.86 port 37212 ssh2
Since the beginning of July we've turned away nearly 5500 of these,
and 16 more attempts that resulted in
"Did not receive identification string from <IP.AD.DR.ESS>"
It's been going on for at least a year, possibly longer. (I'm trying
to forget all that came before Hawaii.)
Here are the most popular names they try (and the number of times
they've tried them):
368 admin
125 user
87 administrator
37 test
32 guest
29 adm
22 account
21 info
17 oracle
17 abuse
17 aaron
16 tomcat
15 webadmin
14 pgsql
14 adachi
14 abe
14 a4
13 michael
13 fax
12 sales
12 mike
12 george
12 cyrus
12 angel
12 admins
11 web
11 richard
11 cary
10 webmaster
10 rpm
10 nicole
> I don't allow Root logins and I only allow trusted users.
You could turn off password authentication. (It's what I do. A bit
more admin headache up-front, but most people love not having to
remember passwords. It does, however, open you a bit to *their*
security practices (but so do passwords).)
> How are others handling this? Do you block the IP address? If so,
> does it help, or are you still found by yet another zombie? Any
> suggestions or insight are welcome.
Some advocate dynamic port knocking: http://www.security.org.sg/code/portknock1.html
Some don't: http://software.newsforge.com/software/04/08/02/1954253.shtml
You can auto-blacklist as well: http://www.pettingers.org/code/sshblack.html
Jim
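The counting Jim describes (how many "Failed password" lines arrived, which usernames were tried, how many connections never sent an identification string) and the auto-blacklist idea he links to are both simple log-parsing jobs. The following is an added example, not code from the thread or from sshblack, that reads the sshd syslog lines shown above, strips the ::ffff: prefix that IPv4-mapped addresses carry, tallies failures per source address and per username, and lists sources that cross a threshold. The sample log lines are constructed for the example, with documentation-range addresses, and the threshold of 5 is an arbitrary assumption.

```python
import re
from collections import Counter

# Matches the "Failed password" lines sshd logs, including the
# "illegal user" / "invalid user" wording used for unknown accounts.
# The optional ::ffff: prefix (IPv4 address mapped into IPv6) is dropped so
# that counts are keyed by the plain IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?:::ffff:)?(?P<ip>\S+) port \d+"
)

# Lines where a client connected but never sent its SSH version string
# (the second category Jim counts in his post).
NOIDENT_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?:::ffff:)?(?P<ip>\S+)"
)

# Constructed sample log, modelled on the format quoted in the thread.
# Host name, PIDs and addresses are made up; the addresses are from the
# documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:192.0.2.10 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from ::ffff:192.0.2.10 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 37011 ssh2
Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 37114 ssh2
Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user test from ::ffff:192.0.2.10 port 37212 ssh2
Jul 27 03:05:01 debby sshd[20301]: Failed password for admin from ::ffff:198.51.100.7 port 40012 ssh2
Jul 27 03:05:03 debby sshd[20302]: Failed password for illegal user user from ::ffff:198.51.100.7 port 40013 ssh2
Jul 27 03:07:45 debby sshd[20350]: Did not receive identification string from ::ffff:203.0.113.5
Jul 27 03:09:00 debby sshd[20360]: Accepted publickey for scott from ::ffff:198.51.100.200 port 50000 ssh2
"""


def parse_log(text):
    """Return three Counters: failed logins per source IP, attempts per
    username, and 'no identification string' events per source IP."""
    failed_per_ip = Counter()
    per_user = Counter()
    noident_per_ip = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_per_ip[m.group("ip")] += 1
            per_user[m.group("user")] += 1
            continue
        m = NOIDENT_RE.search(line)
        if m:
            noident_per_ip[m.group("ip")] += 1
    return failed_per_ip, per_user, noident_per_ip


def blacklist_candidates(failed_per_ip, threshold=5):
    """Source addresses with at least `threshold` failed password attempts.
    `threshold` is an assumed value; real tools also bound it by time window."""
    return sorted(ip for ip, n in failed_per_ip.items() if n >= threshold)


def top_usernames(per_user, n=3):
    """The n most-tried usernames as (name, count), most frequent first."""
    return per_user.most_common(n)


if __name__ == "__main__":
    failed, users, noident = parse_log(SAMPLE_LOG)
    print("failed attempts per source:", dict(failed))
    print("no identification string:", dict(noident))
    # Same "<count> <name>" layout as the list in the post.
    for name, count in top_usernames(users):
        print(f"{count:4d} {name}")
    print("blacklist candidates:", blacklist_candidates(failed))
```

Feeding a real /var/log/auth.log (or the equivalent secure log) through parse_log reproduces the per-username table in the post; blacklist_candidates is the decision step an auto-blacklister such as sshblack wires to a firewall rule. A production version should count within a sliding time window and expire entries, so that a shared NAT address that trips the threshold once is not blocked forever.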