
BLU Discuss list archive



How are people handling network attacks?



Steve -

FWIW the same sites attacked here, at about the same time:

Feb 25 20:02:22 vanzandt sshd[16404]: Failed password for root from 61.177.137.170 port 59908 ssh2
Feb 25 20:02:28 vanzandt sshd[16406]: Failed password for root from 61.177.137.170 port 59939 ssh2
Feb 25 20:02:40 vanzandt sshd[16408]: Failed password for root from 61.177.137.170 port 59972 ssh2
Feb 25 20:02:49 vanzandt sshd[16410]: Failed password for root from 61.177.137.170 port 60030 ssh2
Feb 25 20:02:58 vanzandt sshd[16412]: Failed password for root from 61.177.137.170 port 60072 ssh2
Feb 25 20:03:06 vanzandt sshd[16414]: Failed password for root from 61.177.137.170 port 60114 ssh2
Feb 25 20:03:14 vanzandt sshd[16416]: Failed password for root from 61.177.137.170 port 60155 ssh2
Feb 25 20:03:25 vanzandt sshd[16418]: Failed password for root from 61.177.137.170 port 60189 ssh2

> Looks like a systematic attack...  8 attempts, various ports...
> Several per night, from various places.

I had 1129 probes from 24.136.209.29 over a 26 minute period.

I'd like to put a limit on retries, so after the first several
failures even the right password would fail.  No change in the
feedback - let them waste their effort rather than re-direct them to
another site where they might succeed.  What's the easiest way to
implement this - modify the tcp wrapper library?  modify sshd?  a PAM
module?

BTW, any box with sshd on a nonstandard port could be running a fake
sshd on port 22 - one that always fails.  I see Daniel Kastenholz just
proposed some changes to sshd that would allow that, but later
discovered that adding
   -o DenyUsers="*" 
to the command line would work about as well.

       - Jim Van Zandt

>Date: Sat, 26 Feb 2005 13:29:53 -0500
>From: steve at horne.homelinux.net
>
>Hello blu --
>
>I have a cable modem connected to a "firewall"  -- slackware based,
>2.4.22, iptables.  Recently I've seen an increase in the number of dictionary-based
>attacks. Log fills up with stuff like this:
>Feb 25 20:01:56 horne sshd[2407]: Failed password for root from 61.177.137.170 port 58956 ssh2
>Feb 25 20:02:05 horne sshd[2409]: Failed password for root from 61.177.137.170 port 59007 ssh2
>Feb 25 20:02:11 horne sshd[2411]: Failed password for root from 61.177.137.170 port 59055 ssh2
>Feb 25 20:02:17 horne sshd[2413]: Failed password for root from 61.177.137.170 port 59083 ssh2
>Feb 25 20:02:27 horne sshd[2415]: Failed password for root from 61.177.137.170 port 59115 ssh2
>Feb 25 20:02:35 horne sshd[2417]: Failed password for root from 61.177.137.170 port 59173 ssh2
>Feb 25 20:02:41 horne sshd[2419]: Failed password for root from 61.177.137.170 port 59206 ssh2
>Feb 25 20:02:57 horne sshd[2421]: Failed password for root from 61.177.137.170 port 59246 ssh2
...
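One way to see the per-source pattern discussed above (many failures from one address in a short window, like the 1129 probes in 26 minutes) before settling on a retry limit is to count failures per source over a sliding window. This is an added example, not code from the thread or from OpenSSH; it parses sshd "Failed password" lines in the format shown above, the log lines and addresses in it are constructed (TEST-NET ranges), and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd lines in the format quoted in the thread, e.g.
# "Feb 25 20:02:22 vanzandt sshd[16404]: Failed password for root from 61.177.137.170 port 59908 ssh2"
# (also the "invalid user" variant sshd logs for unknown account names).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log (not from the thread); addresses are RFC 5737 TEST-NET ranges.
SAMPLE_LOG = [
    "Feb 25 20:02:22 vanzandt sshd[16404]: Failed password for root from 192.0.2.10 port 59908 ssh2",
    "Feb 25 20:02:28 vanzandt sshd[16406]: Failed password for root from 192.0.2.10 port 59939 ssh2",
    "Feb 25 20:02:40 vanzandt sshd[16408]: Failed password for root from 192.0.2.10 port 59972 ssh2",
    "Feb 25 20:02:41 vanzandt sshd[16409]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Feb 25 20:02:49 vanzandt sshd[16410]: Failed password for root from 192.0.2.10 port 60030 ssh2",
    "Feb 25 20:02:58 vanzandt sshd[16412]: Failed password for root from 192.0.2.10 port 60072 ssh2",
    "Feb 25 20:03:06 vanzandt sshd[16414]: Failed password for root from 192.0.2.10 port 60114 ssh2",
    "Feb 25 20:03:10 vanzandt sshd[16415]: Accepted publickey for jim from 203.0.113.5 port 50022 ssh2",
    "Feb 25 20:20:41 vanzandt sshd[16500]: Failed password for invalid user admin from 198.51.100.7 port 40077 ssh2",
]

def parse_failures(lines, year=2005):
    """Return (timestamp, ip, user) for every 'Failed password' line.
    syslog omits the year, so the caller supplies it (the thread is from 2005)."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events

def offenders(events, max_failures=5, window_seconds=600):
    """Sliding-window count per source address (threshold and window are assumed values).
    Returns {ip: timestamp of the failure that reached max_failures within the window}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures older than the window
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip} reached the failure limit at {when:%b %d %H:%M:%S}")
```

The resulting address list is what a retry limit would act on, whatever mechanism (tcp wrappers, sshd, PAM) ends up enforcing it.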



