Firewall Wizards mailing list archives
RE: SSH brute force attack
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 30 Jun 2005 11:57:39 -0400
I can't identify the specific tool being used in your case, but SSH brute force scans have been showing up on my radar for a little over a year now. The users and passwords used seem to differ by attempt now and are getting more exhaustive. The earlier connection is probably a version grab used to determine whether or not there are other ways of exploiting your sshd either by compromising it directly or by using its authentication scheme to enumerate valid users.

I would say that on average I see 3-4 of these a day, most from APNIC blocks. I've instituted password complexity requirements on the 'recreational' systems, and simply don't allow SSH connections from the Internet on anything else. I've also never allowed root logins and all service uids like nobody or web get /nologin shells. Thus far, it's been enough to be lucky.

PaulM

-----Original Message-----
Subject: [fw-wiz] SSH brute force attack

Greetings!

Our computers running SSH daemons have logged attacks. The attacks begin with a scan logged "Did not receive identification string from x.x.x.x", followed approximately 15 minutes later with "Illegal user " or " Failed password for root".

Does anyone have information or documentation about this scan/attack?
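
An added example, not part of the original post or thread: one way to flag the sequence the quoted message describes, a "Did not receive identification string" probe followed by "Illegal user" or "Failed password" lines from the same address. The log lines are constructed samples; the function name `correlate`, the 30-minute default window and the caller-supplied year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation addresses), not from the post.
SAMPLE_LOG = """\
Jun 30 03:12:01 host sshd[1234]: Did not receive identification string from 192.0.2.10
Jun 30 03:27:14 host sshd[1301]: Illegal user test from 192.0.2.10
Jun 30 03:27:16 host sshd[1301]: Failed password for illegal user test from 192.0.2.10 port 4242 ssh2
Jun 30 03:27:20 host sshd[1305]: Failed password for root from 192.0.2.10 port 4250 ssh2
Jun 30 04:00:00 host sshd[1400]: Did not receive identification string from 198.51.100.7
Jun 30 09:30:00 host sshd[1500]: Failed password for alice from 203.0.113.5 port 5000 ssh2
Jun 30 10:45:00 host sshd[1600]: Failed password for root from 198.51.100.7 port 5100 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
PROBE = re.compile(r"^Did not receive identification string from (\S+)$")
FAIL = re.compile(
    r"^(?:Illegal user (\S+)|Failed password for (?:illegal user )?(\S+)) from (\S+)")

def correlate(log_text, window_minutes=30, year=2005):
    """Return {ip: {"probe", "users", "failures"}} for sources whose auth
    failures follow a banner probe from the same address within the window."""
    window = timedelta(minutes=window_minutes)
    probes = {}                      # ip -> time of most recent probe
    hits = defaultdict(lambda: {"probe": None, "users": set(), "failures": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps omit the year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        probe = PROBE.match(msg)
        if probe:
            probes[probe.group(1)] = ts
            continue
        fail = FAIL.match(msg)
        if not fail:
            continue
        user, ip = fail.group(1) or fail.group(2), fail.group(3)
        seen = probes.get(ip)
        if seen is not None and timedelta(0) <= ts - seen <= window:
            hits[ip]["probe"] = seen
            hits[ip]["users"].add(user)
            hits[ip]["failures"] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_LOG).items():
        print(ip, info["probe"], sorted(info["users"]), info["failures"])
```

Sources that fail logins without a preceding probe, or whose failures fall outside the window, are not reported; widen `window_minutes` to catch slower scanners.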