Firewall Wizards mailing list archives

RE: SSH brute force attack


From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 30 Jun 2005 11:57:39 -0400

I can't identify the specific tool being used in your case, but SSH brute
force scans have been showing up on my radar for a little over a year now.
The users and passwords used seem to differ by attempt now and are getting
more exhaustive.  The earlier connection is probably a version grab used to
determine whether or not there are other ways of exploiting your sshd either
by compromising it directly or by using its authentication scheme to
enumerate valid users.  

I would say that on average I see 3-4 of these a day, most from APNIC
blocks.  I've instituted password complexity requirements on the
'recreational' systems, and simply don't allow SSH connections from the
Internet on anything else.  I've also never allowed root logins and all
service uids like nobody or web get /nologin shells.  Thus far, it's been
enough to be lucky.

PaulM

-----Original Message-----
Subject: [fw-wiz] SSH brute force attack

Greetings!

Our computers running SSH daemons have logged attacks. The attacks begin
with a scan logged "Did not receive identification string from x.x.x.x",
followed approximately 15 minutes later by "Illegal user " or " Failed
password for root".

Does anyone have information or documentation about this scan/attack?

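Detection logic for the two-stage pattern the original message describes (a version grab logged as "Did not receive identification string", then "Illegal user" / "Failed password for root" from the same address some minutes later). This is an added example, not code from the thread; it runs over constructed sshd log lines in the syslog format of the period and reports, per source address, whether a version grab preceded the login failures and how many failures followed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in the 2005-era syslog wording of the thread
# ("Illegal user"); newer OpenSSH logs "Invalid user", which the pattern also accepts.
SAMPLE_LOG = """\
Jun 30 09:12:01 host sshd[1234]: Did not receive identification string from 192.0.2.10
Jun 30 09:27:33 host sshd[1301]: Illegal user admin from 192.0.2.10
Jun 30 09:27:40 host sshd[1302]: Failed password for root from 192.0.2.10 port 4123 ssh2
Jun 30 09:27:45 host sshd[1303]: Failed password for root from 192.0.2.10 port 4124 ssh2
Jun 30 10:00:00 host sshd[1400]: Accepted publickey for alice from 198.51.100.5 port 5000 ssh2
Jun 30 10:05:00 host sshd[1401]: Illegal user test from 203.0.113.7
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
EVENT_RES = {
    "version_grab": re.compile(r"^Did not receive identification string from (?P<ip>\S+)"),
    "illegal_user": re.compile(r"^(?:Illegal|Invalid) user \S* from (?P<ip>\S+)"),
    "failed_root": re.compile(r"^Failed password for root from (?P<ip>\S+)"),
}

def parse_events(text):
    """Yield (timestamp, event_kind, source_ip) for the sshd lines of interest."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        # Syslog timestamps carry no year; strptime fills in 1900, fine for deltas.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        for kind, rx in EVENT_RES.items():
            hit = rx.match(m.group("msg"))
            if hit:
                yield ts, kind, hit.group("ip")
                break

def summarize(text, fail_threshold=2):
    """Per source IP: failure count, and whether a version grab preceded the first failure."""
    by_ip = defaultdict(list)
    for ts, kind, ip in parse_events(text):
        by_ip[ip].append((ts, kind))
    report = {}
    for ip, events in by_ip.items():
        grabs = [ts for ts, kind in events if kind == "version_grab"]
        fails = [ts for ts, kind in events if kind != "version_grab"]
        if not fails:
            continue  # a lone version grab is only noise until login attempts follow
        first_fail = min(fails)
        lead = [g for g in grabs if g <= first_fail]  # grabs that preceded the attempts
        report[ip] = {"failures": len(fails), "brute_force": len(fails) >= fail_threshold,
                      "scan_then_bruteforce": bool(lead),
                      "scan_lead_minutes": (first_fail - max(lead)).total_seconds() / 60 if lead else None}
    return report
```

Addresses that only authenticate successfully never appear in the report, and the `fail_threshold` parameter is a constructed knob, not a value taken from the thread.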
