Educause Security Discussion mailing list archives
Re: SSH dictionary attack dictionary
From: Andrew Daviel <advax () TRIUMF CA>
Date: Tue, 11 Aug 2009 16:26:13 -0700
On Tue, 11 Aug 2009, Brad Edmondson wrote:
> Interesting project - how did you filter out off-by-one typos so that you couldn't deduce your legitimate users' passwords? Outside honeypots, it would seem difficult to collect even failed passwords and still retain the same level of trust from your users.
I don't filter, only correct ones. It's only on my desktop machine so there is basically only myself. I can zap the logfile if I make a typo, and the passwords are not logged centrally. I certainly recommend caution doing this, though - it's putting a security hole in sshd.
> Only 600? :-)
The 600 root (unique password) attempts were all I saw on the one machine. There may have been others - however, I suspect they try the same dictionary on all. The attack starts with root, then goes through the common accounts, then tries a-z.

A previous attack I logged a while ago had a much larger baby-name list, again starting with root and going through a-z over a period of a few days. These were from a single attacking host.

Earlier this year we had a distributed SSH attack that didn't trigger denyhosts because it didn't fail enough per source address.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
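
Added example (not part of the original message or thread): a detection sketch for the distributed case mentioned above, where every source stays under a per-address failure limit but the failures summed across all sources in a time window stand out. The log lines, thresholds, and function names are constructed for illustration, and the sshd "Failed password" line format is assumed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not data from the post): 12 sources in the
# documentation range 192.0.2.0/24, two failures each, 5 seconds apart.
SAMPLE_LOG = "\n".join(
    f"Aug 11 03:{i // 12:02d}:{(i * 5) % 60:02d} host sshd[{2000 + i}]: "
    f"Failed password for {'root' if i < 12 else 'invalid user admin'} "
    f"from 192.0.2.{i % 12 + 1} port {40000 + i} ssh2"
    for i in range(24)
)

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log, year=2009):
    """Return sorted (timestamp, user, source) tuples; syslog omits the year."""
    events = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def per_source_offenders(events, limit):
    """Sources that a per-address failure counter would block."""
    counts = Counter(src for _, _, src in events)
    return {src for src, n in counts.items() if n >= limit}

def distributed_alert(events, window, min_failures, min_sources):
    """First sliding window where failures over all sources cross both thresholds."""
    start = 0
    for end, (ts, _, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        chunk = events[start:end + 1]
        sources = {src for _, _, src in chunk}
        if len(chunk) >= min_failures and len(sources) >= min_sources:
            return {"from": chunk[0][0], "to": ts,
                    "failures": len(chunk), "sources": len(sources)}
    return None

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    # Thresholds below are assumed values for illustration only.
    print(per_source_offenders(events, limit=5))
    print(distributed_alert(events, timedelta(minutes=5), 20, 10))
```

On the constructed sample no single address reaches the per-source limit, while the aggregate window check fires once 20 failures from at least 10 addresses fall inside five minutes.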