Educause Security Discussion mailing list archives

Re: SSH dictionary attack dictionary


From: Andrew Daviel <advax () TRIUMF CA>
Date: Tue, 11 Aug 2009 16:26:13 -0700

On Tue, 11 Aug 2009, Brad Edmondson wrote:

> Interesting project - how did you filter out off-by-one typos so that
> you couldn't deduce your legitimate users' passwords?  Outside
> honeypots, it would seem difficult to collect even failed passwords
> and still retain the same level of trust from your users.

I don't filter, only correct ones. It's only on my desktop machine so
there is basically only myself. I can zap the logfile if I make a typo,
and the passwords are not logged centrally. I certainly recommend caution
doing this, though - it's putting a security hole in sshd.

> Only 600?  :-)

The 600 root (unique password) attempts was all I saw on the one machine.
There may have been others - however, I suspect they try the same dictionary on all.
The attack starts with root, then goes through the common accounts, then
tries a-z. A previous attack I logged a while ago had a much larger
baby-name list, again starting with root and going through a-z over a
period of a few days.

These were from a single attacking host.
Earlier this year we had a distributed SSH attack that didn't trigger
denyhosts because it didn't fail enough per source address.



--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
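
The last paragraph makes a point worth seeing in working detection logic: a per-source failure counter (the kind of rule denyhosts applies) never fires on a distributed attack that spreads its guesses over many addresses, so the count has to be taken across all sources as well. The script below is an added example written for this archive page, not code from the original post or from denyhosts; the auth.log lines are constructed to mimic OpenSSH "Failed password" messages, the year 2009 is assumed because syslog timestamps carry none, and the thresholds (5 failures per source, 5 failures over 3 or more sources in a 5-minute window) are illustrative values, not anything the post or denyhosts specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2009  # assumption: syslog lines carry no year; taken from the thread date

# Constructed sample log (not from the original post). Three episodes:
#  - one source guessing root, then common accounts, then single letters
#  - eight sources making one root guess each, a few seconds apart
#  - a legitimate user mistyping once and then succeeding
SAMPLE_LOG = """\
Aug 11 10:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Aug 11 10:00:03 host sshd[1002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Aug 11 10:00:05 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Aug 11 10:00:07 host sshd[1004]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2
Aug 11 10:00:09 host sshd[1005]: Failed password for invalid user test from 198.51.100.7 port 40005 ssh2
Aug 11 10:00:11 host sshd[1006]: Failed password for invalid user a from 198.51.100.7 port 40006 ssh2
Aug 11 11:00:00 host sshd[2001]: Failed password for root from 203.0.113.11 port 5001 ssh2
Aug 11 11:00:02 host sshd[2002]: Failed password for root from 203.0.113.12 port 5002 ssh2
Aug 11 11:00:04 host sshd[2003]: Failed password for root from 203.0.113.13 port 5003 ssh2
Aug 11 11:00:06 host sshd[2004]: Failed password for root from 203.0.113.14 port 5004 ssh2
Aug 11 11:00:08 host sshd[2005]: Failed password for root from 203.0.113.15 port 5005 ssh2
Aug 11 11:00:10 host sshd[2006]: Failed password for root from 203.0.113.16 port 5006 ssh2
Aug 11 11:00:12 host sshd[2007]: Failed password for root from 203.0.113.17 port 5007 ssh2
Aug 11 11:00:14 host sshd[2008]: Failed password for root from 203.0.113.18 port 5008 ssh2
Aug 11 12:30:00 host sshd[3001]: Failed password for alice from 192.0.2.50 port 6001 ssh2
Aug 11 12:30:20 host sshd[3002]: Accepted password for alice from 192.0.2.50 port 6001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text):
    """Return sorted (timestamp, username, source_ip) tuples for each failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def per_source_offenders(events, threshold=5):
    """Per-source rule: flag an address once it alone has >= threshold failures.
    This is what a distributed attack evades: each address stays under the line."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_alerts(events, window_minutes=5, min_failures=5, min_sources=3):
    """Aggregate rule: bucket all failures into fixed windows regardless of source
    and alert when one window holds many failures from many distinct addresses."""
    buckets = defaultdict(lambda: {"failures": 0, "sources": set(), "users": set()})
    for ts, user, ip in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        b = buckets[start]
        b["failures"] += 1
        b["sources"].add(ip)
        b["users"].add(user)
    alerts = []
    for start in sorted(buckets):
        b = buckets[start]
        if b["failures"] >= min_failures and len(b["sources"]) >= min_sources:
            alerts.append({"window_start": start, "failures": b["failures"],
                           "sources": len(b["sources"]), "users": b["users"]})
    return alerts


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-source offenders:", sorted(per_source_offenders(ev)))
    for a in distributed_alerts(ev):
        print(f"distributed attack from {a['window_start']}: {a['failures']} failures, "
              f"{a['sources']} sources, accounts {sorted(a['users'])}")
```

On the constructed log the per-source rule catches only the single host (six failures), while the eight-address burst at 11:00 produces one failure per address and is invisible to it; the windowed rule sees eight failures from eight sources against one account in five minutes and alerts. The legitimate single typo at 12:30 triggers neither. In practice the window and thresholds need tuning against the host's normal failure rate, and the per-user view (many sources, one account) is often the cleaner signal for a dictionary run against root.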
