PaulDotCom mailing list archives

Ssh break in attempt

From: pj_mcgarvey at hotmail.com (PJ McGarvey)
Date: Fri, 12 Mar 2010 11:07:05 -0500


Not sure if anyone mentioned port knocking as a solution as well.  However I guess you're limited by the client's 
ability to support the knock sequence - such as on a smart phone, though I just googled and there is a port knocker app 
for iPhones.

 

PJ
 


From: cgkades at gmail.com
To: pauldotcom at mail.pauldotcom.com
Date: Thu, 11 Mar 2010 07:26:02 -0800
CC: pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] Ssh break in attempt


I'm sure with a simple grep and awk I could pull all the user names. But they're in order, and fairly large. 


I've implemented denyhosts, and I've changed the default ssh port. There were no successfull logins from that ip. 


I'm still surprised at the attack from perdue.edu i would have thought they would have an internal firewall preventing 
people from doing things like this. 

Sent from my iPhone

On Mar 11, 2010, at 7:04, Dimitrios Kapsalis <dimitrios at gmail.com> wrote:




I have seen similar on my home pc as well. Running ssh on a windows box so the invalid login attempts are being saved 
in the Event log.

Any way to harvest these user names? To see what is being used by the attackers, skimming through the event log it 
definitely looks to be dictionary based.




On Wed, Mar 10, 2010 at 11:22 PM, Matt Erasmus <mailinglistmatt at gmail.com> wrote:

I wouldn't worry too much about SSH brute force attempts. There are
many many of these attacks happening daily and unless you have some
stupid user account like "bob" with "bob123" as your password, you
should be alright.

If you really want to be a little more proactive, take a look at
Denyhosts [1] which will help stem the tide. There are also iptables
rules which you can use to throttle back the attacks. I'll see if I
can dig these up for you.

As for logged in users, check your last log or even
auth.log/secure.log depending on distro. You could probably script
something to alert you should there be a login from elsewhere. But
honestly, once that happens it's game over. The time frame from
successful login to complete rooting of the server is very very low.

For Apache, you should be checking your access/error logs. I haven't
had a chance to really look into this though...

While I'm thinking about it, check out OSSEC [2]. Very very cool HIDS
which runs on Linux/Windows. It'll help a lot with most of your
issues.

</0.02c>

[1] http://denyhosts.sourceforge.net/
[2] http://www.ossec.net


On 11 March 2010 01:49, Brett <cgkades at gmail.com> wrote:

I realized I haven't checked my logs on my new server ( bad me ). But
I figured I wouldn't find anything, it's only my personal server. I
checked the logs today to find thousands of login attempts. Most tried
to brute my root password, though I don't have a root user. There were
a bunch of user name attempts for what looked like a name dictionary
attack. Some were from busness static ip's and there were even some
from perdu.edu

Now for my questions. What should I look for to find out if they
actually got in? Parse the auth log for those ip's for a successfull
login? I also run a web server on that machine, is there something I
can look for to see If they got into that? Also is there any recourse
I have? Or should I just let it go and harden my server even more?




--
Matt
@z0nbi



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com                                      
_________________________________________________________________
Hotmail: Trusted email with Microsoft?s powerful SPAM protection.
http://clk.atdmt.com/GBL/go/210850552/direct/01/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100312/6bbc3cf2/attachment.htm

Current thread:

Ssh break in attempt Brett (Mar 10)
- Ssh break in attempt Jody & Jennifer McCluggage (Mar 10)
- Ssh break in attempt Matt Erasmus (Mar 10)
  - Ssh break in attempt Dimitrios Kapsalis (Mar 11)
    - Ssh break in attempt Brett (Mar 11)
    - Ssh break in attempt Joshua Smith (Mar 11)
    - Ssh break in attempt Jody & Jennifer McCluggage (Mar 11)
    - Ssh break in attempt PJ McGarvey (Mar 12)
- Ssh break in attempt Robert Miller (Mar 11)
- <Possible follow-ups>
- Ssh break in attempt iamnowonmai (Mar 10)