[PLUG] Denyhosts, Cracking Attempts, and Intensity
drew wymore
drew.wymore at gmail.com
Fri Jun 5 07:01:47 PDT 2009
On Fri, Jun 5, 2009 at 6:54 AM, Rich Shepard <rshepard at appl-ecosys.com> wrote:
> Not long ago there was a thread on cracking attempts via ssh. Several
> commenters reported that the perpetrators gave up after a few tries. My
> experience is that every day a variable number of potential crackers bang
> on the system via sshd, but most of them must use script automation because
> most just keep trying. They're all rejected, but the number of attempts can
> be impressive.
>
> Here's today's logwatch summary for yesterday's attempts:
>
> --------------------- SSHD Begin ------------------------
>
> Failed logins from:
> 83.14.99.10 (sig.com.pl): 10 times
> 88.191.77.63 (sd-14397.dedibox.fr): 66 times
>
> Illegal users from:
> 83.14.99.10 (sig.com.pl): 1 time
> 88.191.77.63 (sd-14397.dedibox.fr): 3742 times
>
> Locked account login attempts:
> postfix : 5 Time(s)
>
> ---------------------- SSHD End -------------------------
>
> The ratio of failed logins to illegal users varies, but both numbers can
> be quite high.
>
> Thought I'd share with you because I don't understand why folks will try
> to log in as postfix or another service.
>
> Rich
>
> --
> Richard B. Shepard, Ph.D. | Integrity Credibility
> Applied Ecosystem Services, Inc. | Innovation
> <http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863
The scripts probably just cycle through a list of common users to try, hoping
someone hasn't secured their box. If they can get in as postfix then they
can try and work on becoming root.
Drew-
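
Added example, not part of the original thread: a small Python tally over sshd syslog lines that reproduces the three categories in the logwatch summary above and flags sources that cycle through several usernames. The log lines are constructed samples using documentation-range addresses, and the function names, the `min_names` threshold and the mapping of message types to logwatch categories are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH syslog style (not from the thread).
SAMPLE_LOG = """\
Jun  4 02:11:01 host sshd[4101]: Invalid user oracle from 203.0.113.7
Jun  4 02:11:03 host sshd[4101]: Failed password for invalid user oracle from 203.0.113.7 port 40112 ssh2
Jun  4 02:11:05 host sshd[4105]: Invalid user test from 203.0.113.7
Jun  4 02:11:07 host sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Jun  4 02:11:09 host sshd[4109]: User postfix not allowed because account is locked
Jun  4 02:11:10 host sshd[4109]: Failed password for invalid user postfix from 203.0.113.7 port 40131 ssh2
Jun  4 03:40:00 host sshd[4200]: Failed password for root from 198.51.100.22 port 51514 ssh2
Jun  4 03:40:04 host sshd[4200]: Failed password for root from 198.51.100.22 port 51514 ssh2
Jun  4 09:00:00 host sshd[4300]: Accepted publickey for rich from 192.0.2.5 port 50000 ssh2
"""

# Older OpenSSH releases log "Illegal user", newer ones "Invalid user".
INVALID = re.compile(r"sshd\[\d+\]: (?:Invalid|Illegal) user (\S+) from (\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+)")
LOCKED = re.compile(r"sshd\[\d+\]: User (\S+) not allowed because account is locked")

def summarize(log_text):
    """Count rejected attempts per source and locked-account hits per user."""
    failed, invalid, locked = Counter(), Counter(), Counter()
    names = defaultdict(set)  # source address -> usernames it tried
    for line in log_text.splitlines():
        if m := INVALID.search(line):
            user, ip = m.groups()
            invalid[ip] += 1
            names[ip].add(user)
        elif m := FAILED.search(line):
            bad_user, user, ip = m.groups()
            if not bad_user:  # wrong password for an account that exists
                failed[ip] += 1
            names[ip].add(user)
        elif m := LOCKED.search(line):
            locked[m.group(1)] += 1
    return {"failed": failed, "invalid": invalid, "locked": locked, "names": names}

def list_cyclers(summary, min_names=3):
    """Sources that tried at least min_names distinct usernames."""
    return sorted(ip for ip, u in summary["names"].items() if len(u) >= min_names)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["failed"]), dict(s["invalid"]), dict(s["locked"]), list_cyclers(s))
```

A source with many distinct usernames and few repeats per name matches the list-cycling behaviour described in the reply, while repeated failures against one existing account such as root show up only in the failed-login count.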