[PLUG] Break in attempt?
Roderick A. Anderson
raanders at cyber-office.net
Sun Feb 19 17:46:39 UTC 2012
Rich Shepard wrote:
> On Sun, 19 Feb 2012, Denis Heidtmann wrote:
>
>> I found that on Friday the auth.log shows many (over 300) messages such
>> as:
>>
>> 23.19.81.173.rdns.ubiquity.io [23.19.81.173] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Feb 17 16:56:10 R2D4 sshd[2649]: Invalid user rookie from 23.19.81.173
>> Feb 17 16:56:16 R2D4 sshd[2651]: reverse mapping checking getaddrinfo
>> for 23.19.81.173.rdns.ubiquity.io [23.19.81.173] failed - POSSIBLE
>> BREAK-IN ATTEMPT!
>
> Denis,
>
> Almost every morning my ssh logs show cracking attempts: invalid user, bad
> password, reverse mapping failures, attempts to log in as postfix, dovecot,
> etc. I ignore them since they all failed. All I look for are ssh logins that
> succeeded: mine from my portable and my partner when we're sharing data.
>
> Some days the log shows tens-of-thousands of attempts by script kiddies
> using password dictionaries and lists of login names. In 15 years no
> unauthorized user has cracked our network.
I'll suggest, again, using iptables to cut down the number of attempts.
I use a recipe that starts dropping the connection attempts after 3
failed in one minute. It also provides a free pass (no timeout for
failed attempts) for specific IP addresses or IP address ranges.
Two issues (one I haven't taken the time to resolve) are:
1) if you get hit by a bot/zombie net you'll get a pile of different
attempts, and if they retry several times, or
2) they use a paced attack, you'll see more than 3 attempts in the
logs (because there are several max-3 bursts in the day's logs).
Yes, security by obscurity (using a different port) helps, but I've seen
probes that run through a pile of high-numbered ports until they find one
that answers as ssh, then a flood of attempts on that port. You're back
to square one.
If there is any interest I can post an anonymized version.
Rod
--
>
> Rich
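A concrete version of the kind of recipe Rod describes, as an added example: these are not Rod's own rules (he did not post them), and they assume the `recent` and `conntrack` iptables matches are available, a constructed whitelist of 192.0.2.10 and 198.51.100.0/24, and a made-up list name `sshbf`. One caveat worth stating: iptables sees TCP connections, not authentication results, so the limit is on new connections per source address per minute, not on failed logins. That is why the free pass matters for legitimate users who reconnect often, and it is also why the two cases Rod raises (many sources from a botnet, or one source pacing itself under the threshold) slip through by design.

```shell
#!/bin/sh
# Added example, not the list poster's recipe: rate-limit new SSH connections
# per source address with the iptables "recent" match, exempting trusted
# sources first. Assumes the recent and conntrack matches are available.
set -eu

SSH_PORT="${SSH_PORT:-22}"
# Trusted sources that skip the limit entirely (constructed example ranges).
WHITELIST="${WHITELIST:-192.0.2.10 198.51.100.0/24}"
# Default to printing the commands; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"

build_ssh_ratelimit() {
    # Dedicated chain so the rules can be flushed and reloaded on their own.
    # -N fails if the chain already exists, in which case flush it instead.
    $IPT -N SSH_LIMIT 2>/dev/null || $IPT -F SSH_LIMIT

    # Trusted sources return to INPUT before any counting happens.
    for src in $WHITELIST; do
        $IPT -A SSH_LIMIT -s "$src" -j RETURN
    done

    # Source already recorded 3 times in the last 60 s: drop this connection.
    # --update also refreshes the entry, so a source that keeps hammering
    # stays blocked until it has been quiet for a full minute.
    $IPT -A SSH_LIMIT -m recent --name sshbf --rsource \
        --update --seconds 60 --hitcount 3 -j DROP

    # Otherwise record the source address and let the connection through.
    $IPT -A SSH_LIMIT -m recent --name sshbf --rsource --set -j ACCEPT

    # Hook: only NEW TCP connections to the SSH port pass through the chain.
    # Remove any previous copy of the hook so reruns do not stack rules.
    $IPT -D INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -j SSH_LIMIT 2>/dev/null || true
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -j SSH_LIMIT
}

build_ssh_ratelimit
```

With the default `IPT` the script only prints the rules it would add, which is a convenient way to review the ordering (whitelist RETURNs before the counting DROP) before applying them. Note that with `--hitcount 3` the fourth new connection inside a minute is the first one dropped; the counter is per source address, so rotating sources or spacing attempts more than a minute apart is not caught by this rule alone.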