[PLUG] Break in attempt?

Roderick A. Anderson raanders at cyber-office.net
Sun Feb 19 17:46:39 UTC 2012


Rich Shepard wrote:
> On Sun, 19 Feb 2012, Denis Heidtmann wrote:
> 
>> I found that on Friday the auth.log shows many (over 300) messages such
>> as:
>>
>> 23.19.81.173.rdns.ubiquity.io [23.19.81.173] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Feb 17 16:56:10 R2D4 sshd[2649]: Invalid user rookie from 23.19.81.173
>> Feb 17 16:56:16 R2D4 sshd[2651]: reverse mapping checking getaddrinfo
>> for 23.19.81.173.rdns.ubiquity.io [23.19.81.173] failed - POSSIBLE
>> BREAK-IN ATTEMPT!
> 
> Denis,
> 
>    Almost every morning my ssh logs show cracking attempts: invalid user, bad
> password, reverse mapping failures, attempts to log in as postfix, dovecot,
> etc. I ignore them since they all failed. All I look for are ssh logins that
> succeeded: mine from my portable and my partner when we're sharing data.
> 
>    Some days the log shows tens of thousands of attempts by script kiddies
> using password dictionaries and lists of login names. In 15 years no
> unauthorized user has cracked our network.

I'll suggest, again, using iptables to cut down the number of attempts. 
I use a recipe that starts dropping the connection attempts after 3 
failed in one minute.  It also provides a free pass (no timeout for 
failed attempts) for specific IP addresses or IP address ranges.

Two issues (one I haven't taken the time to resolve) are:
    1) if you get hit by a bot/zombie net you'll get a pile of different 
attempts, and if they retry several times or
    2) they use a paced attack, you'll see more than 3 attempts in the 
logs (because there are several max-3 attempts for the day's logs).

Yes, security by obscurity (use a different port) helps, but I've seen 
probes that run through a pile of high-level ports until they find one 
that answers as ssh, then a flood of attempts on that port.  You're back 
to square one.

If there is any interest I can post an anonymized version.


Rod
-- 
> 
> Rich
> 
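Rod's recipe itself was not posted; the block below is an added example of one way to build the throttle he describes with the iptables `recent` module (drop after 3 new connections from one source in 60 seconds, trusted sources exempt), not his actual rules. It assumes a stock Linux iptables; the port, limits and whitelist are hypothetical defaults, and the whitelist addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example: throttle new SSH connections with the iptables "recent"
# module. After HITS new connections from one source inside WINDOW seconds,
# further connections from that source are dropped; whitelisted sources
# bypass the counter entirely.
# Defaults below are hypothetical and can be overridden via environment.
SSH_PORT="${SSH_PORT:-22}"
HITS="${HITS:-3}"          # new connections allowed per window
WINDOW="${WINDOW:-60}"     # window length in seconds
# Constructed example addresses (documentation ranges), not real hosts.
WHITELIST="${WHITELIST:-192.0.2.10 198.51.100.0/24}"

# Print the rules instead of applying them, so they can be reviewed first.
ssh_throttle_rules() {
    # Separate chain so the throttle can be flushed and reloaded on its own.
    echo "iptables -N SSH_THROTTLE"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_THROTTLE"
    # Free pass: trusted sources leave the chain before being counted.
    for src in $WHITELIST; do
        echo "iptables -A SSH_THROTTLE -s $src -j RETURN"
    done
    # Record this source, then drop if it now has more than HITS entries
    # in the last WINDOW seconds (the current connection counts as one,
    # so the (HITS+1)th connection is the first one dropped).
    echo "iptables -A SSH_THROTTLE -m recent --set --name SSH --rsource"
    echo "iptables -A SSH_THROTTLE -m recent --update --seconds $WINDOW --hitcount $((HITS + 1)) --name SSH --rsource -j DROP"
}

ssh_throttle_rules
```

Pipe the output to `sh` as root to apply it. Note that `recent` counts new TCP connections per source address, not failed logins, so a client that retries several passwords inside one SSH session is counted once.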