[Gllug] ssh attacks

Matthew Cooke mpcooke3 at hotmail.com
Fri Feb 3 12:08:24 UTC 2006


>>Although not quite working through a dictionary attack, it is definitely a 
>>preprepared list of common user names. I traced this back to a host name 
>>of zz-13-91-a8.bta.net.cn from its IP address of 202.108.13.9
>>Second, is there anything I should do about this attacking box or is it 
>>just not worth it?
>
>There are scripts out there that parse your logs and automatically add 
>"bad" hosts to your firewall.
>
>>Am I right in assuming changing the ssh port is pointless as anyone with 
>>nmap will see the port I change it to anyway?
>
>You might want to google for "port knocking" where you access a sequence of 
>(closed) ports on the machine to activate the ssh daemon. There are plenty 
>of other variations you can do (must access a particular web-page or upload 
>a file called "asdvfd.txt" ).
>
>>How can I tell if my passwords are strong? As I get older I find that 
>>remembering new random characters is getting harder, although I have not 
>>quite reached the level of writing them on a post-it note under the 
>>mousemat yet. An example of a now redundant one I used in the past is 
>>Mh4Ll1FwW4s
>>(Mary had a little lamb its fleece was white as snow).
>
>That looks fine to me, but you can try password crackers against your own 
>machines (try "John the Ripper" or similar).
>


I'd just stick with choosing a strong password. IP spoofing could be used to 
lock you out of your own box if you automatically add bad hosts.

With a strong password set on SSH you are pretty secure unless a 
vulnerability is found in SSH. There are password modules that do some 
pretty good password strength analysis but it's probably not worth it just 
for yourself.

If you are using SSH with a strong password then it is much more likely you 
will be compromised in some other way!

I get dictionary attacks run against my personal server and all my work 
servers with SSH enabled. I once had a weak non-root account cracked that I 
left open for a Cisco engineer and then forgot about; someone was logged in 
doing port scans, so don't make that mistake!

Matt


-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
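
The log-parsing approach mentioned in the thread, together with the lock-out concern raised in the reply, as an added example that is not part of the original posts. It assumes OpenSSH's "Failed password" syslog line format; the function name, thresholds, allowlisted network and sample log lines are all constructed for illustration, and it only reports candidates rather than touching the firewall.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Feb  3 11:58:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb  3 11:58:04 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Feb  3 11:58:07 host sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Feb  3 11:59:30 host sshd[2110]: Failed password for matt from 198.51.100.20 port 51000 ssh2
Feb  3 12:01:00 host sshd[2120]: Failed password for root from 192.0.2.10 port 33000 ssh2
Feb  3 12:01:02 host sshd[2121]: Failed password for root from 192.0.2.10 port 33001 ssh2
Feb  3 12:01:04 host sshd[2122]: Failed password for root from 192.0.2.10 port 33002 ssh2
Feb  3 12:40:00 host sshd[2200]: Failed password for invalid user oracle from 203.0.113.99 port 40000 ssh2
Feb  3 12:55:00 host sshd[2201]: Failed password for invalid user oracle from 203.0.113.99 port 40001 ssh2
Feb  3 13:10:00 host sshd[2202]: Failed password for invalid user oracle from 203.0.113.99 port 40002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def block_candidates(log_text, threshold=3, window=timedelta(minutes=5),
                     allowlist=("192.0.2.0/24",), year=2006):
    """Return sorted source IPs with >= threshold failures inside `window`."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in nets):
            continue  # never propose blocking our own admin networks
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures[str(ip)].append(ts)
    flagged = []
    for ip, times in failures.items():
        times.sort()
        # sliding window: `threshold` consecutive failures close together
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print("candidates for a firewall block:", block_candidates(SAMPLE_LOG))
```

The allowlist check runs before any counting, so failures that appear to come from the administrator's own network never produce a block candidate, and the time window keeps a single mistyped password or a slow trickle of failures from being treated like a burst.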



