[Gllug] limiting ssh zombie login attempts

Andre Newman gllug at dinkum.org.uk
Tue Oct 19 13:04:51 UTC 2004


> On Mon, Oct 18, 2004 at 11:05:39PM +0100, Ben Fitzgerald wrote:
>> Hi,
>>
>> We have an internet facing server that has been receiving an
>> increasing number of attempts to guess username/passwords.

Here too.

> All of these attacks (or at least the ones we get here) seem to be
> fairly quick and intense.

Ours have been fairly leisurely, we do have some rate limiting on the
firewall so looks like that is working :-)

> Using iptables' 'limit' match to limit SSH connections to two every 5
> minutes should work reasonably well - it'd take a very long time to try

I'm using
-m state --state NEW  -m limit --limit 5/min --limit-burst 2 -j ACCEPT

Any suggestions for improvements appreciated.

> It would be interesting to know what passwords are being tried. It

We get:
nobody
patrick
rolo
root
horde
cyrus
iceuser
matt
test
adm
irc
jane
pamela
cosmin
cip52
cip51
webmaster
noc
user
sybase
oracle
also empty string ""

And probably many more...

There are many more names now than my first sightings a week or so ago.

Is this some sort of kiddie script or a new angle on a windows virus,
anyone know?

> certainly looks from here like a concerted distributed attack against
> one IP address on our network (our firewall), rather than some zombie
> machines scanning randomly for (say) boxen which allow root ssh logins

We are seeing it on two mail relay/web proxy machines in the DMZ and also
my dicking around box (also in DMZ). The same addresses seem to be
attempting ftp logins as well (according to snort), thankfully we don't
run any ftp.

Cheers

Andre
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
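An added illustration, not from the list post, of what `--limit 5/min --limit-burst 2` does to a stream of new SSH connections, modelled as a token bucket. The complete INPUT rules in the docstring and the attempt timelines are assumptions and constructed input, not the poster's actual configuration.

```python
"""
Token-bucket model of the iptables 'limit' match in the rule above.
Assumed full rule set (the post shows only the match part; chain and
port are assumptions):
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 5/min --limit-burst 2 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
"""
from fractions import Fraction


class LimitMatch:
    """Bucket starts full (burst tokens), refills at rate tokens/second,
    never exceeds burst; a packet matches only if a whole token is
    available. Retransmitted SYNs of dropped connections are ignored."""

    def __init__(self, rate_per_min, burst):
        self.rate = Fraction(rate_per_min, 60)  # tokens per second
        self.burst = Fraction(burst)
        self.tokens = self.burst                # starts full
        self.last_t = Fraction(0)

    def matches(self, t):
        t = Fraction(t)
        refill = (t - self.last_t) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_new_connections(times, rate_per_min=5, burst=2):
    """Verdict per NEW SSH connection at time t (seconds): ACCEPT when
    the limit match fires, otherwise the trailing DROP rule applies."""
    m = LimitMatch(rate_per_min, burst)
    return [(t, "ACCEPT" if m.matches(t) else "DROP") for t in times]


def count_verdicts(verdicts):
    accepted = sum(1 for _, v in verdicts if v == "ACCEPT")
    return accepted, len(verdicts) - accepted


# Constructed timelines: a "quick and intense" burst of 20 attempts in
# 10 s, then "leisurely" attempts every 30 s; and a steady 1 per 5 s.
QUICK = [Fraction(i, 2) for i in range(20)]
LEISURELY = [40, 70, 100, 130]
STEADY = list(range(0, 605, 5))
```

Running `filter_new_connections(QUICK + LEISURELY)` gives the burst 2 accepts and 18 drops while every leisurely attempt passes, and `STEADY` still lets 52 of 121 attempts through over ten minutes: the rule caps guessing at roughly 5 per minute, it does not stop it.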