[Gllug] ssh attacks

Thomas Bhatia thomas.bhatia at gmail.com
Tue Feb 7 15:17:40 UTC 2006


On 2/3/06, John Southern <john at sinoda.demon.co.uk> wrote:
>
> I opened up an sshd on a box to be able to extract some info from a remote
> box. I went away and got the files I needed. However, I thought my link was
> slow so I looked at the logs. The messages log shows an ssh attempt every few
> seconds. I think it took about thirty seconds from first being opened to the
> first attack.
>
> Was I just unlucky and if so, what is the average time before an ssh box is
> attacked?
>
> Although not quite working through a dictionary attack, it is definitely a
> pre-prepared list of common user names. I traced this back to a host name of
> zz-13-91-a8.bta.net.cn from its IP address of 202.108.13.91
>
> First, what should I do? Is this a problem for every ssh port out there and
> how can I maintain some form of access to the machine? I tend to run this
> particular box headless and so would like some access remotely. Does anyone
> just use rsa keys and not passwords and if so is it any more secure?
>
> Second, is there anything I should do about this attacking box or is it just
> not worth it?
>
> Am I right in assuming changing the ssh port is pointless as anyone with nmap
> will see the port I change it to anyway?
>
> How can I tell if my passwords are strong? As I get older I find that
> remembering new random characters is getting harder, although I have not
> quite reached the level of writing them on a post-it note under the mousemat
> yet. An example of a now redundant one I used in the past is Mh4Ll1FwW4s
> (Mary had a little lamb its fleece was white as snow).
>
> John
> --
> Gllug mailing list  -  Gllug at gllug.org.uk
> http://lists.gllug.org.uk/mailman/listinfo/gllug
>

Two things that made my life easier:

Change sshd port, to hide from the scripts.

Install portsentry to block targeted attacks from flesh and scripts.

Tom
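
Added example, not part of either message: one way to measure from the log what the original post describes (an attempt every few seconds, working through a list of common user names). The log lines are constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes; not taken from the thread.
SAMPLE_LOG = """\
Feb  3 10:00:31 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb  3 10:00:34 box sshd[2103]: Failed password for illegal user test from 203.0.113.7 port 40150 ssh2
Feb  3 10:00:37 box sshd[2105]: Failed password for root from 203.0.113.7 port 40188 ssh2
Feb  3 10:00:40 box sshd[2107]: Failed password for invalid user guest from 203.0.113.7 port 40221 ssh2
Feb  3 10:05:02 box sshd[2130]: Failed password for john from 192.0.2.10 port 51000 ssh2
Feb  3 10:05:09 box sshd[2130]: Accepted password for john from 192.0.2.10 port 51000 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarise(log_text, year=2006):
    """Group failed sshd password attempts by source address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps omit the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append((ts, m["user"]))
    report = {}
    for ip, events in hits.items():
        times = sorted(t for t, _ in events)
        span = (times[-1] - times[0]).total_seconds()
        report[ip] = {
            "attempts": len(events),
            "users": sorted({u for _, u in events}),
            # mean gap between attempts in seconds; None for a single attempt
            "avg_gap_s": span / (len(events) - 1) if len(events) > 1 else None,
        }
    return report

def likely_scanners(report, min_attempts=3, min_users=3):
    """Sources trying several different user names look like a scripted list.
    The thresholds are assumed values, not recommendations from the thread."""
    return sorted(ip for ip, r in report.items()
                  if r["attempts"] >= min_attempts and len(r["users"]) >= min_users)

if __name__ == "__main__":
    rep = summarise(SAMPLE_LOG)
    for ip in likely_scanners(rep):
        print(ip, rep[ip])
```

A single mistyped password from a legitimate user, like the last source in the sample, stays below the thresholds and is not reported.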