[Gllug] ssh attacks

John Southern john at sinoda.demon.co.uk
Fri Feb 3 10:39:11 UTC 2006


I opened up an sshd on a box to be able to extract some info from a remote 
box. I went away and got the files I needed. However, I thought my link was 
slow so I looked at the logs. The messages log shows an ssh attempt every few 
seconds. I think it took about thirty seconds from first being opened to the 
first attack.

Was I just unlucky and if so, what is the average time before an ssh box is 
attacked?

Although not quite working through a dictionary attack, it is definitely a 
preprepared list of common user names. I traced this back to a host name of 
zz-13-91-a8.bta.net.cn from its IP address of 202.108.13.91.

First, what should I do? Is this a problem for every ssh port out there and 
how can I maintain some form of access to the machine? I tend to run this 
particular box headless and so would like some access remotely. Does anyone 
just use rsa keys and not passwords and if so is it any more secure?

Second, is there anything I should do about this attacking box or is it just 
not worth it?

Am I right in assuming changing the ssh port is pointless as anyone with nmap 
will see the port I change it to anyway?

How can I tell if my passwords are strong? As I get older I find that 
remembering new random characters is getting harder, although I have not 
quite reached the level of writing them on a post-it note under the mousemat 
yet. An example of a now redundant one I used in the past is Mh4Ll1FwW4s
(Mary had a little lamb its fleece was white as snow).

John
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
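
The log pattern described in the post (an attempt every few seconds, working through a list of common user names) can be summarised per source address. This is an added example, not part of the original message; it assumes OpenSSH's "Failed password for ..." syslog lines, and the host name `box`, the addresses and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in classic syslog format (not taken from the post);
# addresses are from the documentation range 203.0.113.0/24.
SAMPLE_LOG = """\
Feb  3 10:05:31 box sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb  3 10:05:34 box sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40150 ssh2
Feb  3 10:05:37 box sshd[4105]: Failed password for root from 203.0.113.7 port 40188 ssh2
Feb  3 10:05:41 box sshd[4107]: Failed password for invalid user guest from 203.0.113.7 port 40221 ssh2
Feb  3 10:07:02 box sshd[4120]: Accepted password for john from 203.0.113.50 port 51515 ssh2
Feb  3 10:09:15 box sshd[4131]: Failed password for john from 203.0.113.50 port 51600 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def summarise(log_text, year=2006):
    """Group failed sshd logins by source address."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps omit the year, so it is supplied by the caller
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            by_source[m.group(3)].append((when, m.group(2)))
    report = {}
    for source, events in by_source.items():
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[source] = {
            "attempts": len(events),
            "users": sorted({u for _, u in events}),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report

def likely_guessing(report, min_users=3):
    """Sources that tried several different user names: a list-driven scan."""
    return sorted(s for s, r in report.items() if len(r["users"]) >= min_users)

if __name__ == "__main__":
    rep = summarise(SAMPLE_LOG)
    for src, row in rep.items():
        print(src, row)
    print("list-driven sources:", likely_guessing(rep))
```

A single mistyped password from a legitimate user shows up as one attempt with one user name, which is why the check keys on the number of distinct names rather than on failures alone.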



