[Gllug] Router under attack: help/advice needed

David Damerell damerell at chiark.greenend.org.uk
Wed Sep 30 16:56:57 UTC 2009


On Wednesday, 30 Sep 2009, Andrew Farnsworth wrote:
>My server receives SSH login attempts on a regular basis.  These are
>dictionary attacks against various usernames and have not succeeded
>in gaining access to my system.

This has been going on for ages now - months if not years. Pretty much
any world-accessible ssh daemon will be being prodded. If you don't
want to go down the route of port knocking or running sshd on a
non-standard port, I'd consider something that filters hosts with
repeated login failures - "denyhosts" is good (in particular, the
current attack pattern is that instead of one machine hammering on you
repeatedly, which anything like SWATCH can easily pick up, the attacks
are distributed, so machine A tries you once, goes off and tries a
bunch of others, comes back half an hour later, meantime machines
B...ZZZ are trying you - so the blocking tool has to have a long
memory); not permitting direct root login; not having usernames which
are forenames alone (the bad guys will try "joe" but probably not
"jbloggs"); run your own cracking tool on users' passwords.

-- 
David Damerell <damerell at chiark.greenend.org.uk> Distortion Field!
Yesterday was First Brieday, September.
Today is First Gouday, September.
Tomorrow will be First Chedday, September - a public holiday.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
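
The "long memory" point in the message above, as an added example that is not part of the original post and is not denyhosts' own code: the same per-host failure counter run over one log with a short window and a long one. The log lines are constructed, the OpenSSH "Failed password" syslog format is assumed, and the threshold, windows and names (`offenders`, `SHORT`, `LONG`) are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: traditional syslog timestamp (no year) + OpenSSH failure message.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def offenders(lines, window, threshold=3, year=2009):
    """Return source hosts with >= threshold failures inside a sliding window."""
    recent = defaultdict(deque)   # source address -> failure times still remembered
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        seen = recent[m.group(3)]
        seen.append(when)
        while when - seen[0] > window:   # forget failures older than the window
            seen.popleft()
        if len(seen) >= threshold:
            flagged.add(m.group(3))
    return flagged

# Constructed sample: one noisy host, one slow host returning every 35 minutes.
SAMPLE = """\
Sep 30 10:00:01 gw sshd[101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Sep 30 10:00:03 gw sshd[102]: Failed password for invalid user joe from 192.0.2.10 port 40002 ssh2
Sep 30 10:00:05 gw sshd[103]: Failed password for invalid user bob from 192.0.2.10 port 40003 ssh2
Sep 30 10:05:00 gw sshd[104]: Failed password for invalid user joe from 198.51.100.7 port 51000 ssh2
Sep 30 10:06:00 gw sshd[105]: Accepted publickey for jbloggs from 203.0.113.9 port 52000 ssh2
Sep 30 10:40:00 gw sshd[106]: Failed password for invalid user ann from 198.51.100.7 port 51001 ssh2
Sep 30 11:15:00 gw sshd[107]: Failed password for root from 198.51.100.7 port 51002 ssh2
""".splitlines()

SHORT = timedelta(minutes=10)   # memory of a simple rate-based watcher
LONG = timedelta(days=14)       # memory long enough to link widely spaced attempts

if __name__ == "__main__":
    print("short window:", sorted(offenders(SAMPLE, SHORT)))
    print("long window: ", sorted(offenders(SAMPLE, LONG)))
```

With the short window only the host that hammers within seconds is flagged; the host that returns every 35 minutes is caught only once failures are remembered across the longer window.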



