[Nottingham] ssh attempts for common usernames

Simon Amor simon at leaky.org
Tue Aug 23 12:05:25 BST 2005


Recently I've been seeing a lot of failed ssh attempts into my
dedicated server for usernames like mail, ftp, test, robert, simon, bob
etc. There would be somewhere in the region of 70 different users  
tried from each of maybe 3 or 4 IPs a day.

I know that other people (who may not be on this list) are seeing  
similar things and I figured I should look into trying to block them.  
A quick Google later and I found http://denyhosts.sourceforge.net/

Took me about 30m (including distractions) to download, install and  
configure and it's already added about 40 IPs to /etc/hosts.deny and  
now I'm seeing ssh connection refused messages in logwatch output  
instead of failed logins for user test.

I'm not sure I agree with running it from cron every 20 minutes so  
I've got it watching the logs every 30 seconds (running in daemon  
mode) and it doesn't seem to be impacting server performance at all.  
I guess there's a tradeoff between 20 minute gaps where the server is  
open to abuse before it picks up on the attempts and 2 second gaps  
where all the server does is process logs.

    Simon
-- 
Simon Amor
simon at leaky.org
http://www.leaky.org/
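
The kind of log check described in the post above, as an added example that is not part of the original message and is not DenyHosts' own code: it counts distinct usernames with failed logins per source IP and formats `/etc/hosts.deny` entries for addresses over a threshold. The log line format, the threshold and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (documentation-range IPs), not real data.
SAMPLE_LOG = """\
Aug 23 11:58:01 host sshd[4101]: Failed password for invalid user mail from 192.0.2.10 port 40112 ssh2
Aug 23 11:58:03 host sshd[4102]: Failed password for invalid user ftp from 192.0.2.10 port 40113 ssh2
Aug 23 11:58:05 host sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 40114 ssh2
Aug 23 11:59:10 host sshd[4110]: Failed password for simon from 198.51.100.7 port 51000 ssh2
Aug 23 11:59:12 host sshd[4110]: Failed password for simon from 198.51.100.7 port 51000 ssh2
Aug 23 11:59:30 host sshd[4120]: Failed password for invalid user x from 203.0.113.5 port 22 ssh2 from 192.0.2.10 port 40120 ssh2
Aug 23 12:00:00 host sshd[4130]: Accepted password for simon from 198.51.100.7 port 51001 ssh2
"""

# The username is remote-controlled text. Anchoring on the end of the line and
# matching the user greedily means only the final " from <ip> port N ssh2",
# which sshd itself wrote, is trusted; a username that embeds " from <ip>"
# cannot get some other address blocked.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def offenders(log_text, threshold=3, allow=()):
    """Return sorted IPs with failed logins for >= threshold distinct users.

    `allow` lists addresses that must never be blocked (e.g. your own).
    """
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m and m.group("ip") not in allow:
            users_by_ip[m.group("ip")].add(m.group("user"))
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) >= threshold)

def hosts_deny_lines(ips, existing=""):
    """Format tcp_wrappers entries, skipping IPs already in `existing`."""
    present = set(re.findall(r"^sshd:\s*(\S+)", existing, re.M))
    return [f"sshd: {ip}" for ip in ips if ip not in present]

if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(entry)
```

Repeated failures for a single real account (198.51.100.7 above) stay below the distinct-username threshold, so a user mistyping their own password is not blocked by this particular rule.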




