[Nottingham] Web-bot attack!

Richard Ward daedalusfall at gmail.com
Wed Nov 11 15:34:59 UTC 2009

On Wed, 2009-11-11 at 15:12 +0000, Michael Erskine wrote:
> > Since 5/11/2009, I've seen 5362 ssh attempts from *469* IP addresses.
> Port 22? A quick fix would be to block it and listen on something less obvious.

I used to have a server that this happened on, for no good reason. The
method it was using was incredibly naive, simply making the passwords
the same as the user names it was trying, so I ignored it.

If they are trying random passwords, for an amusing mental exercise try
figuring out how long it would take them to find your password given the
rate they are trying it at.

Either way I agree with Michael, it seems unlikely that they will be
determined enough to find your ssh port. You could even keep a fake ssh
running on port 22 if you don't want them looking for your real one.

If you want a little extra you could try something cool, like making a
script that only opens up the (non 22) ssh port under certain
conditions. This could be as simple as visiting a particular address and
entering a password first, or something cool like having your computer
hooked up to a mobile so that when you drop-call the mobile it opens up
a port. Probably a little silly but definitely fun.

Of course, if you mostly ssh into this machine when you are at home (or
wherever the machine is) anyway there are a number of ways to only allow
ssh connections from the local network.

More information about the Nottingham mailing list