Re: intrusion via ssh

From: Greg Folkert (greg_at_gregfolkert.net)
Date: 04/03/05

    To: DebianUser List <debian-user@lists.debian.org>
    Date: Sat, 02 Apr 2005 21:05:37 -0500
    
    
    

    On Thu, 2005-03-31 at 12:55 +0200, Frederic Guillet wrote:
    > Hi,
    >
    > I just checked my mail log on my server (that runs sarge with postfix)
    > and got this kind of line:
    >
    > MAR 30 20:01:33 servername sshd[17890] illegal user john from 24.15.134.130
    >
    > I have about 500 attempts with different usernames and the same IP, so I
    > guess it is a robot which is trying to enter my system.
    >
    > The problem with such a log is that it does not say if the user has succeeded
    > in entering the machine or if the attempt has failed.
    >
    > Any config advice or tutorials are welcome.
    >
    > Thanks in advance for your help.

    I have a short summary of my tracking of these Bruteforce SSH2 attempts
    that are taking up bandwidth.

    Here is what I have come up with ending 21mar2005 2100 GMT:
          * Starting July 26th, 2004 totals for recent Bruteforce attempts
            on knight.gregfolkert.net and ending March 28th, 2005
          * Total of 8,988 events separated by minutes sometimes, hours,
            days, never weeks, months or years
          * 158,913 bruteforce total attempts to password guess or stumble
            onto a no password user
          * 3727 unique combinations of username-(from)IP Address
          * 663 unique names used
          * 210 unique IP Addresses have been identified as sources of the
            attempts

    Amazing ain't it?

    So, indeed it has been on the increase. Time to review those password
    policies.

    This is just the SSH2 problems, not to mention the Apache related
    applications. We can basically quadruple the counts as a total for
    everything that machine has seen.

    -- 
    greg, greg@gregfolkert.net
    The technology that is
    Stronger, better, faster:  Linux
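
A way to produce the kind of tally listed in the message above from an sshd log, and to answer the original question of whether any guess succeeded. This is an added example, not code from either poster. It assumes OpenSSH's "Illegal user", "Failed password" and "Accepted ..." message formats; the sample lines, user names and addresses are constructed.

```python
import re
from collections import Counter

# sshd message formats (assumed: OpenSSH); the syslog timestamp/host prefix is ignored.
PROBE = re.compile(r"sshd\[\d+\]:? (?:illegal|invalid) user (\S+) from (\S+)", re.I)
FAILED_KNOWN = re.compile(r"sshd\[\d+\]:? Failed password for "
                          r"(?!illegal user |invalid user )(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]:? Accepted \S+ for (\S+) from (\S+)")

# Constructed sample log (documentation address ranges, made-up users).
SAMPLE = """\
Mar 30 20:01:33 servername sshd[17890]: Illegal user john from 192.0.2.10
Mar 30 20:01:33 servername sshd[17890]: Failed password for illegal user john from 192.0.2.10 port 4711 ssh2
Mar 30 20:01:36 servername sshd[17892]: Illegal user test from 192.0.2.10
Mar 30 20:01:39 servername sshd[17894]: Failed password for root from 192.0.2.10 port 4713 ssh2
Mar 30 20:05:02 servername sshd[17901]: Illegal user john from 198.51.100.7
Mar 30 20:05:09 servername sshd[17903]: Failed password for guest from 198.51.100.7 port 2201 ssh2
Mar 30 20:05:12 servername sshd[17905]: Accepted password for guest from 198.51.100.7 port 2202 ssh2
Mar 30 21:00:00 servername sshd[17950]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2
""".splitlines()


def summarize(lines):
    """Tally failed SSH logins and flag logins accepted from guessing addresses."""
    attempts = Counter()   # (user, ip) -> number of failed attempts
    accepted = []          # (user, ip) of every successful login
    for line in lines:
        # "Failed password for illegal user ..." repeats the "Illegal user" line
        # of the same attempt, so neither pattern matches it (no double count).
        m = PROBE.search(line) or FAILED_KNOWN.search(line)
        if m:
            attempts[m.groups()] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append(m.groups())
    noisy_ips = {ip for _, ip in attempts}
    return {
        "total_attempts": sum(attempts.values()),
        "unique_user_ip": len(attempts),
        "unique_names": len({user for user, _ in attempts}),
        "unique_ips": len(noisy_ips),
        # A login accepted from an address that was also guessing: check these first.
        "accepted_from_attackers": [(u, ip) for u, ip in accepted if ip in noisy_ips],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On Debian, sshd messages normally go to /var/log/auth.log, so `summarize(open("/var/log/auth.log"))` runs the same tally on a real log.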
    
    
