OT: password crackers
Toby Kelsey
toby_kelsey at ntlworld.com
Wed Feb 8 06:41:30 UTC 2006
(Off-topic as it's not Ubuntu-specific, but is relevant to Ubuntu users)
I've just realised there are current password cracking attempts against my home box (breezy).
On Feb 4th at 16:53 I installed openssh-server.
By 10:09 on the 5th I was receiving password-guessing attempts, which produce messages in auth.log like:
Feb 5 10:13:29 localhost sshd[23468]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250 user=root
Feb 5 10:13:30 localhost sshd[23468]: Failed password for root from 202.82.204.250 port 1566 ssh2
Feb 5 10:13:33 localhost sshd[23470]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250 user=root
Feb 5 10:13:35 localhost sshd[23470]: Failed password for root from 202.82.204.250 port 1656 ssh2
Feb 5 10:14:22 localhost sshd[23496]: Invalid user test from 202.82.204.250
Feb 5 10:14:32 localhost sshd[23500]: Invalid user admin from 202.82.204.250
Feb 8 06:01:55 localhost sshd[7280]: Failed password for root from 62.113.122.149 port 62900 ssh2
Feb 8 06:01:56 localhost sshd[7283]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.113.122.149 user=root
Some of the attempts are with alphabetically ordered usernames from a list,
others repeatedly try root.
The IPs and number of attempts up till now are:
200.222.105.27: 138
202.82.204.250: 1999
210.240.94.2: 59
211.115.81.91: 179
213.145.140.14: 5
218.24.139.109: 16
218.90.165.178: 60
222.235.28.7: 1052
62.113.122.149: 4570 (ongoing)
79.108.100-84.rev.gaoland.net: 41
84.100.108.79: 75
mail.gkps.hlc.edu.tw: 31
wap.ml.kg: 5
I'm worried an attempt might succeed on an automatically generated username.
The users with valid shells in /etc/passwd are:
root daemon bin sys sync games man lp mail news uucp proxy www-data
backup list irc gnats nobody toby zac fetchmail guest backuppc
I have locked passwords for guest, zac, backuppc, fetchmail.
The passwords I have set myself (toby, root) are good.
Are any of the other usernames likely to have default or guessable passwords?
Many of the usernames seem unnecessary and may be the result of previous trial
package installations. Which ones are needed, and can I track which packages
are responsible for which ones? When packages are uninstalled, is the password
for the relevant account locked?
Is this rate of attack fairly typical?
Is it worth trying to take action against the hosts involved?
Can I easily block specific hosts, or prevent repeated attempts from the same host?
I could just uninstall openssh-server, as I do not need it currently.
Toby
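A defender's way to do the per-host tally and the "could an attempt succeed on one of these accounts" check described in the post, as an added example (Python; not from the original post or from Ubuntu). The log lines and the /etc/shadow excerpt below are constructed in the formats the post shows; the hash values are placeholders, and the dedup-by-PID step is an assumption that sshd logs the pam_unix line and the "Failed password" line of one attempt under the same process id, as the post's sample shows.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log format quoted in the post (not the real log).
SAMPLE_LOG = """\
Feb 5 10:13:29 localhost sshd[23468]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250 user=root
Feb 5 10:13:30 localhost sshd[23468]: Failed password for root from 202.82.204.250 port 1566 ssh2
Feb 5 10:13:33 localhost sshd[23470]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.82.204.250 user=root
Feb 5 10:13:35 localhost sshd[23470]: Failed password for root from 202.82.204.250 port 1656 ssh2
Feb 5 10:14:22 localhost sshd[23496]: Invalid user test from 202.82.204.250
Feb 5 10:14:32 localhost sshd[23500]: Invalid user admin from 202.82.204.250
Feb 8 06:01:55 localhost sshd[7280]: Failed password for root from 62.113.122.149 port 62900 ssh2
Feb 8 06:01:56 localhost sshd[7283]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.113.122.149 user=root
Feb 8 06:02:10 localhost sshd[7290]: Accepted publickey for toby from 192.0.2.10 port 50000 ssh2
"""

# Constructed /etc/shadow excerpt; hashes are placeholders, 'test' deliberately has an empty field.
SAMPLE_SHADOW = """\
root:$1$PLACEHOLDERHASH:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
toby:$1$PLACEHOLDERHASH:13000:0:99999:7:::
guest:!:13000:0:99999:7:::
backuppc:!$1$PLACEHOLDERHASH:13000:0:99999:7:::
test::13000:0:99999:7:::
"""

LINE_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)")
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<host>\S+)")
PAM_RE = re.compile(r"authentication failure;.*rhost=(?P<host>\S+)\s+user=(?P<user>\S+)")


def parse_failures(text):
    """Yield one (host, user) pair per failed login attempt.

    The pam_unix line and the sshd 'Failed password' line for one attempt share a
    PID, so (pid, host) is used to count that attempt once. PIDs recycle over a
    long log, so for multi-day files key on timestamp as well.
    """
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        for pat in (FAILED_RE, INVALID_RE, PAM_RE):
            e = pat.search(msg)
            if e:
                key = (pid, e.group("host"))
                if key not in seen:
                    seen.add(key)
                    yield e.group("host"), e.group("user")
                break


def summarise(text, threshold=5):
    """Per-host attempt count, usernames tried, and whether it is a root-only or
    username-list run; 'flag' marks hosts at or above the threshold."""
    per_host = defaultdict(lambda: {"attempts": 0, "users": set()})
    for host, user in parse_failures(text):
        per_host[host]["attempts"] += 1
        per_host[host]["users"].add(user)
    report = {}
    for host, d in per_host.items():
        report[host] = {
            "attempts": d["attempts"],
            "users": sorted(d["users"]),
            "pattern": "root-only" if d["users"] == {"root"} else "username-list",
            "flag": d["attempts"] >= threshold,
        }
    return report


def password_state(shadow_text):
    """Map account -> 'unlocked', 'locked' or 'empty' from shadow-format lines.
    A field starting with '!' or '*' cannot match any password; an empty field
    means no password is required at all."""
    state = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, hashfield = line.split(":")[:2]
        if hashfield == "":
            state[name] = "empty"
        elif hashfield.startswith(("!", "*")):
            state[name] = "locked"
        else:
            state[name] = "unlocked"
    return state


def exposed_accounts(log_text, shadow_text):
    """Usernames the attackers have tried that can still log in with a password."""
    tried = {user for _, user in parse_failures(log_text)}
    state = password_state(shadow_text)
    return sorted(u for u in tried if state.get(u) in ("unlocked", "empty"))


if __name__ == "__main__":
    for host, info in summarise(SAMPLE_LOG, threshold=3).items():
        print(host, info)
    print("exposed:", exposed_accounts(SAMPLE_LOG, SAMPLE_SHADOW))
```

Run against a real auth.log and /etc/shadow (the latter read as root) to answer two of the post's questions directly: which hosts are hammering the box hardest, and which of the usernames being guessed still have a usable password. Accounts reported as "exposed" are the ones to lock (`passwd -l`) or give strong passwords; hosts that are flagged are the candidates for a firewall rule or a rate-limiting tool.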
More information about the ubuntu-users mailing list