OT: password crackers

Zach uid000 at gmail.com
Wed Feb 8 11:46:05 UTC 2006


There was actually an article about this in the last year.
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
This isn't actually "password cracking".  These are automated scripts
that sniff around for machines running ssh then go through a
dictionary of usernames and passwords.

It's extremely common, and the threat level is fairly low.  I
generally see a few thousand attempts per month.  If you've got strong
passwords, i.e., 9+ characters, uppercase, lowercase, number, special
characters, it's not that much to worry about.

A couple of suggestions:
Are you behind a NAT router?  If not you should be, if this is a home network.
If you are behind a NAT, do you need to ssh in from outside your
network?  If not, then don't forward the ssh port (22) internally.
If you do need to shell in from outside, then use an alternate
port.  You can do this one of two ways.  If your nat supports port
redirection, then redirect an alternate port (say 2020) to port 22 of
your ssh server.  Or you can configure your ssh server to listen on an
alternate port.  See /etc/sshd_config.  Then just connect using the -p
option to specify the port.

You could also configure your ssh server to not accept password
authentication and to only use ssh keys.

If you get your ip address from your isp via dhcp, you could refresh
your lease every so often.  Many isps give a different ip address each
time you connect.  So power cycle the router or re-initiate your pppoe
(if you're on dsl).

Just a few suggestions.

On 2/8/06, Toby Kelsey <toby_kelsey at ntlworld.com> wrote:
> (Off-topic as it's not Ubuntu-specific, but is relevant to Ubuntu users)
> I've just realised there are current password cracking attempts against my home box (breezy).
>
> On Feb 4th at 16:53 I installed openssh-server.
> By 10:09 on the 5th I was receiving password-guessing attempts, which produce messages in auth.log like:
>
> Feb  5 10:13:29 localhost sshd[23468]: (pam_unix) authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=202.82.204.250  user=root
> Feb  5 10:13:30 localhost sshd[23468]: Failed password for root from 202.82.204.250 port 1566 ssh2
> Feb  5 10:13:33 localhost sshd[23470]: (pam_unix) authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=202.82.204.250  user=root
> Feb  5 10:13:35 localhost sshd[23470]: Failed password for root from 202.82.204.250 port 1656 ssh2
> Feb  5 10:14:22 localhost sshd[23496]: Invalid user test from 202.82.204.250
> Feb  5 10:14:32 localhost sshd[23500]: Invalid user admin from 202.82.204.250
>
> Feb  8 06:01:55 localhost sshd[7280]: Failed password for root from 62.113.122.149 port 62900 ssh2
> Feb  8 06:01:56 localhost sshd[7283]: (pam_unix) authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=62.113.122.149  user=root
>
> Some of the attempts are with alphabetically ordered usernames from a list,
> others repeatedly try root.
>
> The IPs and number of attempts up till now are:
>
> 200.222.105.27: 138
> 202.82.204.250: 1999
> 210.240.94.2: 59
> 211.115.81.91: 179
> 213.145.140.14: 5
> 218.24.139.109: 16
> 218.90.165.178: 60
> 222.235.28.7: 1052
> 62.113.122.149: 4570 (ongoing)
> 79.108.100-84.rev.gaoland.net: 41
> 84.100.108.79: 75
> mail.gkps.hlc.edu.tw: 31
> wap.ml.kg: 5
>
> I'm worried an attempt might succeed on an automatically generated username.
> The users with valid shells in /etc/passwd are:
> root daemon bin sys sync games man lp mail news uucp proxy www-data
> backup list irc gnats nobody toby zac fetchmail guest backuppc
>
> I have locked passwords for guest, zac, backuppc, fetchmail
> The passwords I have set myself (toby, root) are good.
>
> Are any of the other usernames likely to have default or guessable passwords?
>
> Many of the usernames seem unnecessary and may be the result of previous trial
> packages installations.  Which ones are needed and can I track which packages
> are responsible for which ones?  When packages are uninstalled is the password
> for the relevant account locked?
>
> Is this rate of attack fairly typical?
>
> Is it worth trying to take action against the hosts involved?
>
> Can I easily block specific hosts, or prevent repeated attempts from the same host?
>
> I could just uninstall openssh-server, as I do not need it currently.
>
> Toby
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>


--
If you reply to a message I posted to a mailing list,
and you want me to see your reply, be sure to put my
address in the 'To:', or I might not see the message.
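As an added example (not code from the thread or from either poster), here is a POSIX shell script covering two of the points discussed above: it tallies failed-login attempts per source host from sshd log lines of the kind Toby quoted, so the "is this rate typical, and which hosts keep retrying" question can be answered from the log itself, and it audits an sshd_config fragment (on Ubuntu the file is /etc/ssh/sshd_config) for the settings Zach recommends, an alternate port and no password authentication, plus a check that direct root login is disabled, since root is the username the quoted attempts target. The log lines and both configuration fragments are constructed samples modelled on the thread, and the function names, the 192.0.2.10 address, the AllowUsers line and the threshold value are this example's own assumptions.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source host and audit sshd_config.
# Not from the mailing-list thread; sample data below is constructed.

# Constructed auth.log lines modelled on the ones quoted in the thread.
# The pam_unix "authentication failure" lines are deliberately omitted: sshd
# logs one of those for every "Failed password" line, so counting both would
# double-count each attempt.
SAMPLE_LOG='Feb  5 10:13:30 localhost sshd[23468]: Failed password for root from 202.82.204.250 port 1566 ssh2
Feb  5 10:13:35 localhost sshd[23470]: Failed password for root from 202.82.204.250 port 1656 ssh2
Feb  5 10:14:22 localhost sshd[23496]: Invalid user test from 202.82.204.250
Feb  5 10:14:32 localhost sshd[23500]: Invalid user admin from 202.82.204.250
Feb  8 06:01:55 localhost sshd[7280]: Failed password for root from 62.113.122.149 port 62900 ssh2
Feb  8 06:02:10 localhost sshd[7290]: Accepted publickey for toby from 192.0.2.10 port 40000 ssh2'

# Constructed sshd_config fragments: the stock defaults of the time, and the
# hardened form the thread suggests (alternate port, keys only) plus no root login.
WEAK_CONF='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONF='# alternate port, key-only logins, no direct root login, one allowed user
Port 2020
PermitRootLogin no
PasswordAuthentication no
AllowUsers toby'

# tally_failures: stdin = sshd log lines; stdout = "host count", highest first.
# Only "Failed password" and "Invalid user" lines count; successes are ignored.
tally_failures() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source host is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (h in n) print h, n[h] }
    ' | sort -k2,2nr
}

# failures_for HOST LOGTEXT: number of failed attempts recorded for HOST (0 if none)
failures_for() {
    printf '%s\n' "$2" | tally_failures | awk -v h="$1" '$1 == h { c = $2 } END { print c + 0 }'
}

# hosts_over THRESHOLD LOGTEXT: hosts with at least THRESHOLD failures, one per line
hosts_over() {
    printf '%s\n' "$2" | tally_failures | awk -v t="$1" '$2 >= t { print $1 }'
}

# audit_sshd_config: stdin = sshd_config text; stdout = one line per weak or
# missing setting. Keywords are case-insensitive in sshd_config, so they are
# lower-cased; a setting that is absent takes the (weak) default.
audit_sshd_config() {
    awk '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        { seen[tolower($1)] = tolower($2) }
        END {
            if (seen["passwordauthentication"] != "no")
                print "PasswordAuthentication is not \"no\": password guessing remains possible"
            if (seen["permitrootlogin"] != "no")
                print "PermitRootLogin is not \"no\": root is the most-guessed account"
            if (!("port" in seen) || seen["port"] == "22")
                print "Port is 22: expect scanner noise on the default port"
        }
    '
}

# audit_findings CONFTEXT: number of findings for a config fragment
audit_findings() {
    printf '%s\n' "$1" | audit_sshd_config | wc -l | tr -d ' '
}

# Run against the constructed samples. On a real box the same functions take
# the live data, e.g.  sudo cat /var/log/auth.log | tally_failures
printf '%s\n' "$SAMPLE_LOG" | tally_failures
echo "hosts with 2 or more failures:"
hosts_over 2 "$SAMPLE_LOG"
echo "weak config findings:"
printf '%s\n' "$WEAK_CONF" | audit_sshd_config
```

The tally answers Toby's "is this typical" question with numbers rather than impressions, and feeding it the real log before and after changing the port shows how much of the noise is untargeted scanning. Note that moving the port only cuts noise; it is the PasswordAuthentication and PermitRootLogin settings that remove the risk the guessed-password attempts pose.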



