Chinese Kiddos with Broken Dicts?

Kurt Granroth kurt+plug-discuss at granroth.com
Sat May 9 22:35:08 MST 2009


That seems... unlikely.  I have had thousands of unique IPs hit some of 
my hosts, many to never repeat after a round of attacks.  The more 
plausible route is that they have a botnet of pwned boxes numbering in 
the hundreds of thousands and they just use them for random dictionary 
attacks.  Once the dictionary attack is done (completely failed), they 
move on.

One lesson to learn from this, though, is to NEVER allow name+password-based 
logins over the Internet.  If you open up port 22 to the world, 
then make sure you restrict logins to SSH key only.  Most importantly:

PasswordAuthentication no

If a million monkeys can write the works of Shakespeare, then a million 
compromised zombies can eventually crack all of your passwords, too!

On 5/9/09 8:17 PM, Lisa Kachold wrote:
> Be afraid, very afraid!
>
> You must put that IP in your firewall!
>
> There's a good chance they already got in, if you didn't put in iptables
> brute-force controls?
>
> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris
> <tuna at supertunaman.com <mailto:tuna at supertunaman.com>> wrote:
>
>     Helloes.
>
>     Yes, another thread about the Chinese.
>
>     Okay, so over the past couple days I've been seeing things like this:
>
>     /var/log/messages:May  9 11:00:10 (none) sshd[688]: Connection from
>     200.111.157.187 port 51751
>     /var/log/messages:May  9 11:00:10 (none) sshd[688]: Did not receive
>     identification string from 200.111.157.187
>
>     And then I don't hear from that IP ever again. What's going on here? Did
>     the script that all those kiddies are using break? Should I be more
>     concerned?
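The "PasswordAuthentication no" advice in Kurt's message is easy to apply in a way that does nothing, so the following is an added example (not part of the original thread, and not written by any of its participants) that audits an sshd_config file for the settings that still leave a password login path open. It encodes two sshd_config rules that bite in practice: when a keyword appears more than once, sshd keeps the first value it reads (so a "no" appended below a shipped "yes", or below an Include of a drop-in that says "yes", changes nothing), and keyboard-interactive authentication via PAM can still prompt for a password even with PasswordAuthentication off. The two sample configs are constructed for the example, and the function names first_value and audit_sshd_config are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config file for
# settings that still leave a password login path open. Two sshd_config rules
# matter here and are easy to get wrong:
#   1. When a keyword appears more than once, sshd keeps the FIRST value it
#      reads. Appending "PasswordAuthentication no" below an earlier "yes"
#      (or below an Include of a drop-in that says "yes") changes nothing.
#   2. "PasswordAuthentication no" alone is not enough when UsePAM is on:
#      keyboard-interactive auth (KbdInteractiveAuthentication, older name
#      ChallengeResponseAuthentication) can still prompt for a password.
# Lines inside a Match block are skipped because they apply conditionally.
# Assumption: auth keywords use the "Keyword value" or "Keyword=value" form
# without quoted values. Function names are this example's own.

# first_value FILE KEYWORD: print the first global value of KEYWORD, lowercased
# (empty if the keyword is not set at all).
first_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
    {
        line = $0
        sub(/#.*/, "", line)                  # drop comments
        gsub(/[ \t]*=[ \t]*/, " ", line)      # accept Keyword=value
        n = split(line, f)
        if (n == 0) next
        k = tolower(f[1])
        if (k == "match") in_match = 1        # rest of the file is conditional
        if (in_match) next
        if (k == key && !found) { found = 1; print tolower(f[2]) }
    }' "$1"
}

# audit_sshd_config FILE: print findings; return 0 when no password-style login
# path remains, 1 otherwise. Defaults for unset keywords follow OpenSSH:
# PasswordAuthentication yes, KbdInteractiveAuthentication yes,
# PubkeyAuthentication yes, UsePAM no (distros usually ship UsePAM yes).
audit_sshd_config() {
    f=$1; bad=0
    pw=$(first_value "$f" PasswordAuthentication)
    kbd=$(first_value "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(first_value "$f" ChallengeResponseAuthentication)
    pam=$(first_value "$f" UsePAM)
    pubkey=$(first_value "$f" PubkeyAuthentication)
    inc=$(first_value "$f" Include)

    [ -z "$inc" ] || echo "NOTE: Include '$inc' is read in place; its values beat later lines (verify with: sshd -T)"
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-yes (default)}'"; bad=1
    fi
    if [ "${kbd:-yes}" != "no" ] && [ "${pam:-no}" != "no" ]; then
        echo "FAIL: keyboard-interactive auth is '${kbd:-yes (default)}' with UsePAM on; PAM can still ask for a password"; bad=1
    fi
    if [ "${pubkey:-yes}" = "no" ]; then
        echo "FAIL: PubkeyAuthentication no leaves no key-based login path"; bad=1
    fi
    if grep -iq '^[[:space:]]*match[[:space:]]' "$f"; then
        echo "NOTE: Match block(s) present and not audited; check them with: sshd -T -C user=U,host=H,addr=A"
    fi
    return $bad
}

# Constructed sample configs for this example (not taken from any real host).
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Shipped defaults left in place, then a "fix" appended at the bottom that has
# no effect because the first value wins.
cat >"$WEAK_CONF" <<'EOF'
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
EOF

# Key-only global policy. The Match block is there only to show that
# conditional overrides exist; the audit reports it rather than judging it.
cat >"$HARDENED_CONF" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $conf"
    if audit_sshd_config "$conf"; then echo "OK: no password login path"; else echo "ACTION NEEDED"; fi
done
```

On a live host the authoritative check is the daemon's own view after Includes and first-wins resolution: `sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication|usepam'` (run as root so sshd can read its host keys). The file audit above is for reviewing configs you cannot run sshd against, such as images or configuration-management templates.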

