Chinese Kiddos with Broken Dicts?

Bob Elzer bob.elzer at gmail.com
Sun May 10 15:56:21 MST 2009


Take a look at sshblack, it works very well for me.

http://www.pettingers.org/code/sshblack.html

 

-----Original Message-----
From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Kurt Granroth
Sent: Saturday, May 09, 2009 10:35 PM
To: Main PLUG discussion list
Subject: Re: Chinese Kiddos with Broken Dicts?

That seems... unlikely.  I have had thousands of unique IPs hit some of my
hosts, many to never repeat after a round of attacks.  The more plausible
route is that they have a botnet of pwned boxes numbering in the hundreds of
thousands and they just use them for random dictionary attacks.  Once the
dictionary attack is done (completely failed), they move on.

One lesson to learn from this, though, is to NEVER allow name+password based
logins over the Internet.  If you open up port 22 to the world, then make
sure you restrict logins to SSH key only.  Most importantly:

PasswordAuthentication no

If a million monkeys can write the works of Shakespeare, then a million
compromised zombies can eventually crack all of your passwords, too!

On 5/9/09 8:17 PM, Lisa Kachold wrote:
> Be afraid, very afraid!
>
> You must put that IP in your firewall!
>
> There's a good chance they already got in, if you didn't put in 
> iptables brute force controls?
>
> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris 
> <tuna at supertunaman.com> wrote:
>
>     Helloes.
>
>     Yes, another thread about the Chinese.
>
>     Okay so over the past couple days I've been seeing things like this:
>
>     /var/log/messages:May  9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>     /var/log/messages:May  9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>
>     And then I don't hear from that ip ever again. What's going on here?
>     Did the script that all those kiddies are using break? Should I be more
>     concerned?
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
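
Added example, not part of any message in this thread: a small triage script that separates the connect-and-drop pattern in the quoted log ("Did not receive identification string" means the client closed the connection without sending an SSH version banner) from the password guessing discussed in the replies. The first two sample lines are the ones quoted above; the remaining lines, the user name and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# First two entries are the lines quoted in the thread; the rest are
# constructed samples in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
May  9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
May  9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
May  9 11:02:41 (none) sshd[701]: Failed password for root from 192.0.2.10 port 40022 ssh2
May  9 11:02:44 (none) sshd[703]: Failed password for invalid user admin from 192.0.2.10 port 40031 ssh2
May  9 11:02:47 (none) sshd[705]: Failed password for invalid user test from 192.0.2.10 port 40040 ssh2
May  9 11:05:02 (none) sshd[712]: Did not receive identification string from 198.51.100.7
May  9 11:09:30 (none) sshd[720]: Accepted publickey for alice from 203.0.113.5 port 50512 ssh2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    "no_banner": re.compile(r"sshd\[\d+\]: Did not receive identification string from " + IP),
    "failed_password": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IP),
    "accepted": re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from " + IP),
}

def summarize(text):
    """Count each event type per source IP."""
    stats = defaultdict(lambda: dict.fromkeys(PATTERNS, 0))
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                stats[m.group(1)][name] += 1
                break
    return dict(stats)

def classify(counts, guess_threshold=3):
    """Label one IP's counts; the threshold is an arbitrary example value."""
    if counts["accepted"] and counts["failed_password"] >= guess_threshold:
        return "login after repeated failures: investigate"
    if counts["failed_password"] >= guess_threshold:
        return "password guessing"
    if counts["no_banner"] and not counts["failed_password"]:
        return "connect-only probe (no SSH banner sent)"
    return "normal or low volume"

def report(text):
    """Map each source IP seen in the log to its label."""
    return {ip: classify(c) for ip, c in summarize(text).items()}

if __name__ == "__main__":
    for ip, label in sorted(report(SAMPLE_LOG).items()):
        print(f"{ip:16} {label}")
```

With `PasswordAuthentication no` in effect, the "password guessing" bucket can never turn into a successful login, so the third label is the one worth alerting on only while password logins are still enabled.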


