Re: Chinese Kiddos with Broken Dicts?

Author: Kurt Granroth
Date:  
To: Main PLUG discussion list
Subject: Re: Chinese Kiddos with Broken Dicts?
That seems... unlikely. I have had thousands of unique IPs hit some of
my hosts, many to never repeat after a round of attacks. The more
plausible route is that they have a botnet of pwned boxes numbering in
the hundreds of thousands and they just use them for random dictionary
attacks. Once the dictionary attack is done (completely failed), they
move on.

One lesson to learn from this, though, is to NEVER allow name+password
based logins over the Internet. If you open up port 22 to the world,
then make sure you restrict logins to SSH key only. Most importantly:

PasswordAuthentication no

If a million monkeys can write the works of Shakespeare, then a million
compromised zombies can eventually crack all of your passwords, too!

On 5/9/09 8:17 PM, Lisa Kachold wrote:
> Be afraid, very afraid!
>
> You must put that IP in your firewall!
>
> There's a good chance they already got in, if you didn't put in iptables
> brute force controls?
>
> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris
> < <mailto:tuna@supertunaman.com>> wrote:
>
>     Helloes.
>
>     Yes, another thread about the Chinese.
>
>     Okay so over the past couple days I've been seeing things like this:
>
>     /var/log/messages:May  9 11:00:10 (none) sshd[688]: Connection from
>     200.111.157.187 port 51751
>     /var/log/messages:May  9 11:00:10 (none) sshd[688]: Did not receive
>     identification string from 200.111.157.187
>
>     And then I don't hear from that ip ever again. What's going on here? Did
>     the script that all those kiddies are using break? Should I be more
>     concerned?
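
An added example (not part of the original message, and not OpenSSH's own code): a small Python audit of sshd_config text for the `PasswordAuthentication no` advice in the reply above. It goes a little beyond that one line by also checking duplicate keywords, Match blocks, and keyboard-interactive authentication, which with PAM enabled normally presents a password prompt; the sample config and the function names are constructed for illustration.

```python
import re

# Defaults OpenSSH applies when a keyword is absent (see sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Older configs use the deprecated alias for keyboard-interactive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample config for illustration, not taken from the thread.
SAMPLE = """\
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_settings, match_overrides) parsed from sshd_config text.
    sshd keeps the first value it reads for a keyword, so later duplicates
    are ignored. Lines after a Match keyword apply only conditionally and
    are collected separately. Include directives are not followed."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value
        elif match is not None:
            overrides.append((match, key, value))
        else:
            settings.setdefault(key, value)  # first occurrence wins
    return settings, overrides

def audit_password_logins(text):
    """List every way the config still permits password-style logins."""
    settings, overrides = parse_sshd_config(text)
    effective = {**DEFAULTS, **settings}
    findings = [f"global: {k} is {effective[k]}"
                for k in DEFAULTS if effective[k].lower() != "no"]
    findings += [f"Match {cond}: {k} re-enabled" for cond, k, v in overrides
                 if k in DEFAULTS and v.lower() == "yes"]
    return findings
```

On a live host, `sshd -T` prints the effective settings after defaults and includes are applied, which is the authoritative check.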
