RE: Chinese Kiddos with Broken Dicts?

Author: Bob Elzer
Date:  
To: 'Main PLUG discussion list'
Subject: RE: Chinese Kiddos with Broken Dicts?
Take a look at sshblack, it works very well for me.

http://www.pettingers.org/code/sshblack.html



-----Original Message-----
From: [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Kurt Granroth
Sent: Saturday, May 09, 2009 10:35 PM
To: Main PLUG discussion list
Subject: Re: Chinese Kiddos with Broken Dicts?

That seems... unlikely. I have had thousands of unique IPs hit some of my
hosts, many to never repeat after a round of attacks. The more plausible
route is that they have a botnet of pwned boxes numbering in the hundreds of
thousands and they just use them for random dictionary attacks. Once the
dictionary attack is done (completely failed), they move on.

One lesson to learn from this, though, is to NEVER allow name+password based
logins over the Internet. If you open up port 22 to the world, then make
sure you restrict logins to SSH key only. Most importantly:

PasswordAuthentication no

If a million monkeys can write the works of Shakespeare, then a million
compromised zombies can eventually crack all of your passwords, too!

On 5/9/09 8:17 PM, Lisa Kachold wrote:
> Be afraid, very afraid!
>
> You must put that IP in your firewall!
>
> There's a good chance they already got in, if you didn't put in
> iptables brute force controls?
>
> On Sat, May 9, 2009 at 5:39 PM, Andrew "Tuna" Harris
> <tuna@supertunaman.com> wrote:
>
>     Helloes.
>
>     Yes, another thread about the Chinese.
>
>     Okay so over the past couple days I've been seeing things like this:
>
>     /var/log/messages:May  9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751
>     /var/log/messages:May  9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187
>
>     And then I don't hear from that ip ever again. What's going on here? Did
>     the script that all those kiddies are using break? Should I be more
>     concerned?

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
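
Added example, not part of any message in this thread: a small Python triage of sshd log lines that separates the banner-less probe quoted above from password guessing, and flags a password login that follows guessing (the case `PasswordAuthentication no` rules out). The `Failed password` and `Accepted` lines are constructed samples in OpenSSH's log format, and `fail_threshold` is an assumed value.

```python
import re
from collections import defaultdict

# Message text after the "sshd[pid]: " tag; patterns are anchored to its start.
MSG = re.compile(r"sshd\[\d+\]: (.*)")
# Greedy ".*" selects the LAST " from <ip> port <n>", the one sshd appends itself,
# so text inside an attacker-chosen username cannot change the reported source.
PATTERNS = {
    "probe": re.compile(r"Did not receive identification string from (\S+)"),
    "failed": re.compile(r"Failed password for .* from (\S+) port \d+"),
    "accepted_pw": re.compile(r"Accepted password for .* from (\S+) port \d+"),
}

def summarize(lines):
    """Count event kinds per source IP: {ip: {"probe": n, "failed": n, "accepted_pw": n}}."""
    stats = defaultdict(lambda: dict.fromkeys(PATTERNS, 0))
    for line in lines:
        tag = MSG.search(line)
        for kind, rx in PATTERNS.items():
            m = rx.match(tag.group(1)) if tag else None
            if m:
                stats[m.group(1)][kind] += 1
                break
    return dict(stats)

def triage(stats, fail_threshold=3):
    """Label each IP; fail_threshold is an arbitrary value chosen for this example."""
    verdicts = {}
    for ip, s in stats.items():
        if s["failed"] >= fail_threshold and s["accepted_pw"]:
            verdicts[ip] = "investigate"  # guessing followed by a password login
        elif s["failed"] >= fail_threshold:
            verdicts[ip] = "brute-force"
        elif s["probe"] and not s["failed"]:
            verdicts[ip] = "scan-only"    # connected, never sent an SSH banner
        else:
            verdicts[ip] = "ok"
    return verdicts

# First two lines are the ones quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "May  9 11:00:10 (none) sshd[688]: Connection from 200.111.157.187 port 51751",
    "May  9 11:00:10 (none) sshd[688]: Did not receive identification string from 200.111.157.187",
    *[f"May  9 11:02:0{i} (none) sshd[70{i}]: Failed password for {u} from {ip} port 4011{i} ssh2"
      for u, ip in (("invalid user admin", "203.0.113.5"), ("bob", "198.51.100.7")) for i in range(3)],
    "May  9 11:03:09 (none) sshd[719]: Accepted password for bob from 198.51.100.7 port 50009 ssh2",
    "May  9 11:04:00 (none) sshd[725]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2",
]
```

Calling `triage(summarize(SAMPLE))` labels the address from the thread as scan-only: it opened a TCP connection and never started the SSH handshake, so no credentials were tried.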
