RE: [fw-wiz] SSH brute force attack

From: Paul Melson (pmelson_at_gmail.com)
Date: 06/30/05

  • Next message: noc ops: "[fw-wiz] Proxy - content filter related"
    To: "'Toderick, Lee W'" <TODERICKL@MAIL.ECU.EDU>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 30 Jun 2005 11:57:39 -0400

    I can't identify the specific tool being used in your case, but SSH brute
    force scans have been showing up on my radar for a little over a year now.
    The users and passwords used seem to differ by attempt now and are getting
    more exhaustive. The earlier connection is probably a version grab used to
    determine whether or not there are other ways of exploiting your sshd either
    by compromising it directly or by using its authentication scheme to
    enumerate valid users.

    I would say that on average I see 3-4 of these a day, most from APNIC
    blocks. I've instituted password complexity requirements on the
    'recreational' systems, and simply don't allow SSH connections from the
    Internet on anything else. I've also never allowed root logins and all
    service uids like nobody or web get /nologin shells. Thus far, it's been
    enough to be lucky.

    PaulM

    -----Original Message-----
    Subject: [fw-wiz] SSH brute force attack

    Greetings!

    Our computers running SSH daemons have logged attacks. The attacks begin
    with a scan logged "Did not receive identification string from x.x.x.x",
    followed approximately 15 minutes later with "Illegal user " or " Failed
    password for root".

    Does anyone have information or documentation about this scan/attack?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
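An added example, not from the thread, that scans sshd syslog lines for the pattern the original poster describes: a "Did not receive identification string" version probe followed a short while later by "Illegal user" or "Failed password" attempts from the same address. The log lines are constructed; the 30-minute correlation window, the three-failure threshold and the added "Invalid user" wording (newer OpenSSH) are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in classic syslog format (no year);
# the addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
Jun 30 08:02:11 host sshd[1201]: Did not receive identification string from 192.0.2.10
Jun 30 08:16:40 host sshd[1240]: Illegal user admin from 192.0.2.10
Jun 30 08:16:43 host sshd[1241]: Illegal user test from 192.0.2.10
Jun 30 08:16:47 host sshd[1242]: Failed password for root from 192.0.2.10 port 4312 ssh2
Jun 30 09:30:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 50011 ssh2
Jun 30 10:05:02 host sshd[1350]: Failed password for root from 198.51.100.7 port 50020 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
PROBE_RE = re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)")
# "Illegal user" is the wording in the thread; later OpenSSH logs "Invalid user".
FAIL_RE = re.compile(r"(?:(?:Illegal|Invalid) user \S+|Failed password for \S+) from (?P<ip>[\d.]+)")


def correlate(log_text, window=timedelta(minutes=30), threshold=3):
    """Return {ip: {"probe_then_fail": bool, "failures": n}} for sources that either
    sent a version probe followed within `window` by failed logins, or accumulated
    at least `threshold` failed/illegal-user attempts. Window and threshold are assumed."""
    probes = {}                   # ip -> time of first version probe
    failures = defaultdict(list)  # ip -> times of failed or illegal-user logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
        msg = m.group("msg")
        p = PROBE_RE.search(msg)
        if p:
            probes.setdefault(p.group("ip"), ts)  # keep the earliest probe per source
            continue
        f = FAIL_RE.search(msg)
        if f:
            failures[f.group("ip")].append(ts)
    findings = {}
    for ip, times in failures.items():
        probed = ip in probes and any(
            timedelta(0) <= t - probes[ip] <= window for t in times)
        if probed or len(times) >= threshold:
            findings[ip] = {"probe_then_fail": probed, "failures": len(times)}
    return findings


if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, only 192.0.2.10 is reported: it matches both the probe-then-fail sequence and the failure count, while the single root failure from 198.51.100.7 stays below the threshold.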


