Re: Is this normal?

From: Adam Jones (ajones1_at_gmail.com)
Date: 10/22/04

    Date: Thu, 21 Oct 2004 21:51:58 -0500
    To: Erlend Lorentzen <er-lore@online.no>
    
    

    More than likely this is just some script kiddie behavior. If you are
    using safe passwords (you do use software to attempt to crack/guess
    those passwords yourself, right?) the only worry is that some exploit
    for sshd or another exposed program will come up before you patch it.
    Consider your actual requirements for using sshd as this is a home
    system where you could just walk over and log into the box directly.

    If sshd is required be sure to block ports on your boxes behind this
    one. Another relatively decent home network security tip is to turn
    off systems that you are not using. Most of them do not need to be on,
    and can be turned on overnight to apply updates as needed.

    As for your other questions:

    This is relatively normal methodology for a script kiddie login
    attempt. If you were able to look at the usernames and passwords used
    it would probably consist of a lot of root:$easytoguesspassword
    entries. Sshd attacks are fairly uncommon in the Windows-ubiquitous
    world of home networking.

    You should not really be concerned. As long as you are using strong
    passwords and keeping your software up to date everything should be
    golden. Someone capable of more than just mindless login attempts
    might be able to do some damage, but that is not what you are seeing
    here.

    Like I said earlier, seriously consider disabling sshd, or at the least
    limiting access from specific ranges. Ensure that you are not able to
    remotely log in as root. Use software like John the Ripper to test your
    passwords, and change them often. I don't know a whole lot about
    Linux, so I cannot give you any hardening/any other advice. Hope this
    helps though.

    -Adam
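
The log review discussed in the message above, as an added example that is not part of the original post: it counts failed sshd password logins per source address, lists the usernames tried (sshd logs usernames, not the passwords), and flags any source that was guessing and then got a successful login. It assumes the OpenSSH syslog line format "Failed/Accepted password for ... from ... port ... ssh2"; the sample lines, the host name and the account name are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH syslog style (not from the original post).
# Addresses are from documentation ranges; "erlend" is a made-up account name.
SAMPLE_LOG = """\
Oct 21 03:12:01 home sshd[4101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Oct 21 03:12:04 home sshd[4103]: Failed password for root from 192.0.2.10 port 40120 ssh2
Oct 21 03:12:07 home sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40131 ssh2
Oct 21 03:12:09 home sshd[4107]: Failed password for illegal user test from 192.0.2.10 port 40140 ssh2
Oct 21 09:30:15 home sshd[4200]: Accepted password for erlend from 198.51.100.7 port 51000 ssh2
Oct 21 11:02:44 home sshd[4300]: Failed password for erlend from 198.51.100.7 port 51022 ssh2
"""

# Greedy user match: sshd appends "from <ip> port <n>" last, so a hostile
# username that itself contains " from " cannot spoof the source address.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>.+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text, threshold=3):
    """Return per-source failure stats and any success from a guessing source."""
    failed = defaultdict(Counter)   # ip -> Counter of usernames tried
    accepted = []                   # (ip, user) for every successful login
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]][m["user"]] += 1
        else:
            accepted.append((m["ip"], m["user"]))
    # A source counts as "guessing" once it reaches the failure threshold.
    noisy = {ip: users for ip, users in failed.items()
             if sum(users.values()) >= threshold}
    return {
        "guessing_sources": {
            ip: {"failures": sum(u.values()), "root": u["root"], "users": sorted(u)}
            for ip, u in noisy.items()
        },
        # The entry that matters: a guessing source that eventually got in.
        "compromise_suspects": [(ip, user) for ip, user in accepted if ip in noisy],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty `compromise_suspects` list with a non-empty `guessing_sources` is the "mindless login attempts" case; a single mistyped password from a known address stays below the threshold.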

