Re: Dictionary attacks on port 22
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Sun, 26 Feb 2006 18:14:17 -0600
On Sat, 25 Feb 2006, in the Usenet newsgroup comp.os.linux.security, in article
<87r75qubcl.fsf@xxxxxxxxxxx>, Harry Putnam wrote:
ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) writes:
First Last IP hits
Feb 18 08:30:47 <> Feb 18 09:50:39 200.88.113.25 5283
Feb 22 08:11:51 <> Feb 22 08:49:29 217.71.210.152 2372
Feb 17 19:42:11 <> Feb 21 18:15:19 220.119.33.251 1365
Feb 18 01:49:01 <> Feb 18 02:42:19 194.146.224.92 1270
Feb 20 22:58:07 <> Feb 20 23:22:34 220.158.24.21 876
Feb 22 05:01:32 <> Feb 22 05:43:41 220.232.149.165 570
Just looking at the first six, they smell strongly of zombie - perhaps
a windoze box someone found that the owner left wide open.
Can you explain that? Are you basing it on number of hits? IP? ... what?
IP. Your first, 200.88.113.25, is 25sosua113.codetel.net.do in the
Dominican Republic. Codetel has a fairly poor reputation for abuse
problems. The address implies a home system though at the moment I can't
reach it. Host number two is valerian-152.210.71.217.zonepro-serveurs.net
in France. This appears to be a hosting service. Host 3 doesn't resolve, but
is in a block allocated to Korea Telecom, suballocated to another hosting
service though I can't read the Hangul. Kortel seems to feel that there
is no need to configure PTR records (it's only a "SHOULD" on the APNIC
policy document as recommended in RFC2050). A lot of people feel this is
reason to block such IP space. Host 4 is sd204.sivit.org - yet another
hosting service in France. Interestingly, when I connect to this site, I
get forwarded on to the www.google.com login page. Host 5 is a dynamic
address in Japan s21.ItokyoFL116.vectant.ne.jp running an incompletely
configured version of Apache on Linux, while host 6 is at our dear friends
(NOT!) at pacific.net.hk whose users seem to delight in running zombies.
The latter block (like the 217.116.0.0/14 and 217.120.0.0/13 blocks from
Kortel) is in fact blackholed here for that very reason so I can't comment
on the individual host. Using another ISP, I find (as usual) the klowns at
pacific.net.hk haven't figured out how to set up DNS either.
Sounded like you think those six are coming from a single machine?
No, not on three continents. The possibility that they are controlled by
the same individual is low, though not impossible. The fact that they
seem to have all decided to attempt to dictionary attack you might be related,
but that's pushing the indications pretty hard.
Must be nice to live in a quiet part of the Internet. ;-)
How many dictionary attack type hits do you see in a day?
None. My ssh server doesn't run on a low port, and the chance of anyone
even finding it is quite poor, never mind seeing repeat attempts. Also,
I only accept connections to that server from a VERY limited list of IP
addresses. On the other hand, I see quite a large number of connection
_attempts_ to port 22 on my public address - typically about a thousand
a day. That's why I no longer have a server there, and don't bother even
logging the attempts.
Old guy
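The First/Last/IP/hits table quoted at the top of this post is the kind of summary an auth log yields. As an added example (not code from the thread or either poster), here is a Python script that builds that table from constructed sshd "Failed password" lines, assuming the standard syslog line format; the sample lines are made up here, with the year supplied by hand because syslog does not log it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the thread), in the
# syslog format a Linux auth log used at the time; no year is logged.
SAMPLE_LOG = """\
Feb 18 08:30:47 host sshd[2101]: Failed password for invalid user admin from 200.88.113.25 port 4410 ssh2
Feb 18 08:30:49 host sshd[2103]: Failed password for invalid user test from 200.88.113.25 port 4412 ssh2
Feb 18 09:50:39 host sshd[2999]: Failed password for root from 200.88.113.25 port 4980 ssh2
Feb 22 08:11:51 host sshd[3100]: Failed password for invalid user guest from 217.71.210.152 port 1201 ssh2
Feb 22 08:49:29 host sshd[3305]: Failed password for invalid user oracle from 217.71.210.152 port 1290 ssh2
Feb 18 08:31:00 host sshd[2105]: Accepted publickey for harry from 192.0.2.10 port 5000 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def summarize_failed_logins(log_text, year=2006):
    """Return rows (first, last, ip, hits) sorted by hits, descending.
    Timestamps are parsed with the supplied year since syslog omits it."""
    hits = defaultdict(int)
    first, last = {}, {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                      # accepted logins, other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        hits[ip] += 1
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    rows = [(first[ip], last[ip], ip, hits[ip]) for ip in hits]
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows

def format_table(rows):
    """Render rows in the 'First <> Last IP hits' layout used in the thread."""
    out = ["First Last IP hits"]
    for f, l, ip, n in rows:
        out.append(f"{f:%b %d %H:%M:%S} <> {l:%b %d %H:%M:%S} {ip} {n}")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_table(summarize_failed_logins(SAMPLE_LOG)))
```

Sorting by hit count puts the noisiest source first, which is the order the quoted table uses; the per-IP first/last window is what lets you tell a sustained run from a one-off probe.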