Re: using PubkeyAuthentication, still getting dictionary attacks!



Nomen Nescio <nobody@xxxxxxxxx> writes:

I used to run my ssh server on a high port no. to avoid the dictionary
attacks. It worked quite well but I've had to go back to good ol' port
22 because I've been plugging laptop into networks with *crazy*
restrictions like blocking huge ranges of client ports except for
specific services.

So I've changed the server config to allow PubkeyAuthentication only,
and that's working fine, BUT the dictionary attacks are still
coming. (See below for the sort of stuff I mean, in syslog.)

AIUI, dictionary attacks on PubkeyAuthentication are hopeless, and I'm
surprised the attacking "clients" try it. Am I right? Why do they keep
trying? Anything else I can/should do?

Do you think that there is a human being behind those attacks, trying all
the passwords? It is a program, which is launched from someone else's
computer.

You could just put that IP address into /etc/hosts.allow with a deny tag
for ssh.
sshd: 24.148.29.250:deny


Thanks!



Invalid user webmaster from 24.148.29.250
Invalid user ftp from 24.148.29.250
Invalid user sales from 24.148.29.250
Invalid user admin from 24.148.29.250
Invalid user andrea from 24.148.29.250
Invalid user guest from 24.148.29.250
Invalid user guest1 from 24.148.29.250
Invalid user guest2 from 24.148.29.250
Invalid user guest3 from 24.148.29.250
Invalid user guest4 from 24.148.29.250
Invalid user guest5 from 24.148.29.250
Invalid user guest6 from 24.148.29.250
Invalid user guest7 from 24.148.29.250
Invalid user guest8 from 24.148.29.250
Invalid user guest9 from 24.148.29.250
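
As an added example, not part of either poster's message: a Python sketch that counts the distinct usernames each source tried in "Invalid user ... from ..." lines like those above and emits hosts.allow deny entries in the format the reply suggests. The threshold, function names and sample lines are assumptions constructed for illustration; it goes slightly beyond the log shown by also handling the ::ffff: IPv4-mapped form and a trailing "port N".

```python
import ipaddress
import re
from collections import defaultdict

# The username is supplied by the remote client, so it may itself contain
# " from <addr>". The greedy (.*) makes the *last* " from " the real one.
INVALID_USER = re.compile(r"Invalid user (.*) from (\S+)(?: port \d+)?\s*$")

def normalise(addr):
    """Return a canonical address string, or None if addr is not an IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    # A dual-stack sshd logs IPv4 peers as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)

def guessed_users(lines):
    """Map each source address to the set of invalid usernames it tried."""
    seen = defaultdict(set)
    for line in lines:
        m = INVALID_USER.search(line)
        addr = normalise(m.group(2)) if m else None
        if addr:
            seen[addr].add(m.group(1))
    return seen

def deny_rules(lines, threshold=5):
    """hosts.allow entries for sources that tried >= threshold distinct names."""
    rules = []
    for addr, users in sorted(guessed_users(lines).items()):
        if len(users) >= threshold:
            host = f"[{addr}]" if ":" in addr else addr  # IPv6 goes in brackets
            rules.append(f"sshd: {host}:deny")
    return rules

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE = [f"Jan  1 00:00:0{i} host sshd[99]: Invalid user {u} from 203.0.113.7"
          for i, u in enumerate(["webmaster", "ftp", "sales", "admin", "guest"])]
SAMPLE += [
    "Invalid user admin from ::ffff:198.51.100.9",
    "Invalid user test from ::ffff:198.51.100.9 port 4242",
    "Invalid user x from 192.0.2.1 from 203.0.113.7",  # name embeds an address
    "Invalid user bob from not-an-ip",                 # ignored: not an address
]

if __name__ == "__main__":
    print("\n".join(deny_rules(SAMPLE)))
```
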
