OSDev.org

Just in case any of you have a system with remote ssh access setup I thought I'd share how frequently there are login attempts. The following list was started at the end of December using http://denyhosts.sourceforge.net/

chase wrote:Just in case any of you have a system with remote ssh access setup I thought I'd share how frequently there are login attempts. The following list was started at the end of December using http://denyhosts.sourceforge.net/

Code: Select all

sshd: 209.67.233.120
sshd: 69.7.207.250
sshd: 91.194.84.41
sshd: 61.137.188.181
sshd: 213.85.255.223
sshd: 201.47.187.138
sshd: 218.75.172.172
sshd: 213.194.99.219
sshd: 60.251.166.130
sshd: 200.60.36.230
sshd: 202.65.218.5
sshd: 210.77.146.53
sshd: 125.22.251.138
sshd: 140.138.144.217
sshd: 58.196.13.14
sshd: 200.74.160.178
sshd: 211.171.245.154
sshd: 203.156.140.99
sshd: 210.154.182.227
sshd: 203.101.45.152
sshd: 64.212.184.218
sshd: 65.197.251.22
sshd: 218.8.52.7
sshd: 218.84.26.250
sshd: 200.107.251.34
sshd: 210.140.188.188
sshd: 85.14.180.2
sshd: 206.80.69.5
sshd: 202.106.62.21
sshd: 61.152.132.27
sshd: 203.117.89.75
sshd: 211.56.174.168
sshd: 89.185.228.138
sshd: 59.124.57.150
sshd: 82.49.209.27
sshd: 190.34.166.210
sshd: 132.216.35.26
sshd: 217.136.171.187
sshd: 58.213.125.25
sshd: 64.169.10.19
sshd: 58.222.11.2
sshd: 89.21.131.124
sshd: 61.206.120.4
sshd: 147.46.222.67
sshd: 201.232.149.179
sshd: 163.21.187.99
sshd: 64.76.19.236
sshd: 212.34.139.149
sshd: 216.177.130.50
sshd: 147.46.123.252
sshd: 61.108.210.11
sshd: 219.237.242.188
sshd: 200.42.227.44
sshd: 200.131.252.2
sshd: 66.236.248.139
sshd: 189.44.186.85
sshd: 203.188.159.61
sshd: 218.57.136.148
sshd: 202.213.211.16
sshd: 200.67.79.212
sshd: 192.192.12.73
sshd: 123.233.245.226
sshd: 210.176.56.52
sshd: 81.236.17.62
sshd: 24.102.40.249
sshd: 222.66.236.102
sshd: 70.38.38.72
sshd: 85.93.15.131
sshd: 117.28.224.71
sshd: 218.106.205.109
sshd: 222.92.30.12
sshd: 218.197.176.17
sshd: 122.128.96.6
sshd: 122.155.0.70
sshd: 190.12.46.214
sshd: 206.156.254.4
sshd: 222.237.79.139
sshd: 212.202.98.42
sshd: 70.99.70.46
sshd: 221.133.39.82
sshd: 218.16.239.244
sshd: 219.140.253.194
sshd: 211.174.180.4
sshd: 210.48.150.102
sshd: 200.30.136.146
sshd: 220.178.30.233
sshd: 118.69.211.2
sshd: 203.95.104.21
sshd: 65.38.111.171
sshd: 222.128.197.3
sshd: 210.69.31.130
sshd: 123.140.221.138
sshd: 203.248.34.48
sshd: 116.66.203.202
sshd: 60.31.211.194
sshd: 195.220.104.75
sshd: 221.238.193.71
sshd: 202.100.91.165
sshd: 203.187.161.42
sshd: 202.105.49.16
sshd: 122.193.4.115
sshd: 208.67.34.74
sshd: 88.191.25.32
sshd: 132.248.145.179
sshd: 210.18.82.151
sshd: 218.241.177.241
sshd: 163.27.236.2
sshd: 217.70.52.189
sshd: 122.193.4.5
sshd: 67.168.45.156
sshd: 216.16.72.43
sshd: 67.15.127.6
sshd: 62.58.108.127
sshd: 119.70.154.57
sshd: 203.130.1.84
sshd: 88.191.42.2
sshd: 59.185.104.218
sshd: 58.53.192.47
sshd: 208.68.193.51
sshd: 220.90.135.173
sshd: 58.253.67.58
sshd: 219.237.213.239
sshd: 118.143.232.21
sshd: 222.35.78.228
sshd: 202.117.3.100
sshd: 66.238.27.105
sshd: 72.3.142.4
sshd: 85.25.249.189
sshd: 217.133.71.145
sshd: 202.122.19.23
sshd: 68.15.205.76
sshd: 86.55.3.8
sshd: 201.245.179.115
sshd: 65.24.211.75
sshd: 219.246.112.241
sshd: 219.142.114.254
sshd: 60.18.147.45
sshd: 61.237.15.202
sshd: 201.116.169.43
sshd: 121.240.155.135
sshd: 218.60.34.8
sshd: 61.164.112.27
sshd: 83.15.104.4
sshd: 200.111.145.42
sshd: 125.93.184.74
sshd: 18.58.2.204
sshd: 124.207.150.66
sshd: 77.79.229.218
sshd: 88.191.75.232
sshd: 59.27.92.26
sshd: 67.91.202.81
sshd: 85.17.87.133
sshd: 218.22.67.123
sshd: 203.113.33.161
sshd: 213.30.139.75
sshd: 64.79.219.196
sshd: 60.217.234.152
sshd: 222.35.143.63
sshd: 221.7.151.133

Hi, chase, good to see you here .
at least i can't see the IP address start from the IP address range of my ISP .
maybe they are bots, or even botnets...

I'm pretty sure it's a botnet.

Looking at my auth.log, i see 120 login attempts within 15 minutes, with failed user names that most likely come from a dictionary (and that's just the first instance of it, my log is 600k lines, the majority describing dictionary attacks).

Good thing I keep strong passwords

Do you change the SSH port from the default? That's one of the first things I do when configuring a server - and I hardly ever get any login attempts.

Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.

What I do to secure SSH is not changing the port (which is a nuisance for authorized users as well) is, in /etc/ssh/sshd_config:
This means logins to root / postmaster / admin are automatically declined, and allowed users require a SSH Pubkey to log in. No problems with weak passwords and wordfile attacks anymore. The chances to correctly guess a pubkey in 3 attempts (before denyhosts kicks in) are astronomical...

Solar wrote:Actually I enjoy the idea of them *attempting* the login and ending up on the deny list.

Same here. Pity you can't let the attempted cracker know that you are aware of the attempts

This has got me concerned. Currently at home I just use a Vista laptop which is behind an NAT router and is only on when its in use. At the weekend, though, I'm going to be attempting to set up my old computer as a gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with linux security. Better do some research

Cheers,
Adam

AJ wrote:At the weekend, though, I'm going to be attempting to set up my old computer as a gentoo-based SSH-accessed media player / SVN server / NAS and have no experience with linux security. Better do some research

• "hardened" profile
• Gentoo Security Handbook

Nice link, thanks. Gentoo does have some very nicely written documentation.

Cheers,
Adam

An exposed ssh server should not allow password authentication, public key only.

I disagree.

I good username/password combo with a strict failed password attempt maximum is very effective. Also, disallowing empty passwords and only allowing specific users to be able to be used will reduce attack effectiveness quite a bit.

I know it's security through obscurity, but changing the port does remove alot of annoying bot attempts from filling the logs.