Hacker activity?

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Oct 28 12:36:55 PDT 2004


On Thu, Oct 28, 2004 at 01:13:14PM -0600, Steve Suhre wrote:

> Thanks. Right now I'm blocking 66.249.6*.* on the secure server for the cgi 
> script and haven't seen anything for a couple hours. The other intruder is 
> a little slicker and moves around quite a bit. My interest is in the 
> frequency, or lack thereof. Do they attack many sites at once, like spam, 
> hoping to hit on a server that has a dictionary password? Rather than pound 
> one server with all they've got? Distributed hacking? I can't think of 
> another reason why someone would even try to hack into a server by logging 
> in 50-100 times once or twice a week. You can't get root through anything 
> but the console and 50-100 attempts don't cover a lot of password ground on 
> the other accounts, most of which are locked down against shell access 
> anyway.... I'm not really concerned about the activity, it would take eons 
> to hack into anything this way. I'm wondering if there's something going on 
> that I don't know, maybe this is a smoke screen to divert attention from 
> the real threat? It doesn't make a lot of sense....

It's an automated attack -- just a script run by some kiddie that
searches the IP address space to find and break into Linux servers.
It finds systems that respond on port 22 and then tries to guess a
number of account/password combinations.  I believe the vast majority
of scans originate from the far east, as do the vast majority of
compromised boxes -- something to do with a Linux distro popular out
there that had a bunch of unsecured accounts in its default install.
It's neither efficient nor cleverly implemented.

If you've got good passwords in place for all your user accounts, or
you require people to use key based auth to log in, or you move the
port sshd listens on, then the scans won't be able to hurt you.
Switching to exclusive use of key based auth is what I'd choose --
once you've got the keys set up then it's not at all intrusive.  Plus
you can use the ssh-agent(1) to hold your keys in memory, which means
you don't have to keep reentering the pass phrase each time you ssh
into a new machine, even several hops away.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
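The scanning pattern both posts describe shows up in sshd's own syslog output as a burst of "Failed password" lines from one source, most of them for account names that do not exist. The following is an added example, not code from the thread, that counts those failures per source over a constructed log excerpt and flags sources at or above a threshold; the addresses, user names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt in syslog format (addresses, PIDs and user
# names are made up for this example, not taken from the thread).
SAMPLE_LOG = """\
Oct 28 11:02:13 host sshd[4121]: Failed password for invalid user test from 66.249.60.10 port 40102 ssh2
Oct 28 11:02:15 host sshd[4123]: Failed password for invalid user admin from 66.249.60.10 port 40105 ssh2
Oct 28 11:02:17 host sshd[4125]: Failed password for root from 66.249.60.10 port 40109 ssh2
Oct 28 11:02:19 host sshd[4127]: Failed password for invalid user guest from 66.249.60.10 port 40112 ssh2
Oct 28 11:05:40 host sshd[4130]: Accepted publickey for steve from 10.0.0.5 port 51022 ssh2
Oct 28 11:07:02 host sshd[4133]: Failed password for steve from 10.0.0.5 port 51030 ssh2
"""

# One failed password attempt per line; "invalid user" marks an account name
# that does not exist locally, the hallmark of a dictionary scan.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (source_ip, user, is_invalid_user) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def summarize(log_text, threshold=3):
    """Aggregate failures per source IP; flag sources at or above threshold."""
    # A single source cycling through several (mostly non-existent) account
    # names is the scan pattern; one failure from a known user is typo noise.
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_users": 0})
    for ip, user, invalid in parse_failures(log_text):
        s = stats[ip]
        s["failures"] += 1
        s["users"].add(user)
        s["invalid_users"] += int(invalid)
    return {
        ip: {
            "failures": s["failures"],
            "users": sorted(s["users"]),
            "invalid_users": s["invalid_users"],
            "flagged": s["failures"] >= threshold,
        }
        for ip, s in stats.items()
    }
```

Running `summarize` over a real `/var/log/auth.log` (or `/var/log/messages` on FreeBSD) gives the per-source view the original poster was missing; the "Accepted publickey" line is deliberately ignored, since key-based logins never appear as failed passwords.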