Tar pitting automated attacks

Mike Galvez hoosyerdaddy at virginia.edu
Tue Sep 7 06:43:24 PDT 2004


I am seeing a lot of automated attacks lately against sshd such as:

Sep  6 12:16:24 www sshd[29888]: Failed password for root from 159.134.244.189 port 3723 ssh2
Sep  6 12:16:25 www sshd[29889]: Failed password for illegal user webmaster from 159.134.244.189 port 3749 ssh2
Sep  6 12:16:26 www sshd[29890]: Failed password for illegal user data from 159.134.244.189 port 3771 ssh2
Sep  6 12:16:27 www sshd[29891]: Failed password for illegal user user from 159.134.244.189 port 3800 ssh2
Sep  6 12:16:28 www sshd[29892]: Failed password for illegal user user from 159.134.244.189 port 3824 ssh2
Sep  6 12:16:29 www sshd[29893]: Failed password for illegal user user from 159.134.244.189 port 3847 ssh2
Sep  6 12:16:31 www sshd[29894]: Failed password for illegal user web from 159.134.244.189 port 3872 ssh2
Sep  6 12:16:32 www sshd[29895]: Failed password for illegal user web from 159.134.244.189 port 3893 ssh2
Sep  6 12:16:33 www sshd[29896]: Failed password for illegal user oracle from 159.134.244.189 port 3918 ssh2
Sep  6 12:16:34 www sshd[29897]: Failed password for illegal user sybase from 159.134.244.189 port 3938 ssh2
Sep  6 12:16:36 www sshd[29898]: Failed password for illegal user master from 159.134.244.189 port 3976 ssh2
Sep  6 12:16:37 www sshd[29899]: Failed password for illegal user account from 159.134.244.189 port 4006 ssh2
Sep  6 12:16:38 www sshd[29900]: Failed password for illegal user backup from 159.134.244.189 port 4022 ssh2
Sep  6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
Sep  6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
Sep  6 12:16:42 www sshd[29903]: Failed password for illegal user alan from 159.134.244.189 port 4104 ssh2
Sep  6 12:16:43 www sshd[29904]: Failed password for illegal user frank from 159.134.244.189 port 4131 ssh2
Sep  6 12:16:44 www sshd[29905]: Failed password for illegal user george from 159.134.244.189 port 4152 ssh2
Sep  6 12:16:45 www sshd[29906]: Failed password for illegal user henry from 159.134.244.189 port 4175 ssh2
-- snip --
Some of these go on until they turn the logs over.

Is there a method to make this more expensive to the attacker, such as tar-pitting?

Thanks

	-Mike

-- 
Mike Galvez                                             
Information Technology Specialist	    E-Mail: mrg8n AT virginia.edu
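
Any rate-limiting response first has to attribute failures to a source address. The following is an added example, not part of the original post: it parses sshd "Failed password" lines in the format quoted above and reports sources whose failures exceed a threshold within a sliding window. The function names, the threshold of 10, the 60-second window and the year argument are assumptions, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure lines in the format quoted in the post. Later OpenSSH releases
# log "invalid user" instead of "illegal user", so both are accepted.
# The user name is attacker-controlled, so it is matched greedily and the
# address is taken from the LAST " from <addr> port <n> ssh2" on the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?P<bad>(?:illegal|invalid) user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2\s*$")

def parse_line(line, year=2004):
    """Return (timestamp, source, user, unknown_user) or None if no match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m.group("ts").split())   # collapse the padded day field
    # Syslog timestamps carry no year; the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user"), m.group("bad") is not None

def find_bursts(lines, threshold=10, window=timedelta(seconds=60), year=2004):
    """Report sources with >= threshold failures inside any sliding window."""
    recent, stats = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip, user, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:              # drop failures older than window
            q.popleft()
        s = stats.setdefault(ip, {"failures": 0, "users": set(), "peak": 0})
        s["failures"] += 1
        s["users"].add(user)
        s["peak"] = max(s["peak"], len(q))
    return {ip: s for ip, s in stats.items() if s["peak"] >= threshold}

# Constructed sample input (documentation addresses, not data from the post).
SAMPLE = [f"Sep  6 12:16:{20 + i:02d} www sshd[{29888 + i}]: Failed password for "
          f"illegal user u{i} from 192.0.2.10 port {3700 + i} ssh2" for i in range(12)]
SAMPLE += [
    "Sep  6 12:17:00 www sshd[30000]: Failed password for root from 198.51.100.7 port 4000 ssh2",
    # User name crafted to look like a different source address:
    "Sep  6 12:17:05 www sshd[30001]: Failed password for illegal user x from 203.0.113.9 "
    "port 1 ssh2 from 198.51.100.7 port 4001 ssh2",
]
```

Calling `find_bursts(SAMPLE)` returns only the source that produced the burst; the crafted user name in the last sample line is attributed to the real peer address rather than the one embedded in the name.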


More information about the freebsd-questions mailing list