repeated ssh login attempts/failure/break-in attempts from kiddy script

Paul Schmehl pauls at utdallas.edu
Fri Mar 31 15:54:00 UTC 2006


--On Friday, March 31, 2006 08:42:30 -0500 Nathan Vidican 
<nvidican at wmptl.com> wrote:

> Noted recently in auth.log, a string of connection attempts
> repeated/failed over and over from one host - looks like a script
> someone's running, tries all kinds of various usernames, etc... attempts
> like 100-200 logins, fails and goes away.
>
> Few hours go by, and another such attempt, from a different IP comes in.
> If I'm here and just happen to notice them - simple ipfw add deny... does
> the trick, but is there not a way to limit the login attempts for a
> certain period of time?
>
Others have offered various solutions, but I think it's worth saying - when 
you connect to the internet, regardless of what OS or hardware you're 
running, you're going to be attacked 24/7.  That's the nature of the 
internet.  There's not a damn thing you can do about that.  If you have the 
option of moving services to odd ports, then that provides an easy 
solution.  Many people don't have that option.

However, by moving ssh to a different port, you aren't eliminating the 
problem - merely your knowledge of it.  The attacks are still taking place. 
The service is no longer listening there.  These attacks should be a 
warning to you.  ALL the services on your box are being attacked 24/7. 
There are no exceptions.

What can you do?

Keep your box patched ALWAYS.  OS is irrelevant.  They ALL get broken into. 
(You name the OS - I've seen one hacked - RedHat, Debian, Slackware, 
Solaris, Mac OS X, it doesn't matter.)

NEVER run ANY unnecessary services.  I haven't enabled inetd in so long I 
don't remember what's in it, but it's amazing how many boxes are still 
running chargen, rpc.statd and a host of other services that are completely 
unnecessary (not to mention that few even know what they do anymore.)

Restrict access to only those who should have access - by service and by 
needed access.

NEVER share your password with anyone, and use passwords that contain all 
four types of characters: lower case and upper case alpha, numeric and 
special.  An eight-character random alpha password can be cracked in less 
than an hour on a modern computer, so encryption is not enough.

Don't run inherently insecurely designed daemons.  The first thing I do on 
every FreeBSD box I set up is disable sendmail and install postfix.

Run portaudit.  Then you'll know about vulnerabilities immediately, and you 
can portupgrade to fix the problem.

Run a firewall, if you can.  Incoming should be blocked by default except 
for allowed services.

Being secure and staying secure is your responsibility.

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
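The original question asks how to limit repeated login attempts instead of noticing them by hand and typing `ipfw add deny`. As an added example (not code from the thread or from FreeBSD), the script below does the log-driven version of that: it parses the standard OpenSSH "Failed password ... from <ip> port <n> ssh2" lines in auth.log, counts failures per source address inside a sliding time window, and prints the ipfw deny rules that would block the sources that trip the threshold. The log lines are constructed for the example, the threshold and window are arbitrary choices, and the ipfw rule numbers are illustrative.

```python
"""Spot SSH brute-force sources in auth.log and emit ipfw deny rules.

Added example, not from the original thread. Assumptions: the standard
OpenSSH "Failed password ... from <ip> port <n> ssh2" line format and the
FreeBSD ipfw syntax "ipfw add <num> deny ip from <ip> to any". The log
lines below are constructed, not captured from a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "for invalid user bob from 1.2.3.4" and "for root from 1.2.3.4".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: one host hammering many usernames in a burst, one
# legitimate user mistyping a password twice an hour apart, one host that
# only tries two names.
SAMPLE_LOG = """\
Mar 31 08:40:01 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Mar 31 08:40:02 gw sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 4243 ssh2
Mar 31 08:40:02 gw sshd[2105]: Failed password for root from 192.0.2.10 port 4244 ssh2
Mar 31 08:40:03 gw sshd[2107]: Failed password for invalid user oracle from 192.0.2.10 port 4245 ssh2
Mar 31 08:40:04 gw sshd[2109]: Failed password for invalid user guest from 192.0.2.10 port 4246 ssh2
Mar 31 08:41:10 gw sshd[2120]: Failed password for nathan from 198.51.100.7 port 50022 ssh2
Mar 31 08:41:12 gw sshd[2120]: Accepted password for nathan from 198.51.100.7 port 50022 ssh2
Mar 31 09:41:10 gw sshd[2300]: Failed password for nathan from 198.51.100.7 port 50030 ssh2
Mar 31 09:45:00 gw sshd[2310]: Failed password for invalid user pi from 203.0.113.9 port 33001 ssh2
Mar 31 09:45:00 gw sshd[2312]: Failed password for invalid user ubnt from 203.0.113.9 port 33002 ssh2
"""


def parse_failures(log_text):
    """Yield (timestamp, ip, user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog lines carry no year; strptime defaults to 1900, which is
            # fine for ordering within one file (assumption: no year rollover).
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def offenders(log_text, threshold=4, window_seconds=600):
    """Return {ip: time_of_trip} for sources that reach `threshold` failures
    inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tripped = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window relative to this one, so two
        # mistypes an hour apart never add up to a block.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped


def block_commands(ips, rule_base=1000):
    """ipfw deny rules for each offender; rule numbers are illustrative."""
    return [f"ipfw add {rule_base + i} deny ip from {ip} to any"
            for i, ip in enumerate(sorted(ips))]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} tripped the threshold at {when:%b %d %H:%M:%S}")
    print("\n".join(block_commands(hits)))
```

On the sample only 192.0.2.10 trips the default threshold; the legitimate user's two failures fall an hour apart and are aged out of the window, which is the point of counting per window rather than per file. If you feed this a real `/var/log/auth.log` and actually run the generated rules from cron, put an `allow` rule for your own management addresses ahead of the deny range first, or a typo in your own password will lock you out the same way it blocks the script kiddie.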


More information about the freebsd-questions mailing list