too many illegal connection attempts through ssh

Joshua Tinnin krinklyfig at spymac.com
Wed Apr 6 07:29:46 PDT 2005


On Wednesday 06 April 2005 06:58, Emanuel Strobl 
<emanuel.strobl at gmx.net> wrote:
> On Wednesday, 6 April 2005 12:07, Erik Nørgaard wrote:
> > Edwin D. Vinas wrote:
> > > shown below is snapshot of too many illegal attempts to login to
> > > my server from a suspicious hacker. this is taken from the
> > > "/var/log/auth.log". my question is, how do i automatically block
> > > an IP address if it is attempting to guess my login usernames?
> > > can i configure the firewall to check the instances a certain IP
> > > has attempted to access/ssh the server, and if it has failed to
> > > login for about "x" number of attempts, it will be blocked
> > > automatically?
> >
> > This question is asked on the list every so often - see the archives
> > for suggestions. These are automated attacks, they come regularly
> > as crackers, black hats or script kiddies scan across the net.
>
> Does anybody know what robots are being used? And on what systems? All
> you mention later in your posting is true of course and I needn't
> care about these logs, but it's like somebody unknown puts 10
> flyers in your letterbox every night. I'm sure, one night you'll hide
> and build a trap for that person. I'm too lazy to enter those
> net-circles for finding these robots, but maybe someone else has
> already done that?

It's painfully easy to write a script which checks for the existence of 
ssh on all the IPs in an IP block, at least if all you're checking is 
port 22. A lot of these guys just write a bot which does that and sends 
the "live" IPs back to someone, either the originator or another bot, 
which then will do things like dictionary attack each one. You have 
tools in ports which can serve as the vehicle to do this - nmap is an 
oldie but a goodie. Don't misunderstand - it's also a security tool. 

This type of attack is pretty old, actually; it's just that now more 
people are online on bigger pipes, so there are thousands (millions?) of 
zombied computers due to the more recent trojan horses and worms which 
are unwitting accomplices to this sort of thing. It's much harder to 
trace now. All you need is a bunch of zombies, maybe a proxy or three 
and an irc bot. You have a massive scanning machine with quite a bit of 
distributed computing power, which isn't easily traceable. The way to 
avoid it is to not be an obvious target, and not allow password logins 
at all.

- jt
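The original question in this thread asked how to block an address once it has failed to log in "x" times. The script below is an added example, not code from any poster in the thread: it counts "Failed password" lines per source address in OpenSSH's auth.log format and emits pfctl commands that add the offenders to a pf table. The log lines are constructed for the example, the table name "bruteforce" is an assumption (it has to be declared in pf.conf, e.g. "table <bruteforce> persist" with a matching "block in quick from <bruteforce>"), and the allow-list is there so a typo in your own password does not lock you out of the box.

```python
#!/usr/bin/env python3
"""Count failed sshd password attempts per source IP and emit pf block commands.

Added example for the freebsd-questions thread; not code from the thread.
Assumes OpenSSH's standard auth.log line format and a pf table that already
exists in pf.conf (the name "bruteforce" below is an assumption).
"""
import re
import sys
from collections import Counter

# Constructed sample of /var/log/auth.log lines (OpenSSH format), not the
# lines from the original post. 203.0.113.7 is a dictionary attacker,
# 198.51.100.4 is a legitimate user who mistyped once and then used a key.
SAMPLE_LOG = """\
Apr  6 07:01:12 box sshd[8123]: Invalid user admin from 203.0.113.7
Apr  6 07:01:12 box sshd[8123]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Apr  6 07:01:15 box sshd[8125]: Failed password for invalid user test from 203.0.113.7 port 40230 ssh2
Apr  6 07:01:19 box sshd[8127]: Failed password for root from 203.0.113.7 port 40251 ssh2
Apr  6 07:01:24 box sshd[8129]: Failed password for invalid user guest from 203.0.113.7 port 40270 ssh2
Apr  6 07:02:01 box sshd[8131]: Failed password for jt from 198.51.100.4 port 51002 ssh2
Apr  6 07:02:09 box sshd[8131]: Accepted publickey for jt from 198.51.100.4 port 51002 ssh2
Apr  6 07:03:44 box sshd[8140]: Failed password for invalid user oracle from 203.0.113.7 port 40330 ssh2
"""

# One failed password attempt, with or without the "invalid user" prefix.
# Only "Failed password" lines are counted; the separate "Invalid user"
# line sshd logs for unknown names would otherwise double-count a guess.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter mapping source IP -> number of failed password attempts."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return failures


def offenders(log_text, threshold=5, allow=frozenset()):
    """IPs with at least `threshold` failures, excluding allow-listed addresses."""
    failures = count_failures(log_text)
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in allow)


def pf_commands(ips, table="bruteforce"):
    """pfctl commands that add each IP to the (assumed) pf table."""
    return ["pfctl -t %s -T add %s" % (table, ip) for ip in ips]


def main(argv):
    # Usage: bruteforce.py [auth.log] [threshold]; defaults to the sample.
    log_text = SAMPLE_LOG
    if len(argv) > 1:
        with open(argv[1]) as f:
            log_text = f.read()
    threshold = int(argv[2]) if len(argv) > 2 else 5
    # Put your own management addresses here so you cannot lock yourself out.
    allow = frozenset({"198.51.100.4"})
    for cmd in pf_commands(offenders(log_text, threshold, allow)):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Run from cron (or from a syslog pipe) against the real /var/log/auth.log and feed the printed lines to sh, or replace the print with subprocess.run once you trust the output. Note that this only reacts after the fact; jt's advice to disable password logins ("PasswordAuthentication no" in sshd_config) removes the thing the dictionary attack is guessing at in the first place.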
