#1
The last few days I've been watching someone (or possibly various people) trying out a set of user names on my sshd port without success. The attacks appear to be automated. A "whois" lookup on the ip addresses shows different organisations in different countries.

The question is is it worth e-mailing the contacts in the whois database or is that just a waste of time?
#2
In uk.comp.os.linux, on Mon 03 April 2006 22:31, Geoffrey Clements
<bitbucket> wrote:
> The last few days I've been watching someone (or possibly various
> people)
> trying out a set of user names on my sshd port without success. The
> attacks appear to be automated. A "whois" lookup on the ip addresses
> shows different organisations in different countries.
>
> The question is is it worth e-mailing the contacts in the whois
> database or is that just a waste of time?
>

IME they do not respond
#3
Geoffrey Clements wrote:
> The last few days I've been watching someone (or possibly various people)
> trying out a set of user names on my sshd port without success. The
> attacks appear to be automated. A "whois" lookup on the ip addresses shows
> different organisations in different countries.
>
> The question is is it worth e-mailing the contacts in the whois database or
> is that just a waste of time?
>

Depends. Yahoo seem to be fairly responsive to such complaints. So do some of the smaller American ISPs.
#4
Geoffrey Clements <bitbucket> wrote:
> The last few days I've been watching someone (or possibly various people)
> trying out a set of user names on my sshd port without success. The
> attacks appear to be automated. A "whois" lookup on the ip addresses shows
> different organisations in different countries.
>
> The question is is it worth e-mailing the contacts in the whois database or
> is that just a waste of time?
>

I get two thousand or so a day on one machine, been going up steadily for years. Occasionally make the effort to moan if one annoys me particularly for some reason. Never had a response, but have a go, you may get lucky.
#5
Geoffrey Clements wrote:
> The last few days I've been watching someone (or possibly various people)
> trying out a set of user names on my sshd port without success. The
> attacks appear to be automated. A "whois" lookup on the ip addresses shows
> different organisations in different countries.
>
> The question is is it worth e-mailing the contacts in the whois database or
> is that just a waste of time?

Your best bet is to assume that the people you will email do not care and to automatically block the IP addresses of those trying:

http://www.denyhosts.net
#6
In article <44319424$0$1169$5a6aecb4>,
Geoffrey Clements <bitbucket> wrote:
>The last few days I've been watching someone (or possibly various people)
>trying out a set of user names on my sshd port without success. The
>attacks appear to be automated. A "whois" lookup on the ip addresses shows
>different organisations in different countries.
>
>The question is is it worth e-mailing the contacts in the whois database or
>is that just a waste of time?

Waste of time. If you can, firewall your server, unless you really do need to ssh in from all over the world.

Build up a list of the names they are using and never have a login-name that's in that list.

(My list is currently at [url down] 9500 names so-far, but I haven't updated it for a few weeks)

Never ever ssh in from a public terminal - you never know what keylogging software, etc. might be running on it.

Gordon
#7
On Mon, 03 Apr 2006 22:31:15 +0100, Geoffrey Clements
<bitbucket> wrote:
>The last few days I've been watching someone (or possibly various people)
>trying out a set of user names on my sshd port without success. The
>attacks appear to be automated. A "whois" lookup on the ip addresses shows
>different organisations in different countries.

No surprises there.

>The question is is it worth e-mailing the contacts in the whois database or
>is that just a waste of time?

A waste of time.

Your best bet is to put something on there to drop ssh connections once the shotgunner goes above a particular failure rate. There's a number of ways one can do this.

greg
#8
"Gordon Henderson" <gordon> wrote in message
news:fnl1 [..]
>
> Build up a list of the names they are using and never have a login-name
> that's in that list.
>
> (My list is currently at [..] 9500 names so-far,
> but I haven't updated it for a few weeks)
>
> Never ever ssh in from a public terminal - you never know what keylogging
> software, etc. might be running on it.
>

ok, thanks for the advice everyone. Looking through my logs this has been going on since October - I'm glad I've used "strong" passwords and insisted that my users (i.e. family members) do the same even though they think I'm being ... well ... just geeky :-)
#9
"Greg Hennessy" <me> wrote in message
news:hmnb
> On Mon, 03 Apr 2006 22:31:15 +0100, Geoffrey Clements
> <bitbucket> wrote:
>> No surprises there.
>> A waste of time.
>
> Your best bet is to put something on there to drop ssh connections once
> the
> shotgunner goes above a particular failure rate. There's a number of ways
> one can do this.
>

Cheers Greg, any pointers?
#10
Gordon Henderson wrote:
> Waste of time. If you can, firewall your server, unless you really do need
> to ssh in from all over the world.

Yeah, great. Then go for a week's conference (abroad, with ample 'net access but different 'phone jacks so you can't just dialup your ISP) and curse yourself for locking yourself out.

> Build up a list of the names they are using and never have a login-name
> that's in that list.

Even spammers are using random-looking lists.

I just disable username/password login over ssh altogether, and use a ~/.ssh/authorized_keys. Saves having to memorise passwords, too.
#11
On Tue, 4 Apr 2006 11:07:09 +0100, "Geoffrey Clements"
<geoffrey.clementsNO> wrote:
>
>"Greg Hennessy" <me> wrote in message
>news:hmnb
>
>Cheers Greg , any pointers?

Loads of options here

http://www.digg.com/linux_unix/Preve...th_DenyHosts_2

Given most of my daily *nix exposure is now on the dark side :-), I use

http://danger.rulez.sk/projects/bruteforceblocker/

which can be allegedly tweaked to use iptables.

greg
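
The failure-rate idea from the replies above, as an added example that is not part of the thread and is not code from DenyHosts or bruteforceblocker: a sliding-window count of sshd "Failed password" lines per source address. The log lines, the `offenders` function and its thresholds are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH syslog format; addresses are documentation ranges.
# Line 4 carries a crafted user name that tries to implicate 198.51.100.7.
SAMPLE_LOG = """\
Apr  3 22:30:01 host sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Apr  3 22:30:04 host sshd[4102]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Apr  3 22:30:09 host sshd[4103]: Failed password for root from 192.0.2.10 port 40141 ssh2
Apr  3 22:31:15 host sshd[4110]: Failed password for invalid user x from 198.51.100.7 port 22 ssh2 from 203.0.113.5 port 51000 ssh2
Apr  3 22:40:00 host sshd[4120]: Accepted publickey for geoff from 203.0.113.5 port 51010 ssh2
Apr  3 23:45:00 host sshd[4130]: Failed password for geoff from 203.0.113.5 port 51020 ssh2
"""

# The user name is attacker-controlled, so it is matched greedily and the
# address is taken from the end of the line, which sshd itself writes.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def offenders(log_text, max_failures=3, window_seconds=60, year=2006):
    """Map each source that reached max_failures within the window to the time it did."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # reject anything not an address
        except ValueError:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        times = recent[ip]
        times.append(when)
        while (when - times[0]).total_seconds() > window_seconds:
            times.popleft()
        if len(times) >= max_failures:
            flagged.setdefault(ip, when)
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} block candidate: {ip}")
```

The returned addresses are candidates for a firewall or hosts.deny entry; the occasional mistyped password from 203.0.113.5 stays under the threshold.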
#12
On Tue, 4 Apr 2006 11:06:33 +0100, Geoffrey Clements wrote:
> ok, thanks for the advice everyone. Looking through my logs this has been
> going on since October - I'm glad I've used "strong" passwords and insisted
> that my users (i.e. family members) do the same even though they think I'm
> being ... well ... just geeky :-)

Something remarkably similar got me started on requiring valid ssh keys for login, and refusing passwords.
#13
On 2006-04-04, Nick Kew <nick> wrote:
> Yeah, great. Then go for a week's conference (abroad, with ample 'net
> access but different 'phone jacks so you can't just dialup your ISP)
> and curse yourself for locking yourself out.

heh, done that :)

> I just disable username/password login over ssh altogether,
> and use a ~/.ssh/authorized_keys. Saves having to memorise
> passwords, too.

agreed, a "pub key only" setup makes me feel a lot safer: dictionary attacks just won't work.

If the log entries are irritating, look at some dynamic solution that locks out IP addresses when they start attacking you.
#14
"Nick Kew" <nick> wrote in message
news:8ln1
> Gordon Henderson wrote:
>> Yeah, great. Then go for a week's conference (abroad, with ample 'net
> access but different 'phone jacks so you can't just dialup your ISP)
> and curse yourself for locking yourself out.
>> Even spammers are using random-looking lists.
>
> I just disable username/password login over ssh altogether,
> and use a ~/.ssh/authorized_keys. Saves having to memorise
> passwords, too.
>

ahhh ... I use authorised keys too but didn't realize (or had forgotten) that you could disable password logins, I know what I'm doing tonight!
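
A check for the key-only setup discussed above, as an added example that is not part of the thread: it reads an sshd_config text and reports what still lets password-style logins through. The two config texts and the `audit` function are constructed for illustration; the keywords are real sshd_config options.

```python
import re

# Constructed configs. In WEAK the late "no" is ignored: sshd keeps the first value.
WEAK = """\
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# sshd_config(5) defaults; ChallengeResponseAuthentication is the older name.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit(config_text):
    """Return findings that keep password-style logins possible (Include files are not followed)."""
    scope, first_seen, findings = "global", {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = re.sub(r"\s*=\s*|\s+", " ", line, count=1).partition(" ")
        key = ALIASES.get(key.lower(), key.lower())   # keywords are case-insensitive
        if key == "match":
            scope = value        # later lines apply only where this Match holds
        elif key in DEFAULTS and scope == "global":
            first_seen.setdefault(key, value)         # later duplicates are ignored
        elif key in DEFAULTS and value == "yes" and key != "pubkeyauthentication":
            findings.append(f"Match {scope}: re-enables {key}")
    effective = {**DEFAULTS, **first_seen}
    if effective["passwordauthentication"] == "yes":
        findings.append("global: password logins are accepted")
    if effective["kbdinteractiveauthentication"] == "yes":
        findings.append("global: keyboard-interactive is accepted (PAM may prompt for a password)")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("global: public-key login is off")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "no findings")
```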
#15
"Greg Hennessy" <me> wrote in message
news:pjbc
> On Tue, 4 Apr 2006 11:07:09 +0100, "Geoffrey Clements"
> <geoffrey.clementsNO> wrote:
>>
> Loads of options here
>
> [..]
>> Given most of my daily *nix exposure is now on the dark side :-), I use
>
> [..]
>
> which can be allegedly tweaked to use iptables.
>

oooo nice - ta very much!