On 06/11/2017 10:17 AM, Ted Roche wrote:
> For 36 hours now, one of my clients' servers has been logging ssh
> login attempts from around the world, low volume, persistent, but more
> frequent than usual. sshd is listening on a non-standard port, just to
> minimize the garbage in the logs.
>
> A couple of attempts is normal; we've seen that for years. But this is
> several each hour, and each hour an IP from a different country:
> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>
> There are several levels of defense in use: firewalls, intrusion
> detection, log monitoring, etc., so each script gets a few guesses and
> the IP is then rejected.
>
> In theory, the defenses should be sufficient, but I have a concern
> that I'm missing their strategy here. It's not a DDOS, they are very
> low volume. It will take them several millennia to guess enough
> dictionary attack guesses to get through, so what's the point?
Maybe they already have known-good passwords to go along with the usernames, and they're guessing at *hosts* (or networks) where those combinations work?

Just over a decade ago, a friend who was doing sysadmin at a college got involved in chasing down someone who had been worming his way through college/university networks using that same general class of strategy:

1. find usernames+passwords for staff at an arbitrary university
2. assume people with a network account at one university probably have accounts with the same username+password on systems at _other_ universities (because academics collaborate across institutional boundaries)
3. grow the list of hosts you can log into using #2
4. assume that some of the systems you can now log into probably have vulnerabilities that allow you to find other known-good username+password pairs
5. grow your list of username+password pairs using #4
6. GOTO 1

If you already have a big network of attack-bots, then there's probably no reason to even restrict the scope to universities.

-- 
Connect with me on the GNU social network: <https://status.hackerposse.com/rozzin>
Not on the network? Ask me for an invitation to the nhcrossing.com social hub!
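A defender-side check for the pattern Ted describes, added here as an example and not code from either poster: it parses constructed sshd "Failed password" lines and reports the aggregate that a per-IP block never sees, namely how many distinct sources and usernames appear, which sources stayed under the per-IP threshold, and whether the source set rotates from hour to hour. The log lines, hostnames and addresses are constructed; the threshold is an assumed parameter.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines (syslog format) modelled on the thread's description:
# a few failed logins per hour, a different source address each hour, varied usernames.
SAMPLE_LOG = """\
Jun 10 01:12:03 host sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun 10 01:12:07 host sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun 10 01:12:11 host sshd[2204]: Failed password for invalid user mythtv from 203.0.113.5 port 40130 ssh2
Jun 10 02:40:51 host sshd[2310]: Failed password for invalid user rheal from 198.51.100.77 port 51002 ssh2
Jun 10 02:40:55 host sshd[2310]: Failed password for root from 198.51.100.77 port 51002 ssh2
Jun 10 03:05:19 host sshd[2402]: Failed password for invalid user admin from 192.0.2.200 port 33001 ssh2
Jun 10 03:05:30 host sshd[2402]: Accepted password for ted from 192.0.2.10 port 22122 ssh2
"""

# Standard OpenSSH "Failed password" line; the hour group keeps "Mon DD HH" for bucketing.
FAILED_RE = re.compile(
    r"^(?P<hour>\w{3}\s+\d{1,2} \d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failed_logins(log_text):
    """Yield (hour, username, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("hour"), m.group("user"), m.group("ip")

def low_and_slow_report(log_text, max_per_ip=5):
    """Aggregate view that a per-IP block (fail2ban style) never sees: total attempts,
    distinct sources and usernames, sources that stayed under the per-IP threshold,
    and whether the source set changes from one hour to the next."""
    per_ip, users, hours = Counter(), set(), defaultdict(set)
    for hour, user, ip in parse_failed_logins(log_text):
        per_ip[ip] += 1
        users.add(user)
        hours[hour].add(ip)
    seen, rotates = set(), True
    for hour in sorted(hours):  # lexical order is correct within a single day
        if hours[hour] & seen:  # an address reappearing in a later hour
            rotates = False
        seen |= hours[hour]
    return {
        "attempts": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "distinct_users": len(users),
        "under_threshold": sorted(ip for ip, n in per_ip.items() if n <= max_per_ip),
        "ip_rotation": rotates,
        "hours": {h: sorted(ips) for h, ips in sorted(hours.items())},
    }
```

On the constructed sample every source stays under the threshold and none repeats between hours, which is the signal worth alerting on even though no single address would ever trip a per-IP ban.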