Re: What's the strategy for bad guys guessing a few ssh passwords?

Sun, 11 Jun 2017 08:23:28 -0700 

On 06/11/2017 10:17 AM, Ted Roche wrote:
> For 36 hours now, one of my clients' servers has been logging ssh
> login attempts from around the world, low volume, persistent, but more
> frequent than usual. sshd is listening on a non-standard port, just to
> minimize the garbage in the logs.
> 
> A couple of attempts is normal; we've seen that for years. But this is
> several each  hour, and each hour an IP from a different country:
> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
> 
> There's several levels of defense in use: firewalls, intrusion
> detection, log monitoring, etc, so each script gets a few guesses and
> the IP is then rejected.
> 
> In theory, the defenses should be sufficient, but I have a concern
> that I'm missing their strategy here. It's not a DDOS, they are very
> low volume. It will take them several millennia to guess enough
> dictionary attack guesses to get through, so what's the point?

Maybe they already have known-good passwords to go along with the usernames,
and they're guessing at *hosts* (or networks) where those combinations work?

Just over a decade ago, a friend who was doing sysadmin at a college
got involved in chasing down someone who had been worming his way
through college/university networks using that same general class
of strategy:

        1. find usernames+passwords for staff at an arbitrary university

        2. assume people with a network account at one university
           probably have accounts with the same username+password
           on systems at _other_ universities
          (because academics collaborate across institutional boundaries)

        3. grow the list hosts you can log into using #2

        4. assume that some of the systems you can now log into
           probably have vulnerabilities that allow you to find other
           known-good username+password pairs

        5. grow your list of username+password pairs using #4

        5. GOTO 1


If you already have a big network of attack-bots, then there's probably
no reason to even restrict the scope to universities.

-- 
Connect with me on the GNU social network: 
<https://status.hackerposse.com/rozzin>
Not on the network? Ask me for an invitation to the nhcrossing.com social hub!
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Reply via email to