Hi Miriam - I have not attempted any type of automated blocking, as the attack profile appears to not present a threat to systems with reasonably good passwords. (I'm being a little lax about this, I realize).
What I have seen, in terms of the sources, intensity, and frequency of the attempts, matches what you reported - where the attempts come from varies every time, the number of different accounts that each attempt goes after varies greatly, and while I may see attempts from two different source IP addresses on one night, it may then be several days before I see any other attempts at all. I therefore agree that it does not appear to be any kind of widespread worm/virus, but instead manually launched. I guess that the targeting (what IP address[es] the attempts are made against) is random.

Thanks
-Jay

> Message: 17
> Date: Sun, 24 Oct 2004 09:43:17 +0800
> From: Miriam Chan <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: Any update on SSH brute force attempts?
>
> Jay Libove wrote:
> > Recently, a couple of times a week, I see repeats of this which now have
> > as many as fifty different accounts being attacked. (Almost none of which
> > exist on my server, and none of which will have common passwords
> > thankyouverymuch).
>
> By the way, I started to suspect that the attacks were intentional (not just
> some games by some script kiddies.) I had some servers accepting SSH
> connections from anywhere (this is for easy access, and I know it is not
> a very good idea.)
>
> Before I set up a Portsentry-like mechanism to block the bad hosts, I got at
> least 5-6 attempts per day. Afterward, I got nearly none (just some 1-2
> attempts a day.) The change looks simply too much for me. If I got some
> number of attacks a day, I would expect the same number of attacks the next
> day if the attacks were automatically done by some virus/worms. I wished that
> it was done by some virus, because (I think) a virus is not more malicious
> than a planned cracking behaviour.
>
> Does anyone have the same observations as me? It should be great if you saw
> it and shared your ideas.
>
> Miriam.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
