sshguard is really good since it'll drop in an iptables rule to block an IP address after a number of attempts (and prevent knocking on other ports too). Yubikey as 2FA is pretty nice too.

-------- Original message --------
From: Bruce Dawson <j...@codemeta.com>
Date: 6/11/17 10:58 AM (GMT-05:00)
To: gnhlug-discuss@mail.gnhlug.org
Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?

sshguard takes care of most of them (especially the high bandwidth ones).

The black hats don't care - they're looking for vulnerable systems. If they find one, they'll exploit it (or not). Note that a while ago (more than a few years), Comcast used to probe systems to see if they're vulnerable. Either they don't do that any more, or contract it out because I haven't seen probes from any of their systems in years. This probably holds true for other ISPs, and various intelligence agencies in the world - both private and public, not to mention various disreputable enterprises.

--Bruce

On 06/11/2017 10:17 AM, Ted Roche wrote:
> For 36 hours now, one of my clients' servers has been logging ssh
> login attempts from around the world, low volume, persistent, but more
> frequent than usual. sshd is listening on a non-standard port, just to
> minimize the garbage in the logs.
>
> A couple of attempts is normal; we've seen that for years. But this is
> several each hour, and each hour an IP from a different country:
> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>
> There's several levels of defense in use: firewalls, intrusion
> detection, log monitoring, etc, so each script gets a few guesses and
> the IP is then rejected.
>
> In theory, the defenses should be sufficient, but I have a concern
> that I'm missing their strategy here. It's not a DDOS, they are very
> low volume. It will take them several millennia to guess enough
> dictionary attack guesses to get through, so what's the point?

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
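Added example, not part of the thread: a log check for the pattern Ted describes, where each source stays under a per-IP block threshold but several distinct sources appear within one time window. The log lines, the thresholds and the function names are constructed assumptions; sshguard's own scoring is not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth-log format (documentation IP ranges).
SAMPLE_LOG = """\
Jun 10 01:12:03 host sshd[811]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jun 10 01:12:09 host sshd[811]: Failed password for invalid user mythtv from 192.0.2.10 port 40118 ssh2
Jun 10 02:05:41 host sshd[902]: Failed password for invalid user rheal from 198.51.100.7 port 51200 ssh2
Jun 10 02:05:47 host sshd[902]: Failed password for root from 198.51.100.7 port 51206 ssh2
Jun 10 03:31:15 host sshd[977]: Failed password for root from 203.0.113.44 port 33810 ssh2
Jun 10 04:02:58 host sshd[1040]: Failed password for invalid user mythtv from 203.0.113.90 port 42001 ssh2
Jun 10 04:40:00 host sshd[1101]: Accepted publickey for ted from 192.0.2.200 port 50022 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failures(text, year=2017):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year, so one is assumed.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def analyze(text, per_ip_limit=5, window=timedelta(hours=6), min_sources=4):
    """Return (IPs at or over the per-IP limit, whether a distributed pattern shows)."""
    events = sorted(parse_failures(text))
    per_ip = defaultdict(int)
    for _, _, ip in events:
        per_ip[ip] += 1  # simplification: counted over the whole log
    noisy = {ip for ip, n in per_ip.items() if n >= per_ip_limit}
    # Sources that a per-IP threshold alone would never flag.
    quiet = [(ts, ip) for ts, _, ip in events if ip not in noisy]
    distributed, start = False, 0
    for end in range(len(quiet)):
        while quiet[end][0] - quiet[start][0] > window:
            start += 1  # slide the window forward
        if len({ip for _, ip in quiet[start:end + 1]}) >= min_sources:
            distributed = True
    return noisy, distributed

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, no single address reaches the per-IP limit, yet four low-volume sources fall inside one six-hour window, so the second return value is `True`.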