I always wonder what they're trying to get. https://krebsonsecurity.com has lots of info on why they do it, what they do with it and how they make $$.
There are very few consequences to the attacker for "rattling the doorknob" compared to potential success.

On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche <tedro...@gmail.com> wrote:
> Thanks, all for the recommendations. I hadn't seen sshguard before;
> I'll give that a try.
>
> I do have Fail2Ban in place, and have customized a number of scripts,
> mostly for Apache (trying to invoke asp scripts on my LAMP server
> results in instaban, for example) and it is what is reporting the ssh
> login failures.
>
> I have always seen them, in the 10 years I've had this server running,
> but the frequency, periodicity and international variety (usually
> they're all China, Russia, Romania) seemed like there might be
> something else going on.
>
> Be careful out there.
>
> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski <mkomarin...@wayga.org> wrote:
> > sshguard is really good since it'll drop in an iptables rule to block an IP
> > address after a number of attempts (and prevent knocking on other ports too).
> >
> > Yubikey as 2FA is pretty nice too.
> >
> > -------- Original message --------
> > From: Bruce Dawson <j...@codemeta.com>
> > Date: 6/11/17 10:58 AM (GMT-05:00)
> > To: gnhlug-discuss@mail.gnhlug.org
> > Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
> >
> > sshguard takes care of most of them (especially the high bandwidth ones).
> >
> > The black hats don't care - they're looking for vulnerable systems. If
> > they find one, they'll exploit it (or not).
> >
> > Note that a while ago (more than a few years), Comcast used to probe
> > systems to see if they're vulnerable. Either they don't do that any
> > more, or contract it out because I haven't seen probes from any of their
> > systems in years. This probably holds true for other ISPs, and various
> > intelligence agencies in the world - both private and public, not to
> > mention various disreputable enterprises.
> >
> > --Bruce
> >
> >
> > On 06/11/2017 10:17 AM, Ted Roche wrote:
> >> For 36 hours now, one of my clients' servers has been logging ssh
> >> login attempts from around the world, low volume, persistent, but more
> >> frequent than usual. sshd is listening on a non-standard port, just to
> >> minimize the garbage in the logs.
> >>
> >> A couple of attempts is normal; we've seen that for years. But this is
> >> several each hour, and each hour an IP from a different country:
> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
> >>
> >> There are several levels of defense in use: firewalls, intrusion
> >> detection, log monitoring, etc, so each script gets a few guesses and
> >> the IP is then rejected.
> >>
> >> In theory, the defenses should be sufficient, but I have a concern
> >> that I'm missing their strategy here. It's not a DDOS, they are very
> >> low volume. It will take them several millennia to guess enough
> >> dictionary attack guesses to get through, so what's the point?
> >>
> >
> > _______________________________________________
> > gnhlug-discuss mailing list
> > gnhlug-discuss@mail.gnhlug.org
> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
>
> --
> Ted Roche
> Ted Roche & Associates, LLC
> http://www.tedroche.com
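The two views at play in the thread are easy to put side by side on a handful of log lines: the per-source rule that sshguard and Fail2Ban implement (ban an IP after N failures in a short window), and the pattern Ted describes that such a rule never aggregates (a few guesses each from many different IPs, each source staying under the ban threshold). The script below is an added example, not code from the list or from sshguard or Fail2Ban. The auth.log lines are constructed (RFC 5737 documentation addresses), the year 2017 is assumed because syslog timestamps carry none, and the maxretry/findtime/window values are illustrative, not either tool's defaults.

```python
"""Per-IP banning (what sshguard/Fail2Ban do) versus the low-and-slow,
many-source guessing pattern from the thread, run over sample auth.log
lines.  Added example, not code from the list or from either tool."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH syslog failure line:
#   "... sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample (RFC 5737 documentation addresses), not the poster's log.
# One noisy scanner, then three sources that make only two guesses each.
SAMPLE_LOG = """\
Jun 11 09:02:11 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 11 09:02:13 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 11 09:02:15 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 11 09:02:17 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 11 09:02:19 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 11 10:14:02 host sshd[1340]: Failed password for invalid user mythtv from 198.51.100.20 port 40311 ssh2
Jun 11 10:14:05 host sshd[1340]: Failed password for invalid user mythtv from 198.51.100.20 port 40311 ssh2
Jun 11 11:20:40 host sshd[1502]: Failed password for root from 192.0.2.99 port 38800 ssh2
Jun 11 11:20:43 host sshd[1502]: Failed password for invalid user rheal from 192.0.2.99 port 38800 ssh2
Jun 11 12:31:09 host sshd[1611]: Failed password for root from 198.51.100.77 port 33012 ssh2
Jun 11 12:31:12 host sshd[1611]: Failed password for root from 198.51.100.77 port 33012 ssh2
Jun 11 12:33:00 host sshd[1612]: Accepted publickey for ted from 192.0.2.5 port 50001 ssh2
"""

LOG_YEAR = 2017  # assumed: syslog timestamps carry no year


def parse_failures(text):
    """Return failed-login events as (timestamp, username, source_ip), sorted by time."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["user"], m["ip"]))
    return sorted(events)


def fail2ban_style_bans(events, maxretry=3, findtime=600):
    """IPs a per-source rule would ban: `maxretry` failures from one IP
    inside any `findtime`-second window (Fail2Ban's terms; values illustrative)."""
    banned = set()
    recent = defaultdict(list)  # ip -> failure times still inside the window
    for ts, _user, ip in events:
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime]
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


def low_and_slow(events, banned, window=timedelta(hours=6), min_sources=3):
    """The aggregate view a per-IP rule never sees: among sources that stayed
    under the ban threshold, the busiest `window` by distinct source count.
    Flags when at least `min_sources` different IPs guessed in that window."""
    survivors = [e for e in events if e[2] not in banned]
    best = {"sources": 0, "attempts": 0, "users": {}, "flagged": False}
    for i, (end, _user, _ip) in enumerate(survivors):
        in_win = [e for e in survivors[: i + 1] if end - e[0] <= window]
        ips = {e[2] for e in in_win}
        if (len(ips), len(in_win)) > (best["sources"], best["attempts"]):
            users = defaultdict(int)
            for _ts, user, _ip2 in in_win:
                users[user] += 1
            best = {
                "sources": len(ips),
                "attempts": len(in_win),
                "users": dict(users),
                "flagged": len(ips) >= min_sources,
            }
    return best


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    bans = fail2ban_style_bans(evs)
    print("banned by per-IP rule:", sorted(bans))
    print("low-and-slow summary:", low_and_slow(evs, bans))
```

On the sample, the per-IP rule bans only the noisy scanner; the three two-guess sources are exactly the traffic the original post describes, and only the aggregate pass (distinct sources per window, and which usernames they tried) makes them visible as one campaign. That aggregate is what you would feed an alert or dashboard alongside the banning tool, since neither sshguard nor Fail2Ban correlates across sources.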