That's a new twist, isn't it? I wrote a Perl script a few years ago that locks out an IP address if there are more than a few failed login attempts within a minute. The script temporarily adds entries to /etc/hosts.deny which are removed about ten minutes later. This attack wouldn't be detected by that script.
What has gone really well for us at work is to change the SSH port to something nonstandard. The attacks have dropped to zero since that change.

Curt

On Thu, Jan 21, 2010 at 1:30 PM, Andrew Farnsworth <[email protected]> wrote:
> I am seeing a single coordinated ssh attack being initiated from multiple
> hosts. Anyone else encountering this?
>
> Andy
>
> Log Excerpt:
>
> Jan 21 12:46:30 localhost sshd[3915]: Invalid user dina from 83.211.160.212
> Jan 21 12:46:54 localhost sshd[3923]: Invalid user dino from 222.68.197.241
> Jan 21 12:48:30 localhost sshd[3963]: Invalid user dio from 125.5.47.183
> Jan 21 12:49:07 localhost sshd[3977]: Invalid user director from 200.248.242.218
> Jan 21 12:50:58 localhost sshd[4007]: Invalid user display from 62.140.18.92
> Jan 21 12:51:28 localhost sshd[4015]: Invalid user dm from 190.136.177.21
> Jan 21 12:51:47 localhost sshd[4023]: Invalid user dmc from 201.148.0.71
> Jan 21 12:53:13 localhost sshd[4045]: Invalid user doc from 94.228.32.57
> Jan 21 12:53:38 localhost sshd[4053]: Invalid user dokumenty from 134.60.14.66
> Jan 21 12:54:40 localhost sshd[4061]: Invalid user domenico from 158.195.86.13
> Jan 21 12:55:11 localhost sshd[4069]: Invalid user dominik from 202.153.229.198
> Jan 21 12:55:33 localhost sshd[4098]: Invalid user domino from 190.136.177.209
> Jan 21 12:58:21 localhost sshd[4296]: Invalid user donna from 87.230.11.27
> Jan 21 12:58:43 localhost sshd[4305]: Invalid user donna from 94.23.224.113
> Jan 21 13:01:23 localhost sshd[4359]: Invalid user doug from 60.22.153.39
> Jan 21 13:02:50 localhost sshd[4418]: Invalid user douglas from 89.166.53.106
> Jan 21 13:03:15 localhost sshd[4427]: Invalid user dovecot from 187.16.225.134
> Jan 21 13:04:24 localhost sshd[4441]: Invalid user download from 200.248.242.218
> Jan 21 13:04:39 localhost sshd[4449]: Invalid user downloads from 85.25.150.147
> Jan 21 13:05:04 localhost sshd[4472]: Invalid user dr from 62.28.32.203
> Jan 21 13:07:17 localhost sshd[4494]: Invalid user dross from 200.215.0.223
> Jan 21 13:09:08 localhost sshd[4523]: Invalid user dsmith from 117.22.231.36
> Jan 21 13:09:51 localhost sshd[4531]: Invalid user dsp from 83.64.232.194
> Jan 21 13:10:17 localhost sshd[4556]: Invalid user dspam from 190.11.19.53
> Jan 21 13:10:37 localhost sshd[4572]: Invalid user dt from 201.3.145.91
> Jan 21 13:10:56 localhost sshd[4582]: Invalid user duane from 201.232.117.190
> Jan 21 13:12:04 localhost sshd[4604]: Invalid user dummy from 213.236.208.201
> Jan 21 13:12:26 localhost sshd[4612]: Invalid user dummy from 58.223.237.6
> Jan 21 13:12:50 localhost sshd[4621]: Invalid user dummy from 58.223.238.7
> Jan 21 13:14:13 localhost sshd[4641]: Invalid user eagle from 88.84.146.93
> Jan 21 13:14:37 localhost sshd[4649]: Invalid user ed from 193.77.149.217
> Jan 21 13:16:26 localhost sshd[4659]: Invalid user edith from 87.193.191.148
> Jan 21 13:16:50 localhost sshd[4667]: Invalid user edmund from 87.79.12.8
> Jan 21 13:17:55 localhost sshd[4679]: Invalid user edu from 88.80.206.31
> Jan 21 13:19:30 localhost sshd[4699]: Invalid user edwin from 60.19.28.28
> Jan 21 13:20:06 localhost sshd[4715]: Invalid user eee from 212.163.66.68
> Jan 21 13:20:38 localhost sshd[4733]: Invalid user egarcia from 89.96.140.154
> Jan 21 13:20:58 localhost sshd[4746]: Invalid user eggdrop from 213.136.124.35
> Jan 21 13:21:33 localhost sshd[4764]: Invalid user ejabberd from 207.250.220.196
> Jan 21 13:22:47 localhost sshd[4785]: Invalid user ela from 78.107.254.109
> Jan 21 13:23:49 localhost sshd[4799]: Invalid user elaine from 62.68.180.239
> Jan 21 13:24:15 localhost sshd[4807]: Invalid user elaine from 87.29.74.149
> Jan 21 13:26:01 localhost sshd[4849]: Invalid user eli from 89.179.240.203
>
> --
> You received this message because you are subscribed to the Google Groups "NLUG" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to [email protected]<nlug-talk%[email protected]>
> For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
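An added example, not part of the original thread and not the Perl script mentioned in the reply: it runs the first lines of the quoted excerpt through a per-address lockout check and through an aggregate check that looks across source addresses. The thresholds (`limit`, `window`, `min_ips`) and the sorted-username heuristic are assumptions chosen for this excerpt.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# First seven lines of the quoted excerpt, wrapped lines rejoined.
SAMPLE = """\
Jan 21 12:46:30 localhost sshd[3915]: Invalid user dina from 83.211.160.212
Jan 21 12:46:54 localhost sshd[3923]: Invalid user dino from 222.68.197.241
Jan 21 12:48:30 localhost sshd[3963]: Invalid user dio from 125.5.47.183
Jan 21 12:49:07 localhost sshd[3977]: Invalid user director from 200.248.242.218
Jan 21 12:50:58 localhost sshd[4007]: Invalid user display from 62.140.18.92
Jan 21 12:51:28 localhost sshd[4015]: Invalid user dm from 190.136.177.21
Jan 21 12:51:47 localhost sshd[4023]: Invalid user dmc from 201.148.0.71
""".splitlines()

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)$")

def parse(lines, year=2010):
    """Return (time, user, ip) per 'Invalid user' line; syslog omits the year."""
    out = []
    for m in filter(None, map(LINE.match, lines)):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group(2), m.group(3)))
    return out

# limit, window and min_ips below are assumed values, not the Perl script's.
def per_ip_hits(events, limit=3, window=timedelta(minutes=1)):
    """IPs a per-address lockout would block: more than `limit` failures in `window`."""
    recent, hits = {}, set()
    for ts, _, ip in events:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            hits.add(ip)
    return hits

def distributed_hits(events, min_ips=5, window=timedelta(minutes=10)):
    """(start, end, failures) for windows where >= min_ips sources walk a sorted user list."""
    alerts, q = [], deque()
    for ev in events:
        q.append(ev)
        while ev[0] - q[0][0] > window:
            q.popleft()
        users = [u for _, u, _ in q]
        if len({ip for _, _, ip in q}) >= min_ips and users == sorted(users):
            alerts.append((q[0][0], ev[0], len(q)))
    return alerts
```

On this sample `per_ip_hits` returns an empty set because every address appears once, while `distributed_hits` starts alerting at the fifth failure.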
