Re: What's the strategy for bad guys guessing a few ssh passwords?

[Greg Rundlett (freephile)]

On Mon, Jun 12, 2017 at 4:00 PM, Ted Roche  wrote:

> On Mon, Jun 12, 2017 at 1:15 PM, Tom Buskey  wrote:
> > As Ted said in the 2nd sentence, it's running on a non-standard port.
> Yes,
> > it helps lot to reduce garbage in the logs.
> >
> > Maybe it's not non-standard enough?
> >
>
> Whadyamean? I'm using the same non-standard port everyone else does!
>
> Oh...
>
>
> : ?

~ Greg who is still on port 22 and uses fail2ban
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: What's the strategy for bad guys guessing a few ssh passwords?

[Ted Roche]

On Mon, Jun 12, 2017 at 1:15 PM, Tom Buskey  wrote:
> As Ted said in the 2nd sentence, it's running on a non-standard port.  Yes,
> it helps lot to reduce garbage in the logs.
>
> Maybe it's not non-standard enough?
>

Whadyamean? I'm using the same non-standard port everyone else does!

Oh...



-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: What's the strategy for bad guys guessing a few ssh passwords?

[Dan Coutu]

Insisting on the use of an ssh key instead of login credentials also helps a 
lot.

Dan

> On Jun 12, 2017, at 13:15, Tom Buskey  wrote:
> 
> As Ted said in the 2nd sentence, it's running on a non-standard port.  Yes, 
> it helps lot to reduce garbage in the logs.
> 
> Maybe it's not non-standard enough?
> 
> sshguard looks interesting.  Thanks!
> 
> On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson  > wrote:
> I have to second this suggestion - changing the port did wonders for our 
> servers. Of course, as Dan says, it works for script kiddies, not so much 
> against a determined attack on your server.
> 
> --Bruce
> 
> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
>> If you can change the port number it does wonders against the script kiddies.
>> 
>> Just remember to add the new port, restart sshd, then remove the old port.  
>> :)
>> 
>> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche > > wrote:
>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>> I'll give that a try.
>> 
>> I do have Fail2Ban in place, and have customized a number of scripts,
>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>> results in instaban, for example) and it is what it reporting the ssh
>> login failures.
>> 
>> I have always seen them, in the 10 years I've had this server running,
>> but the frequency, periodicity and international variety (usually
>> they're all China, Russian, Romania) seemed like there might be
>> something else going on.
>> 
>> Be careful out there.
>> 
>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski > > wrote:
>> > sshguard is really good since it'll drop in a iptables rule to block an IP
>> > address after a number of attemps (and prevent knocking on other ports 
>> > too).
>> >
>> > Yubikey as 2FA is pretty nice too.
>> >
>> >  Original message 
>> > From: Bruce Dawson >
>> > Date: 6/11/17 10:58 AM (GMT-05:00)
>> > To: gnhlug-discuss@mail.gnhlug.org 
>> > Subject: Re: What's the strategy for bad guys guessing a few ssh passwords?
>> >
>> > sshguard takes care of most of them (especially the high bandwidth ones).
>> >
>> > The black hats don't care - they're looking for vulnerable systems. If
>> > they find one, they'll exploit it (or not).
>> >
>> > Note that a while ago (more than a few years), comcast used to probe
>> > systems to see if they're vulnerable. Either they don't do that any
>> > more, or contract it out because I haven't see probes from any of their
>> > systems in years. This probably holds true for other ISPs, and various
>> > intelligence agencies in the world - both private and public, not to
>> > mention various disreputable enterprises.
>> >
>> > --Bruce
>> >
>> >
>> > On 06/11/2017 10:17 AM, Ted Roche wrote:
>> >> For 36 hours now, one of my clients' servers has been logging ssh
>> >> login attempts from around the world, low volume, persistent, but more
>> >> frequent than usual. sshd is listening on a non-standard port, just to
>> >> minimize the garbage in the logs.
>> >>
>> >> A couple of attempts is normal; we've seen that for years. But this is
>> >> several each  hour, and each hour an IP from a different country:
>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>> >>
>> >> There's several levels of defense in use: firewalls, intrusion
>> >> detection, log monitoring, etc, so each script gets a few guesses and
>> >> the IP is then rejected.
>> >>
>> >> In theory, the defenses should be sufficient, but I have a concern
>> >> that I'm missing their strategy here. It's not a DDOS, they are very
>> >> low volume. It will take them several millennia to guess enough
>> >> dictionary attack guesses to get through, so what's the point?
>> >>
>> >
>> > ___
>> > gnhlug-discuss mailing list
>> > gnhlug-discuss@mail.gnhlug.org 
>> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/ 
>> > 
>> >
>> > ___
>> > gnhlug-discuss mailing list
>> > gnhlug-discuss@mail.gnhlug.org 
>> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/ 
>> > 
>> >
>> 
>> 
>> 
>> --
>> Ted Roche
>> Ted Roche & Associates, LLC
>> http://www.tedroche.com 
>> ___
>> gnhlug-discuss mailing list
>> gnhlug-discuss@mail.gnhlug.org 
>> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/ 
>> 

Fwd: What's the strategy for bad guys guessing a few ssh passwords?

[Ted Roche]

Agreed. However, now that the kiddies have bot armies of millions of
machines, they just scan all the ports. I've been running non-standard
ports on most servers, and I am seeing similar traffic on many of the
machines (with unrelated domains, IP ranges, geography, CIDRs and
ISPs) makes me think they're approaching 100% coverage.

On Mon, Jun 12, 2017 at 9:59 AM, Dan Garthwaite  wrote:
> If you can change the port number it does wonders against the script
> kiddies.
>
> Just remember to add the new port, restart sshd, then remove the old port.
> :)
>
> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche  wrote:
>>
>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>> I'll give that a try.
>>
>> I do have Fail2Ban in place, and have customized a number of scripts,
>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>> results in instaban, for example) and it is what it reporting the ssh
>> login failures.
>>
>> I have always seen them, in the 10 years I've had this server running,
>> but the frequency, periodicity and international variety (usually
>> they're all China, Russian, Romania) seemed like there might be
>> something else going on.
>>
>> Be careful out there.
>>
>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski 
>> wrote:
>> > sshguard is really good since it'll drop in a iptables rule to block an
>> > IP
>> > address after a number of attemps (and prevent knocking on other ports
>> > too).
>> >
>> > Yubikey as 2FA is pretty nice too.
>> >
>> >  Original message 
>> > From: Bruce Dawson 
>> > Date: 6/11/17 10:58 AM (GMT-05:00)
>> > To: gnhlug-discuss@mail.gnhlug.org
>> > Subject: Re: What's the strategy for bad guys guessing a few ssh
>> > passwords?
>> >
>> > sshguard takes care of most of them (especially the high bandwidth
>> > ones).
>> >
>> > The black hats don't care - they're looking for vulnerable systems. If
>> > they find one, they'll exploit it (or not).
>> >
>> > Note that a while ago (more than a few years), comcast used to probe
>> > systems to see if they're vulnerable. Either they don't do that any
>> > more, or contract it out because I haven't see probes from any of their
>> > systems in years. This probably holds true for other ISPs, and various
>> > intelligence agencies in the world - both private and public, not to
>> > mention various disreputable enterprises.
>> >
>> > --Bruce
>> >
>> >
>> > On 06/11/2017 10:17 AM, Ted Roche wrote:
>> >> For 36 hours now, one of my clients' servers has been logging ssh
>> >> login attempts from around the world, low volume, persistent, but more
>> >> frequent than usual. sshd is listening on a non-standard port, just to
>> >> minimize the garbage in the logs.
>> >>
>> >> A couple of attempts is normal; we've seen that for years. But this is
>> >> several each  hour, and each hour an IP from a different country:
>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>> >>
>> >> There's several levels of defense in use: firewalls, intrusion
>> >> detection, log monitoring, etc, so each script gets a few guesses and
>> >> the IP is then rejected.
>> >>
>> >> In theory, the defenses should be sufficient, but I have a concern
>> >> that I'm missing their strategy here. It's not a DDOS, they are very
>> >> low volume. It will take them several millennia to guess enough
>> >> dictionary attack guesses to get through, so what's the point?
>> >>
>> >
>> > ___
>> > gnhlug-discuss mailing list
>> > gnhlug-discuss@mail.gnhlug.org
>> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>> >
>> > ___
>> > gnhlug-discuss mailing list
>> > gnhlug-discuss@mail.gnhlug.org
>> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>> >
>>
>>
>>
>> --
>> Ted Roche
>> Ted Roche & Associates, LLC
>> http://www.tedroche.com
>> ___
>> gnhlug-discuss mailing list
>> gnhlug-discuss@mail.gnhlug.org
>> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
>



--
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com


-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: What's the strategy for bad guys guessing a few ssh passwords?

[Tom Buskey]

As Ted said in the 2nd sentence, it's running on a non-standard port.  Yes,
it helps lot to reduce garbage in the logs.

Maybe it's not non-standard enough?

sshguard looks interesting.  Thanks!

On Mon, Jun 12, 2017 at 12:42 PM, Bruce Dawson  wrote:

> I have to second this suggestion - changing the port did wonders for our
> servers. Of course, as Dan says, it works for script kiddies, not so much
> against a determined attack on your server.
>
> --Bruce
>
> On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
>
> If you can change the port number it does wonders against the script
> kiddies.
>
> Just remember to add the new port, restart sshd, then remove the old port.
>  :)
>
> On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche  wrote:
>
>> Thanks, all for the recommendations. I hadn't seen sshguard before;
>> I'll give that a try.
>>
>> I do have Fail2Ban in place, and have customized a number of scripts,
>> mostly for Apache (trying to invoke asp scripts on my LAMP server
>> results in instaban, for example) and it is what it reporting the ssh
>> login failures.
>>
>> I have always seen them, in the 10 years I've had this server running,
>> but the frequency, periodicity and international variety (usually
>> they're all China, Russian, Romania) seemed like there might be
>> something else going on.
>>
>> Be careful out there.
>>
>> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski 
>> wrote:
>> > sshguard is really good since it'll drop in a iptables rule to block an
>> IP
>> > address after a number of attemps (and prevent knocking on other ports
>> too).
>> >
>> > Yubikey as 2FA is pretty nice too.
>> >
>> >  Original message 
>> > From: Bruce Dawson 
>> > Date: 6/11/17 10:58 AM (GMT-05:00)
>> > To: gnhlug-discuss@mail.gnhlug.org
>> > Subject: Re: What's the strategy for bad guys guessing a few ssh
>> passwords?
>> >
>> > sshguard takes care of most of them (especially the high bandwidth
>> ones).
>> >
>> > The black hats don't care - they're looking for vulnerable systems. If
>> > they find one, they'll exploit it (or not).
>> >
>> > Note that a while ago (more than a few years), comcast used to probe
>> > systems to see if they're vulnerable. Either they don't do that any
>> > more, or contract it out because I haven't see probes from any of their
>> > systems in years. This probably holds true for other ISPs, and various
>> > intelligence agencies in the world - both private and public, not to
>> > mention various disreputable enterprises.
>> >
>> > --Bruce
>> >
>> >
>> > On 06/11/2017 10:17 AM, Ted Roche wrote:
>> >> For 36 hours now, one of my clients' servers has been logging ssh
>> >> login attempts from around the world, low volume, persistent, but more
>> >> frequent than usual. sshd is listening on a non-standard port, just to
>> >> minimize the garbage in the logs.
>> >>
>> >> A couple of attempts is normal; we've seen that for years. But this is
>> >> several each  hour, and each hour an IP from a different country:
>> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>> >>
>> >> There's several levels of defense in use: firewalls, intrusion
>> >> detection, log monitoring, etc, so each script gets a few guesses and
>> >> the IP is then rejected.
>> >>
>> >> In theory, the defenses should be sufficient, but I have a concern
>> >> that I'm missing their strategy here. It's not a DDOS, they are very
>> >> low volume. It will take them several millennia to guess enough
>> >> dictionary attack guesses to get through, so what's the point?
>> >>
>> >
>> > ___
>> > gnhlug-discuss mailing list
>> > gnhlug-discuss@mail.gnhlug.org
>> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>> >
>> > ___
>> > gnhlug-discuss mailing list
>> > gnhlug-discuss@mail.gnhlug.org
>> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>> >
>>
>>
>>
>> --
>> Ted Roche
>> Ted Roche & Associates, LLC
>> http://www.tedroche.com
>> ___
>> gnhlug-discuss mailing list
>> gnhlug-discuss@mail.gnhlug.org
>> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>>
>
>
>
> ___
> gnhlug-discuss mailing 
> listgnhlug-discuss@mail.gnhlug.orghttp://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
>
>
> ___
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
>
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: What's the strategy for bad guys guessing a few ssh passwords?

[Bruce Dawson]

I have to second this suggestion - changing the port did wonders for our 
servers. Of course, as Dan says, it works for script kiddies, not so 
much against a determined attack on your server.


--Bruce


On 06/12/2017 09:59 AM, Dan Garthwaite wrote:
If you can change the port number it does wonders against the script 
kiddies.


Just remember to add the new port, restart sshd, then remove the old 
port.  :)


On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche > wrote:


Thanks, all for the recommendations. I hadn't seen sshguard before;
I'll give that a try.

I do have Fail2Ban in place, and have customized a number of scripts,
mostly for Apache (trying to invoke asp scripts on my LAMP server
results in instaban, for example) and it is what it reporting the ssh
login failures.

I have always seen them, in the 10 years I've had this server running,
but the frequency, periodicity and international variety (usually
they're all China, Russian, Romania) seemed like there might be
something else going on.

Be careful out there.

On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski
> wrote:
> sshguard is really good since it'll drop in a iptables rule to
block an IP
> address after a number of attemps (and prevent knocking on other
ports too).
>
> Yubikey as 2FA is pretty nice too.
>
>  Original message 
> From: Bruce Dawson >
> Date: 6/11/17 10:58 AM (GMT-05:00)
> To: gnhlug-discuss@mail.gnhlug.org

> Subject: Re: What's the strategy for bad guys guessing a few ssh
passwords?
>
> sshguard takes care of most of them (especially the high
bandwidth ones).
>
> The black hats don't care - they're looking for vulnerable
systems. If
> they find one, they'll exploit it (or not).
>
> Note that a while ago (more than a few years), comcast used to probe
> systems to see if they're vulnerable. Either they don't do that any
> more, or contract it out because I haven't see probes from any
of their
> systems in years. This probably holds true for other ISPs, and
various
> intelligence agencies in the world - both private and public, not to
> mention various disreputable enterprises.
>
> --Bruce
>
>
> On 06/11/2017 10:17 AM, Ted Roche wrote:
>> For 36 hours now, one of my clients' servers has been logging ssh
>> login attempts from around the world, low volume, persistent,
but more
>> frequent than usual. sshd is listening on a non-standard port,
just to
>> minimize the garbage in the logs.
>>
>> A couple of attempts is normal; we've seen that for years. But
this is
>> several each  hour, and each hour an IP from a different country:
>> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
>> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
>>
>> There's several levels of defense in use: firewalls, intrusion
>> detection, log monitoring, etc, so each script gets a few
guesses and
>> the IP is then rejected.
>>
>> In theory, the defenses should be sufficient, but I have a concern
>> that I'm missing their strategy here. It's not a DDOS, they are
very
>> low volume. It will take them several millennia to guess enough
>> dictionary attack guesses to get through, so what's the point?
>>
>
> ___
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org

> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

>
> ___
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org

> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

>



--
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org 
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/





___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: What's the strategy for bad guys guessing a few ssh passwords?

[Tom Buskey]

I always wonder what they're trying to get.  https://krebsonsecurity.com has
lots of info on why they do it, what they do with it and how they make $$.

There's very few consequences to the attacker for "rattling the doorknob"
compared to potential success.


On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche  wrote:

> Thanks, all for the recommendations. I hadn't seen sshguard before;
> I'll give that a try.
>
> I do have Fail2Ban in place, and have customized a number of scripts,
> mostly for Apache (trying to invoke asp scripts on my LAMP server
> results in instaban, for example) and it is what it reporting the ssh
> login failures.
>
> I have always seen them, in the 10 years I've had this server running,
> but the frequency, periodicity and international variety (usually
> they're all China, Russian, Romania) seemed like there might be
> something else going on.
>
> Be careful out there.
>
> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski 
> wrote:
> > sshguard is really good since it'll drop in a iptables rule to block an
> IP
> > address after a number of attemps (and prevent knocking on other ports
> too).
> >
> > Yubikey as 2FA is pretty nice too.
> >
> >  Original message 
> > From: Bruce Dawson 
> > Date: 6/11/17 10:58 AM (GMT-05:00)
> > To: gnhlug-discuss@mail.gnhlug.org
> > Subject: Re: What's the strategy for bad guys guessing a few ssh
> passwords?
> >
> > sshguard takes care of most of them (especially the high bandwidth ones).
> >
> > The black hats don't care - they're looking for vulnerable systems. If
> > they find one, they'll exploit it (or not).
> >
> > Note that a while ago (more than a few years), comcast used to probe
> > systems to see if they're vulnerable. Either they don't do that any
> > more, or contract it out because I haven't see probes from any of their
> > systems in years. This probably holds true for other ISPs, and various
> > intelligence agencies in the world - both private and public, not to
> > mention various disreputable enterprises.
> >
> > --Bruce
> >
> >
> > On 06/11/2017 10:17 AM, Ted Roche wrote:
> >> For 36 hours now, one of my clients' servers has been logging ssh
> >> login attempts from around the world, low volume, persistent, but more
> >> frequent than usual. sshd is listening on a non-standard port, just to
> >> minimize the garbage in the logs.
> >>
> >> A couple of attempts is normal; we've seen that for years. But this is
> >> several each  hour, and each hour an IP from a different country:
> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
> >>
> >> There's several levels of defense in use: firewalls, intrusion
> >> detection, log monitoring, etc, so each script gets a few guesses and
> >> the IP is then rejected.
> >>
> >> In theory, the defenses should be sufficient, but I have a concern
> >> that I'm missing their strategy here. It's not a DDOS, they are very
> >> low volume. It will take them several millennia to guess enough
> >> dictionary attack guesses to get through, so what's the point?
> >>
> >
> > ___
> > gnhlug-discuss mailing list
> > gnhlug-discuss@mail.gnhlug.org
> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> >
> > ___
> > gnhlug-discuss mailing list
> > gnhlug-discuss@mail.gnhlug.org
> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> >
>
>
>
> --
> Ted Roche
> Ted Roche & Associates, LLC
> http://www.tedroche.com
> ___
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

Re: What's the strategy for bad guys guessing a few ssh passwords?

[Dan Garthwaite]

If you can change the port number it does wonders against the script
kiddies.

Just remember to add the new port, restart sshd, then remove the old port.
 :)

On Sun, Jun 11, 2017 at 1:53 PM, Ted Roche  wrote:

> Thanks, all for the recommendations. I hadn't seen sshguard before;
> I'll give that a try.
>
> I do have Fail2Ban in place, and have customized a number of scripts,
> mostly for Apache (trying to invoke asp scripts on my LAMP server
> results in instaban, for example) and it is what it reporting the ssh
> login failures.
>
> I have always seen them, in the 10 years I've had this server running,
> but the frequency, periodicity and international variety (usually
> they're all China, Russian, Romania) seemed like there might be
> something else going on.
>
> Be careful out there.
>
> On Sun, Jun 11, 2017 at 11:19 AM, Mark Komarinski 
> wrote:
> > sshguard is really good since it'll drop in a iptables rule to block an
> IP
> > address after a number of attemps (and prevent knocking on other ports
> too).
> >
> > Yubikey as 2FA is pretty nice too.
> >
> >  Original message 
> > From: Bruce Dawson 
> > Date: 6/11/17 10:58 AM (GMT-05:00)
> > To: gnhlug-discuss@mail.gnhlug.org
> > Subject: Re: What's the strategy for bad guys guessing a few ssh
> passwords?
> >
> > sshguard takes care of most of them (especially the high bandwidth ones).
> >
> > The black hats don't care - they're looking for vulnerable systems. If
> > they find one, they'll exploit it (or not).
> >
> > Note that a while ago (more than a few years), comcast used to probe
> > systems to see if they're vulnerable. Either they don't do that any
> > more, or contract it out because I haven't see probes from any of their
> > systems in years. This probably holds true for other ISPs, and various
> > intelligence agencies in the world - both private and public, not to
> > mention various disreputable enterprises.
> >
> > --Bruce
> >
> >
> > On 06/11/2017 10:17 AM, Ted Roche wrote:
> >> For 36 hours now, one of my clients' servers has been logging ssh
> >> login attempts from around the world, low volume, persistent, but more
> >> frequent than usual. sshd is listening on a non-standard port, just to
> >> minimize the garbage in the logs.
> >>
> >> A couple of attempts is normal; we've seen that for years. But this is
> >> several each  hour, and each hour an IP from a different country:
> >> Belgium, Korea, Switzerland, Bangladesh, France, China, Germany,
> >> Dallas, Greece. Usernames vary: root, mythtv, rheal, etc.
> >>
> >> There's several levels of defense in use: firewalls, intrusion
> >> detection, log monitoring, etc, so each script gets a few guesses and
> >> the IP is then rejected.
> >>
> >> In theory, the defenses should be sufficient, but I have a concern
> >> that I'm missing their strategy here. It's not a DDOS, they are very
> >> low volume. It will take them several millennia to guess enough
> >> dictionary attack guesses to get through, so what's the point?
> >>
> >
> > ___
> > gnhlug-discuss mailing list
> > gnhlug-discuss@mail.gnhlug.org
> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> >
> > ___
> > gnhlug-discuss mailing list
> > gnhlug-discuss@mail.gnhlug.org
> > http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> >
>
>
>
> --
> Ted Roche
> Ted Roche & Associates, LLC
> http://www.tedroche.com
> ___
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/