Posted: 8/15/2005 11:49:33 PM EDT
They're really getting out of hand. Is everyone else seeing these constant scans?
Link Posted: 8/16/2005 8:05:24 AM EDT
Attacking where?

A real Brute Force takes a lot of resources (otherwise it ends up taking a very long time).
Link Posted: 8/16/2005 9:23:55 AM EDT
[Last Edit: 8/16/2005 9:24:08 AM EDT by cruze5]
Haven't checked lately... I have the hosts.allow file only accepting IPs from my work computer and that's it. hosts.deny is denying all IP addresses.
Link Posted: 8/16/2005 9:24:46 AM EDT

has some good info on securing linux server
Link Posted: 8/16/2005 10:58:33 AM EDT
The attack tries a few thousand login/passwords, looking for weak accounts:

Aug 15 09:49:06 localhost sshd[11162]: Failed password for invalid user unicorn123 from ::ffff: port 55650 ssh2
Aug 15 09:49:07 localhost sshd[11164]: Invalid user a from ::ffff:
Aug 15 09:49:10 localhost sshd[11164]: Failed password for invalid user a from ::ffff: port 56027 ssh2
Aug 15 09:49:11 localhost sshd[11166]: Invalid user unix from ::ffff:
Aug 15 09:49:13 localhost sshd[11166]: Failed password for invalid user unix from ::ffff: port 56408 ssh2
Aug 15 09:49:14 localhost sshd[11168]: Invalid user unix123 from ::ffff:
Aug 15 09:49:17 localhost sshd[11168]: Failed password for invalid user unix123 from ::ffff: port 56791 ssh2
Aug 15 09:49:18 localhost sshd[11170]: Invalid user a from ::ffff:
Aug 15 09:49:20 localhost sshd[11170]: Failed password for invalid user a from ::ffff: port 57152 ssh2

Yadda yadda yadda. I've been seeing 5-10 attacks from new IPs per day, every one running through a list of accounts. This IP tried over 3,000 logins, 2-3 seconds apart. It seems to pick up new weak accounts from /etc/passwd on the machines it exploits, adding them to the list of new accounts to try. Most of the attacks seem to come from overseas.

You're fine as long as your passwords are strong, but it could pretty easily escalate to a denial of service if this keeps spreading.
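
One way to spot the pattern in the log excerpt above, added here as an example and not part of the original thread: count sshd "Failed password" lines per source address inside a sliding time window. The sample lines, the addresses (documentation ranges), the year default and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd "Failed password" line, with or without "invalid user" and with or
# without the IPv4-mapped "::ffff:" prefix seen in the thread's excerpt.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\S+) port \d+")

def parse(line, year=2005):
    """Return (timestamp, ip, user, was_invalid_user) or None. Syslog omits the year."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"], bool(m["invalid"])

def find_guessers(lines, max_failures=5, window=timedelta(minutes=1)):
    """Summarise sources with more than max_failures failures in any window."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[1]].append(rec)
    flagged = {}
    for ip, recs in events.items():
        recs.sort()
        start = peak = 0
        for end, rec in enumerate(recs):
            while rec[0] - recs[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_failures:
            flagged[ip] = {"failures": len(recs), "peak_in_window": peak,
                           "users": sorted({r[2] for r in recs}),
                           "invalid_users": sum(r[3] for r in recs)}
    return flagged

# Constructed sample in the thread's log format; addresses are documentation ranges.
USERS = ["unicorn123", "a", "unix", "unix123", "a", "test", "guest", "admin"]
SAMPLE = [f"Aug 15 09:49:{6 + 3 * i:02d} localhost sshd[{11162 + 2 * i}]: Failed password "
          f"for invalid user {u} from ::ffff:203.0.113.7 port {55650 + i} ssh2"
          for i, u in enumerate(USERS)] + [
    "Aug 15 09:49:07 localhost sshd[11164]: Invalid user a from ::ffff:203.0.113.7",
    "Aug 15 09:50:30 localhost sshd[11201]: Failed password for alice from 198.51.100.20 port 40022 ssh2"]

if __name__ == "__main__":
    for ip, info in find_guessers(SAMPLE).items():
        print(ip, info)
```

A high count of distinct and invalid usernames from one address separates this kind of account-list guessing from a single user mistyping a password.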