[Tfug] Stopping repeated login attempts
Choprboy
choprboy at dakotacom.net
Wed Jan 27 13:34:41 MST 2010
On Wednesday 27 January 2010 12:13, Bexley Hall wrote:
> Hi Louis,
>
> > No, they are not valid accounts. The
> > attempts appear to just be just guesses on account names.
>
> OK. I was just wondering if they would have given you a clue
> as to how/why/when they targeted your machine (e.g., if
> they harvested the names off a web page that you host, etc.)
>
> --don
It is nothing specifically targeting a particular machine. The scanning is
being done by the "brutessh" script or a similar rehash. The script reads
from a list of common and/or username/password combinations, somewhere
between a few hundred and 10,000, and sequentially tries each one. If the
script finds an open account it copies itself onto the compromised machine
and starts another scan; the intent is to create a botnet of *nix machines.
The normal SSH daemon repeat failed login blocking does not work as the script
does a new TCP connection for every login attempt, then resets the
connection. The fail2ban and similar scripts track log entries looking for
repeated connections and then manually ban them at the firewall.
Adrian
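The log-driven approach described above (count failed logins per source address across many separate connections, then block the address at the firewall), as an added example that is not part of the original post and is not fail2ban's own code. It is a small Python sketch of the same idea: the sample sshd log lines are constructed for the example, the year is assumed to be 2010 because syslog timestamps carry none, the maxretry/findtime parameters are borrowed from fail2ban's terminology, and the iptables rule is only returned as a string, never executed. It also shows the caveat a practitioner would want: failures are keyed by source IP rather than by sshd process id (each new TCP connection is a new sshd child, which is why per-connection limits such as MaxAuthTries never fire), and a scanner that paces its guesses wider than the window is not caught.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in classic sshd format (not taken from the post).
# Note the pid changes on every attempt: one TCP connection, one sshd child, one guess.
SAMPLE_LOG = """\
Jan 27 13:01:02 host sshd[4101]: Invalid user oracle from 198.51.100.23
Jan 27 13:01:02 host sshd[4101]: Failed password for invalid user oracle from 198.51.100.23 port 51001 ssh2
Jan 27 13:01:03 host sshd[4102]: Invalid user test from 198.51.100.23
Jan 27 13:01:03 host sshd[4102]: Failed password for invalid user test from 198.51.100.23 port 51002 ssh2
Jan 27 13:01:04 host sshd[4103]: Failed password for invalid user admin from 198.51.100.23 port 51003 ssh2
Jan 27 13:01:05 host sshd[4104]: Failed password for root from 198.51.100.23 port 51004 ssh2
Jan 27 13:01:06 host sshd[4105]: Failed password for invalid user guest from 198.51.100.23 port 51005 ssh2
Jan 27 13:05:00 host sshd[4200]: Failed password for don from 203.0.113.7 port 40001 ssh2
Jan 27 13:05:20 host sshd[4201]: Accepted password for don from 203.0.113.7 port 40002 ssh2
Jan 27 13:30:00 host sshd[4300]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
Jan 27 13:50:00 host sshd[4301]: Failed password for invalid user oracle from 192.0.2.55 port 33002 ssh2
Jan 27 14:10:00 host sshd[4302]: Failed password for invalid user oracle from 192.0.2.55 port 33003 ssh2
Jan 27 14:30:00 host sshd[4303]: Failed password for invalid user oracle from 192.0.2.55 port 33004 ssh2
Jan 27 14:50:00 host sshd[4304]: Failed password for invalid user oracle from 192.0.2.55 port 33005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_login(line, year=2010):
    """Return (timestamp, ip, user) for an sshd 'Failed password' line, else None.

    Only the 'Failed password' line is counted; the 'Invalid user' line that
    precedes it describes the same attempt and would double-count it.
    The year is an assumption: syslog timestamps do not carry one.
    """
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip"), m.group("user")


def find_bans(lines, maxretry=5, findtime_s=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures within findtime_s.

    Failures are aggregated by source IP, not by sshd pid: a scanner that opens
    a fresh TCP connection for every guess gets a fresh sshd child each time,
    so per-connection limits inside sshd never trigger.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # drop failures that fell out of the sliding window
        while window and (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_command(ip, port=22):
    """The kind of firewall rule a ban action would run (returned as text, not executed)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S}  ban {ip}:  {ban_command(ip)}")
```

Run against the constructed log, only 198.51.100.23 is banned: five failures over five separate connections in four seconds. 203.0.113.7 is a legitimate user with one typo, and 192.0.2.55 makes the same five guesses but spaced 20 minutes apart, so no ten-minute window ever holds five of them; widening findtime (or lowering maxretry, at the cost of more false positives) is the only way a counter like this catches a slow scanner.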