[conspire] Ongoing dictionary attacks on SSH daemons

Rick Moen rick at linuxmafia.com
Fri Oct 1 10:27:09 PDT 2004


Those of you running SSH daemons, be aware that there have been BIG 
sets of "dictionary attacks" on SSH servers all over the world, going 
on for the last couple of weeks.  Someone has a large number of machines
trying plausible user/password combinations on found SSH servers, 
seeing if there is any easy entrance.  (All it takes is one.)

You may wish to consider disabling password authentication and using
only SSH keypairs, as well as restricting which IPs are allowed to
connect for inbound SSH.

Also worth considering is sshd-sentry:
http://linuxmafia.com/pub/linux/security/ssh-dictionary-attack-blacklist

Script and explanatory e-mail by Victor Danilchenko to monitor the sshd
logs, detect repeated failed login attempts, notify the sysadmin of such
attempts via e-mail, and blacklist hosts whence such attempts
originated.  Perl script.  Licence terms for the script ("sshd-sentry")
are unstated.

(I'm writing to Danilchenko to ask if he'll open-source it.)
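
The monitoring loop that sshd-sentry is described as performing, as an added Python example (not Danilchenko's Perl script): it parses the "Failed password" lines from the forwarded logcheck report, counts failures per source address inside a sliding time window, and emits tcp_wrappers hosts.deny entries for any address over the threshold. The year (syslog lines carry none), the threshold and window, the 192.0.2.10 sample lines and the hosts.deny action are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "Failed password" lines sshd logged in the forwarded report.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failed(line, year=2004):
    """Return (timestamp, user, is_illegal_user, ip) or None; year is assumed."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["illegal"] is not None, m["ip"]

def find_attackers(lines, threshold=5, window_s=600):
    """Map each source IP with >= threshold failed passwords inside any
    window_s-second span to its failure count, usernames tried, illegal count."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "illegal": 0})
    flagged = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:        # other sshd chatter, e.g. "Illegal user ..."
            continue
        ts, user, illegal, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop attempts that fell out of the window
        s = stats[ip]
        s["failures"] += 1
        s["users"].add(user)
        s["illegal"] += int(illegal)
        if len(q) >= threshold:
            flagged[ip] = s
    return flagged

def hosts_deny_lines(flagged):
    """tcp_wrappers /etc/hosts.deny entries refusing sshd to flagged hosts."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]

# Six lines from the forwarded logcheck report, one non-matching sshd line,
# and two constructed failures from a documentation address (192.0.2.10).
SAMPLE_LOG = """\
Oct  1 09:10:53 linuxmafia sshd[13456]: Did not receive identification string from 195.27.7.130
Oct  1 09:17:36 linuxmafia sshd[13515]: Failed password for nobody from 195.27.7.130 port 45280 ssh2
Oct  1 09:17:38 linuxmafia sshd[13519]: Failed password for illegal user patrick from 195.27.7.130 port 45334 ssh2
Oct  1 09:17:41 linuxmafia sshd[13523]: Failed password for root from 195.27.7.130 port 45407 ssh2
Oct  1 09:17:44 linuxmafia sshd[13525]: Failed password for root from 195.27.7.130 port 45448 ssh2
Oct  1 09:17:54 linuxmafia sshd[13539]: Failed password for illegal user iceuser from 195.27.7.130 port 45659 ssh2
Oct  1 09:18:17 linuxmafia sshd[13566]: Failed password for mysql from 195.27.7.130 port 46097 ssh2
Oct  1 09:30:01 linuxmafia sshd[14001]: Failed password for alice from 192.0.2.10 port 51002 ssh2
Oct  1 09:30:05 linuxmafia sshd[14003]: Failed password for alice from 192.0.2.10 port 51004 ssh2
""".splitlines()
```

Running find_attackers(SAMPLE_LOG) flags only 195.27.7.130 (6 failures, 5 distinct usernames, 2 of them non-existent); the two mistyped logins from 192.0.2.10 stay under the threshold, which is the distinction a blacklist must make before it locks out a legitimate user.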


----- Forwarded message from logcheck at linuxmafia.com -----

To: root at linuxmafia.com
Subject: linuxmafia 2004-10-01 10:02 Security Events
From: logcheck at linuxmafia.com
Date: Fri, 01 Oct 2004 10:02:10 -0700

Security Events
=-=-=-=-=-=-=-=
Oct  1 09:17:36 linuxmafia sshd[13515]: Failed password for nobody from 195.27.7.130 port 45280 ssh2
Oct  1 09:17:38 linuxmafia sshd[13519]: Failed password for illegal user patrick from 195.27.7.130 port 45334 ssh2
Oct  1 09:17:39 linuxmafia sshd[13521]: Failed password for illegal user patrick from 195.27.7.130 port 45374 ssh2
Oct  1 09:17:41 linuxmafia sshd[13523]: Failed password for root from 195.27.7.130 port 45407 ssh2
Oct  1 09:17:44 linuxmafia sshd[13525]: Failed password for root from 195.27.7.130 port 45448 ssh2
Oct  1 09:17:47 linuxmafia sshd[13527]: Failed password for root from 195.27.7.130 port 45491 ssh2
Oct  1 09:17:49 linuxmafia sshd[13533]: Failed password for root from 195.27.7.130 port 45552 ssh2
Oct  1 09:17:51 linuxmafia sshd[13535]: Failed password for root from 195.27.7.130 port 45590 ssh2
Oct  1 09:17:52 linuxmafia sshd[13537]: Failed password for illegal user rolo from 195.27.7.130 port 45622 ssh2
Oct  1 09:17:54 linuxmafia sshd[13539]: Failed password for illegal user iceuser from 195.27.7.130 port 45659 ssh2
Oct  1 09:17:56 linuxmafia sshd[13541]: Failed password for illegal user horde from 195.27.7.130 port 45694 ssh2
Oct  1 09:17:58 linuxmafia sshd[13543]: Failed password for illegal user cyrus from 195.27.7.130 port 45732 ssh2
Oct  1 09:18:00 linuxmafia sshd[13545]: Failed password for illegal user www from 195.27.7.130 port 45764 ssh2
Oct  1 09:18:02 linuxmafia sshd[13547]: Failed password for illegal user wwwrun from 195.27.7.130 port 45802 ssh2
Oct  1 09:18:05 linuxmafia sshd[13551]: Failed password for illegal user matt from 195.27.7.130 port 45851 ssh2
Oct  1 09:18:07 linuxmafia sshd[13554]: Failed password for illegal user test from 195.27.7.130 port 45896 ssh2
Oct  1 09:18:08 linuxmafia sshd[13556]: Failed password for illegal user test from 195.27.7.130 port 45937 ssh2
Oct  1 09:18:11 linuxmafia sshd[13558]: Failed password for illegal user test from 195.27.7.130 port 45971 ssh2
Oct  1 09:18:13 linuxmafia sshd[13562]: Failed password for illegal user test from 195.27.7.130 port 46027 ssh2
Oct  1 09:18:15 linuxmafia sshd[13564]: Failed password for www-data from 195.27.7.130 port 46059 ssh2
Oct  1 09:18:17 linuxmafia sshd[13566]: Failed password for mysql from 195.27.7.130 port 46097 ssh2
Oct  1 09:18:19 linuxmafia sshd[13568]: Failed password for operator from 195.27.7.130 port 46133 ssh2
Oct  1 09:18:22 linuxmafia sshd[13570]: Failed password for illegal user adm from 195.27.7.130 port 46164 ssh2
Oct  1 09:18:24 linuxmafia sshd[13572]: Failed password for illegal user apache from 195.27.7.130 port 46223 ssh2
Oct  1 09:18:26 linuxmafia sshd[13574]: Failed password for irc from 195.27.7.130 port 46265 ssh2
Oct  1 09:18:29 linuxmafia sshd[13576]: Failed password for irc from 195.27.7.130 port 46298 ssh2
Oct  1 09:18:31 linuxmafia sshd[13578]: Failed password for illegal user adm from 195.27.7.130 port 46351 ssh2
Oct  1 09:18:33 linuxmafia sshd[13580]: Failed password for root from 195.27.7.130 port 46384 ssh2
Oct  1 09:18:35 linuxmafia sshd[13582]: Failed password for root from 195.27.7.130 port 46418 ssh2
Oct  1 09:18:37 linuxmafia sshd[13584]: Failed password for root from 195.27.7.130 port 46473 ssh2
Oct  1 09:18:39 linuxmafia sshd[13586]: Failed password for illegal user jane from 195.27.7.130 port 46506 ssh2
Oct  1 09:18:41 linuxmafia sshd[13588]: Failed password for illegal user pamela from 195.27.7.130 port 46537 ssh2
Oct  1 09:18:44 linuxmafia sshd[13592]: Failed password for root from 195.27.7.130 port 46578 ssh2
Oct  1 09:18:46 linuxmafia sshd[13594]: Failed password for root from 195.27.7.130 port 46625 ssh2
Oct  1 09:18:48 linuxmafia sshd[13596]: Failed password for root from 195.27.7.130 port 46665 ssh2
Oct  1 09:18:50 linuxmafia sshd[13598]: Failed password for root from 195.27.7.130 port 46696 ssh2
Oct  1 09:18:52 linuxmafia sshd[13600]: Failed password for root from 195.27.7.130 port 46729 ssh2
Oct  1 09:18:54 linuxmafia sshd[13602]: Failed password for illegal user cosmin from 195.27.7.130 port 46763 ssh2
Oct  1 09:18:56 linuxmafia sshd[13605]: Failed password for root from 195.27.7.130 port 46807 ssh2
Oct  1 09:18:58 linuxmafia sshd[13607]: Failed password for root from 195.27.7.130 port 46842 ssh2
Oct  1 09:19:00 linuxmafia sshd[13611]: Failed password for root from 195.27.7.130 port 46877 ssh2
Oct  1 09:19:01 linuxmafia sshd[13613]: Failed password for root from 195.27.7.130 port 46912 ssh2
Oct  1 09:19:03 linuxmafia sshd[13615]: Failed password for root from 195.27.7.130 port 46952 ssh2
Oct  1 09:19:05 linuxmafia sshd[13617]: Failed password for root from 195.27.7.130 port 46989 ssh2
Oct  1 09:19:07 linuxmafia sshd[13619]: Failed password for root from 195.27.7.130 port 47026 ssh2
Oct  1 09:19:09 linuxmafia sshd[13621]: Failed password for root from 195.27.7.130 port 47059 ssh2
Oct  1 09:19:11 linuxmafia sshd[13627]: Failed password for root from 195.27.7.130 port 47098 ssh2
Oct  1 09:19:13 linuxmafia sshd[13629]: Failed password for root from 195.27.7.130 port 47135 ssh2
Oct  1 09:19:15 linuxmafia sshd[13631]: Failed password for root from 195.27.7.130 port 47170 ssh2
Oct  1 09:19:16 linuxmafia sshd[13633]: Failed password for root from 195.27.7.130 port 47207 ssh2
Oct  1 09:19:18 linuxmafia sshd[13635]: Failed password for root from 195.27.7.130 port 47242 ssh2
Oct  1 09:19:20 linuxmafia sshd[13637]: Failed password for root from 195.27.7.130 port 47279 ssh2
Oct  1 09:19:22 linuxmafia sshd[13643]: Failed password for root from 195.27.7.130 port 47315 ssh2
Oct  1 09:19:25 linuxmafia sshd[13645]: Failed password for root from 195.27.7.130 port 47353 ssh2
Oct  1 09:19:27 linuxmafia sshd[13648]: Failed password for root from 195.27.7.130 port 47417 ssh2
Oct  1 09:19:29 linuxmafia sshd[13650]: Failed password for root from 195.27.7.130 port 47455 ssh2
Oct  1 09:19:31 linuxmafia sshd[13652]: Failed password for root from 195.27.7.130 port 47492 ssh2
Oct  1 09:19:33 linuxmafia sshd[13654]: Failed password for root from 195.27.7.130 port 47532 ssh2
Oct  1 09:19:35 linuxmafia sshd[13657]: Failed password for root from 195.27.7.130 port 47567 ssh2
Oct  1 09:19:37 linuxmafia sshd[13659]: Failed password for root from 195.27.7.130 port 47602 ssh2
Oct  1 09:19:39 linuxmafia sshd[13662]: Failed password for root from 195.27.7.130 port 47641 ssh2
Oct  1 09:19:41 linuxmafia sshd[13664]: Failed password for root from 195.27.7.130 port 47675 ssh2
Oct  1 09:19:42 linuxmafia sshd[13666]: Failed password for root from 195.27.7.130 port 47709 ssh2
Oct  1 09:19:44 linuxmafia sshd[13668]: Failed password for root from 195.27.7.130 port 47748 ssh2
Oct  1 09:19:46 linuxmafia sshd[13670]: Failed password for root from 195.27.7.130 port 47786 ssh2
Oct  1 09:19:48 linuxmafia sshd[13672]: Failed password for root from 195.27.7.130 port 47824 ssh2
Oct  1 09:19:50 linuxmafia sshd[13674]: Failed password for root from 195.27.7.130 port 47856 ssh2
Oct  1 09:19:52 linuxmafia sshd[13676]: Failed password for root from 195.27.7.130 port 47892 ssh2
Oct  1 09:19:54 linuxmafia sshd[13678]: Failed password for root from 195.27.7.130 port 47929 ssh2
Oct  1 09:19:56 linuxmafia sshd[13680]: Failed password for root from 195.27.7.130 port 47963 ssh2
Oct  1 09:19:57 linuxmafia sshd[13682]: Failed password for root from 195.27.7.130 port 48000 ssh2
Oct  1 09:19:59 linuxmafia sshd[13684]: Failed password for root from 195.27.7.130 port 48030 ssh2
Oct  1 09:20:01 linuxmafia sshd[13686]: Failed password for root from 195.27.7.130 port 48063 ssh2
Oct  1 09:20:04 linuxmafia sshd[13695]: Failed password for root from 195.27.7.130 port 48103 ssh2
Oct  1 09:20:06 linuxmafia sshd[13697]: Failed password for illegal user cip52 from 195.27.7.130 port 48140 ssh2
Oct  1 09:20:07 linuxmafia sshd[13699]: Failed password for illegal user cip51 from 195.27.7.130 port 48177 ssh2
Oct  1 09:20:10 linuxmafia sshd[13701]: Failed password for root from 195.27.7.130 port 48209 ssh2
Oct  1 09:20:12 linuxmafia sshd[13705]: Failed password for illegal user noc from 195.27.7.130 port 48261 ssh2
Oct  1 09:20:14 linuxmafia sshd[13709]: Failed password for root from 195.27.7.130 port 48297 ssh2
Oct  1 09:20:16 linuxmafia sshd[13713]: Failed password for root from 195.27.7.130 port 48329 ssh2
Oct  1 09:20:18 linuxmafia sshd[13718]: Failed password for root from 195.27.7.130 port 48364 ssh2
Oct  1 09:20:20 linuxmafia sshd[13720]: Failed password for root from 195.27.7.130 port 48394 ssh2
Oct  1 09:20:22 linuxmafia sshd[13722]: Failed password for illegal user webmaster from 195.27.7.130 port 48434 ssh2
Oct  1 09:20:23 linuxmafia sshd[13724]: Failed password for illegal user data from 195.27.7.130 port 48462 ssh2
Oct  1 09:20:25 linuxmafia sshd[13726]: Failed password for illegal user user from 195.27.7.130 port 48494 ssh2
Oct  1 09:20:27 linuxmafia sshd[13728]: Failed password for illegal user user from 195.27.7.130 port 48527 ssh2
Oct  1 09:20:29 linuxmafia sshd[13730]: Failed password for illegal user user from 195.27.7.130 port 48559 ssh2
Oct  1 09:20:31 linuxmafia sshd[13734]: Failed password for illegal user web from 195.27.7.130 port 48595 ssh2
Oct  1 09:20:33 linuxmafia sshd[13736]: Failed password for illegal user web from 195.27.7.130 port 48626 ssh2
Oct  1 09:20:35 linuxmafia sshd[13738]: Failed password for illegal user oracle from 195.27.7.130 port 48656 ssh2
Oct  1 09:20:39 linuxmafia sshd[13742]: Failed password for illegal user sybase from 195.27.7.130 port 48697 ssh2
Oct  1 09:20:41 linuxmafia sshd[13744]: Failed password for illegal user master from 195.27.7.130 port 48757 ssh2
Oct  1 09:20:42 linuxmafia sshd[13748]: Failed password for illegal user account from 195.27.7.130 port 48793 ssh2
Oct  1 09:20:44 linuxmafia sshd[13750]: Failed password for backup from 195.27.7.130 port 48823 ssh2
Oct  1 09:20:46 linuxmafia sshd[13752]: Failed password for illegal user server from 195.27.7.130 port 48861 ssh2
Oct  1 09:20:48 linuxmafia sshd[13754]: Failed password for illegal user adam from 195.27.7.130 port 48886 ssh2
Oct  1 09:20:51 linuxmafia sshd[13756]: Failed password for illegal user alan from 195.27.7.130 port 48923 ssh2
Oct  1 09:20:56 linuxmafia sshd[13758]: Failed password for illegal user frank from 195.27.7.130 port 48981 ssh2
Oct  1 09:20:58 linuxmafia sshd[13760]: Failed password for illegal user george from 195.27.7.130 port 49061 ssh2
Oct  1 09:21:00 linuxmafia sshd[13762]: Failed password for illegal user henry from 195.27.7.130 port 49093 ssh2
Oct  1 09:21:02 linuxmafia sshd[13766]: Failed password for illegal user john from 195.27.7.130 port 49132 ssh2
Oct  1 09:21:07 linuxmafia sshd[13768]: Failed password for root from 195.27.7.130 port 49163 ssh2
Oct  1 09:21:09 linuxmafia sshd[13770]: Failed password for root from 195.27.7.130 port 49249 ssh2
Oct  1 09:21:11 linuxmafia sshd[13772]: Failed password for root from 195.27.7.130 port 49282 ssh2
Oct  1 09:21:13 linuxmafia sshd[13774]: Failed password for root from 195.27.7.130 port 49321 ssh2
Oct  1 09:21:15 linuxmafia sshd[13776]: Failed password for root from 195.27.7.130 port 49362 ssh2
Oct  1 09:21:20 linuxmafia sshd[13779]: Failed password for illegal user test from 195.27.7.130 port 49399 ssh2

System Events
=-=-=-=-=-=-=
Oct  1 09:10:53 linuxmafia sshd[13456]: Did not receive identification string from 195.27.7.130
Oct  1 09:17:37 linuxmafia sshd[13519]: Illegal user patrick from 195.27.7.130
Oct  1 09:17:38 linuxmafia sshd[13519]: error: Could not get shadow information for NOUSER
Oct  1 09:17:39 linuxmafia sshd[13521]: Illegal user patrick from 195.27.7.130
Oct  1 09:17:39 linuxmafia sshd[13521]: error: Could not get shadow information for NOUSER
Oct  1 09:17:52 linuxmafia sshd[13537]: Illegal user rolo from 195.27.7.130
Oct  1 09:17:52 linuxmafia sshd[13537]: error: Could not get shadow information for NOUSER
Oct  1 09:17:54 linuxmafia sshd[13539]: Illegal user iceuser from 195.27.7.130
Oct  1 09:17:54 linuxmafia sshd[13539]: error: Could not get shadow information for NOUSER
Oct  1 09:17:56 linuxmafia sshd[13541]: Illegal user horde from 195.27.7.130
Oct  1 09:17:56 linuxmafia sshd[13541]: error: Could not get shadow information for NOUSER
Oct  1 09:17:58 linuxmafia sshd[13543]: Illegal user cyrus from 195.27.7.130
Oct  1 09:17:58 linuxmafia sshd[13543]: error: Could not get shadow information for NOUSER
Oct  1 09:18:00 linuxmafia sshd[13545]: Illegal user www from 195.27.7.130
Oct  1 09:18:00 linuxmafia sshd[13545]: error: Could not get shadow information for NOUSER
Oct  1 09:18:02 linuxmafia sshd[13547]: Illegal user wwwrun from 195.27.7.130
Oct  1 09:18:02 linuxmafia sshd[13547]: error: Could not get shadow information for NOUSER
Oct  1 09:18:05 linuxmafia sshd[13551]: Illegal user matt from 195.27.7.130
Oct  1 09:18:05 linuxmafia sshd[13551]: error: Could not get shadow information for NOUSER
Oct  1 09:18:06 linuxmafia sshd[13554]: Illegal user test from 195.27.7.130
Oct  1 09:18:07 linuxmafia sshd[13554]: error: Could not get shadow information for NOUSER
Oct  1 09:18:08 linuxmafia sshd[13556]: Illegal user test from 195.27.7.130
Oct  1 09:18:08 linuxmafia sshd[13556]: error: Could not get shadow information for NOUSER
Oct  1 09:18:10 linuxmafia sshd[13558]: Illegal user test from 195.27.7.130
Oct  1 09:18:11 linuxmafia sshd[13558]: error: Could not get shadow information for NOUSER
Oct  1 09:18:13 linuxmafia sshd[13562]: Illegal user test from 195.27.7.130
Oct  1 09:18:13 linuxmafia sshd[13562]: error: Could not get shadow information for NOUSER
Oct  1 09:18:22 linuxmafia sshd[13570]: Illegal user adm from 195.27.7.130
Oct  1 09:18:22 linuxmafia sshd[13570]: error: Could not get shadow information for NOUSER
Oct  1 09:18:24 linuxmafia sshd[13572]: Illegal user apache from 195.27.7.130
Oct  1 09:18:24 linuxmafia sshd[13572]: error: Could not get shadow information for NOUSER
Oct  1 09:18:31 linuxmafia sshd[13578]: Illegal user adm from 195.27.7.130
Oct  1 09:18:31 linuxmafia sshd[13578]: error: Could not get shadow information for NOUSER
Oct  1 09:18:39 linuxmafia sshd[13586]: Illegal user jane from 195.27.7.130
Oct  1 09:18:39 linuxmafia sshd[13586]: error: Could not get shadow information for NOUSER
Oct  1 09:18:41 linuxmafia sshd[13588]: Illegal user pamela from 195.27.7.130
Oct  1 09:18:41 linuxmafia sshd[13588]: error: Could not get shadow information for NOUSER
Oct  1 09:18:54 linuxmafia sshd[13602]: Illegal user cosmin from 195.27.7.130
Oct  1 09:18:54 linuxmafia sshd[13602]: error: Could not get shadow information for NOUSER
Oct  1 09:20:05 linuxmafia sshd[13697]: Illegal user cip52 from 195.27.7.130
Oct  1 09:20:06 linuxmafia sshd[13697]: error: Could not get shadow information for NOUSER
Oct  1 09:20:07 linuxmafia sshd[13699]: Illegal user cip51 from 195.27.7.130
Oct  1 09:20:07 linuxmafia sshd[13699]: error: Could not get shadow information for NOUSER
Oct  1 09:20:12 linuxmafia sshd[13705]: Illegal user noc from 195.27.7.130
Oct  1 09:20:12 linuxmafia sshd[13705]: error: Could not get shadow information for NOUSER
Oct  1 09:20:21 linuxmafia sshd[13722]: Illegal user webmaster from 195.27.7.130
Oct  1 09:20:22 linuxmafia sshd[13722]: error: Could not get shadow information for NOUSER
Oct  1 09:20:23 linuxmafia sshd[13724]: Illegal user data from 195.27.7.130
Oct  1 09:20:23 linuxmafia sshd[13724]: error: Could not get shadow information for NOUSER
Oct  1 09:20:25 linuxmafia sshd[13726]: Illegal user user from 195.27.7.130
Oct  1 09:20:25 linuxmafia sshd[13726]: error: Could not get shadow information for NOUSER
Oct  1 09:20:27 linuxmafia sshd[13728]: Illegal user user from 195.27.7.130
Oct  1 09:20:27 linuxmafia sshd[13728]: error: Could not get shadow information for NOUSER
Oct  1 09:20:29 linuxmafia sshd[13730]: Illegal user user from 195.27.7.130
Oct  1 09:20:29 linuxmafia sshd[13730]: error: Could not get shadow information for NOUSER
Oct  1 09:20:31 linuxmafia sshd[13734]: Illegal user web from 195.27.7.130
Oct  1 09:20:31 linuxmafia sshd[13734]: error: Could not get shadow information for NOUSER
Oct  1 09:20:33 linuxmafia sshd[13736]: Illegal user web from 195.27.7.130
Oct  1 09:20:33 linuxmafia sshd[13736]: error: Could not get shadow information for NOUSER
Oct  1 09:20:34 linuxmafia sshd[13738]: Illegal user oracle from 195.27.7.130
Oct  1 09:20:35 linuxmafia sshd[13738]: error: Could not get shadow information for NOUSER
Oct  1 09:20:39 linuxmafia sshd[13742]: Illegal user sybase from 195.27.7.130
Oct  1 09:20:39 linuxmafia sshd[13742]: error: Could not get shadow information for NOUSER
Oct  1 09:20:40 linuxmafia sshd[13744]: Illegal user master from 195.27.7.130
Oct  1 09:20:41 linuxmafia sshd[13744]: error: Could not get shadow information for NOUSER
Oct  1 09:20:42 linuxmafia sshd[13748]: Illegal user account from 195.27.7.130
Oct  1 09:20:42 linuxmafia sshd[13748]: error: Could not get shadow information for NOUSER
Oct  1 09:20:46 linuxmafia sshd[13752]: Illegal user server from 195.27.7.130
Oct  1 09:20:46 linuxmafia sshd[13752]: error: Could not get shadow information for NOUSER
Oct  1 09:20:48 linuxmafia sshd[13754]: Illegal user adam from 195.27.7.130
Oct  1 09:20:48 linuxmafia sshd[13754]: error: Could not get shadow information for NOUSER
Oct  1 09:20:51 linuxmafia sshd[13756]: Illegal user alan from 195.27.7.130
Oct  1 09:20:51 linuxmafia sshd[13756]: error: Could not get shadow information for NOUSER
Oct  1 09:20:56 linuxmafia sshd[13758]: Illegal user frank from 195.27.7.130
Oct  1 09:20:56 linuxmafia sshd[13758]: error: Could not get shadow information for NOUSER
Oct  1 09:20:58 linuxmafia sshd[13760]: Illegal user george from 195.27.7.130
Oct  1 09:20:58 linuxmafia sshd[13760]: error: Could not get shadow information for NOUSER
Oct  1 09:21:00 linuxmafia sshd[13762]: Illegal user henry from 195.27.7.130
Oct  1 09:21:00 linuxmafia sshd[13762]: error: Could not get shadow information for NOUSER
Oct  1 09:21:02 linuxmafia sshd[13766]: Illegal user john from 195.27.7.130
Oct  1 09:21:02 linuxmafia sshd[13766]: error: Could not get shadow information for NOUSER
Oct  1 09:21:19 linuxmafia sshd[13779]: Illegal user test from 195.27.7.130
Oct  1 09:21:20 linuxmafia sshd[13779]: error: Could not get shadow information for NOUSER
Oct  1 09:49:59 linuxmafia sshd[14198]: Bad protocol version identification 'CONNECT 82.96.96.3:802 HTTP/1.0' from 82.96.96.3
Oct  1 09:49:59 linuxmafia sshd[14199]: Bad protocol version identification 'cisco' from 82.96.96.3
Oct  1 09:49:59 linuxmafia sshd[14200]: Bad protocol version identification '82.96.96.3:802' from 82.96.96.3


----- End forwarded message -----



