

Modify Remote Login server to block scripted attacks
Authored by: geohar on Feb 11, '05 04:04:48PM

Damn! Me too!

I'd be really interested to see how many folks out there have been scanned / had breakin attempted. Any chance you could run a poll rob?

You can determine this with

zgrep sshd /var/log/system.log.[0-9].gz | grep "Illegal user" | less

regardless of which shell.



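An added example, not part of the original comment, that extends the zgrep one-liner above into a small shell summary of the "Illegal user" attempts by source address and by guessed username (newer OpenSSH versions log "Invalid user" instead, which it also matches). The log lines, the hostname mymac and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Reads syslog text on stdin so it
# can be fed from rotated logs, e.g.:
#   zcat /var/log/system.log.[0-9].gz | count_by_source
# Matches both the old "Illegal user" and the newer "Invalid user" message.

# Print one "user addr" pair per failed-username attempt.
summarize_illegal_users() {
    awk '/sshd\[[0-9]+\]: (Illegal|Invalid) user / {
        u = ""; a = ""
        for (i = 1; i < NF; i++) {
            if ($i == "user") u = $(i + 1)   # guessed username
            if ($i == "from") a = $(i + 1)   # source address
        }
        if (u != "" && a != "") print u, a
    }'
}

# Attempts per source address, most active first (uniq -c count, then addr).
count_by_source() {
    summarize_illegal_users | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Attempts per guessed username, most frequent first.
count_by_user() {
    summarize_illegal_users | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Number of distinct source addresses seen (tr strips wc's padding on BSD).
distinct_sources() {
    summarize_illegal_users | awk '{print $2}' | sort -u | wc -l | tr -d ' '
}

# Constructed sample log; the last line is a legitimate login and must be ignored.
SAMPLE_LOG='Feb 11 03:12:01 mymac sshd[1201]: Illegal user test from 192.0.2.10
Feb 11 03:12:04 mymac sshd[1203]: Illegal user admin from 192.0.2.10
Feb 11 03:12:07 mymac sshd[1205]: Illegal user guest from 192.0.2.10
Feb 11 09:40:22 mymac sshd[1820]: Illegal user test from 198.51.100.7
Feb 11 09:40:25 mymac sshd[1822]: Invalid user mary from 198.51.100.7
Feb 11 09:41:00 mymac sshd[1830]: Accepted publickey for bob from 203.0.113.5 port 4242 ssh2'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_by_source
    printf '%s\n' "$SAMPLE_LOG" | count_by_user
fi
```

Run with `--demo` to see the summary of the sample lines; on a live system pipe the rotated logs in as shown in the header comment.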
Modify Remote Login server to block scripted attacks
Authored by: daveschroeder on Feb 11, '05 04:31:41PM

No need to run a poll:

I can tell you right now, pretty much ANY host that has port 22 (SSH) open on a public network for any amount of time has been hit with one of these scripts, period.[1]

There is no need for a "poll". This is *OLD* news; these scripts have been going around forever, and all of our UNIX machines get attempts against them several times a day. I'm surprised to see the reaction here, but really, this is *super old* and nothing to worry or poll about. No Mac OS X user with decent password(s) on their account(s) needs to worry about these attacks.

[1] Of course, IP ranges have to be programmed into these scripts; common things to hit will be IP ranges of universities and other academic institutions, home broadband networks, and other public networks. Some people on obscure networks might never be scanned. But, as a rule, almost any host on any public, especially university, network will have been.



One more note:
Authored by: daveschroeder on Feb 11, '05 04:36:49PM

If we want to be paranoid about things, why not also go through your apache logs? I guarantee you will see dozens, if not hundreds, of attempts to "exploit" various vulnerabilities (usually in IIS). Should we go out of our way to "block" those hosts? If you have that kind of time on your hands, knock yourself out. But if you're running a secure configuration - as a fully patched Mac OS X installation in its default configuration is - and have strong passwords (and, for home users, operate behind a hardware NAT/firewall appliance such as a Linksys router or AirPort Base Station), there is no need to jump through all sorts of hoops to "protect" yourself from these myriad scripts.

Note: if someone WANTS to go through the motions of allowing only themselves, firewalling everyone except hosts they themselves connect from, etc., that's perfectly fine. But there is no need to panic about this, or think this is something new when it's extremely old (in internet terms, at least), and is, as I said, nothing to worry about if you have strong passwords. These scripts are doing nothing more than trying common username/password pairs, like mary/mary, test/test, admin/admin, tom/tom, etc., and whatever else people have programmed them to do. They're nothing special.



Modify Remote Login server to block scripted attacks
Authored by: Schamschula on Feb 11, '05 05:02:36PM
I use logcheck to automatically scan my logs for 'unusual' activity and send me an e-mail if something has happened.

Answering your question, this sort of thing happens on a regular basis. The number of accounts that a given script attempts to compromise varies greatly.

I currently see one of these attacks on my server per day on average.
