"Philip D'Ath"
We are getting lots of requests at the moment trying to log into one of our boxes via SSH. It happens in 20 minute bursts, with a new request being tried every 6s. After the 20 minutes it goes away for 8 hours.
Does it look anything like this? http://www.k-otik.com/exploits/08202004.brutessh2.c.php
It appears to be a straight dictionary attack, with the attempts cycling through usernames like root, user, test, john, henry, george, frank, alan, adam, server, backup, account, master, sybase, oracle, web, data, webmaster, noc, cip51, cip52, cosmin, pamela, jane, adm, irc, apache, operator, mysql, www-data, matt, www, wwwrun, cyrus, horde, iceuser, rolo, patrick, nobody.
It spends most of its time trying to login as root.
The requests are mostly coming from Russia, with a couple of other IPs from other countries.
The device they are attempting to log into is not advertised in any way, so was probably picked up during a normal port scan.
For the moment I've limited connections to the box for SSH to only be accepted over IPSec, so that's the end of the login attempts.
Other things you can do are:
* run SSH on an alternate port
* restrict access only to trusted IPs
* turn off password authentication and use key-based instead.

The incidents mailing list[1] and http://isc.sans.org/ are good places to watch out for other people reporting this kind of thing. I think it's been going on for a couple of months now.

cheers,
Jamie

[1] http://www.securityfocus.com/popups/forums/incidents/intro.shtml

--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
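The pattern described in this thread (one failed login every few seconds from the same source, cycling through a list of usernames, mostly root) is easy to spot in sshd's syslog output. The following script is an added example, not code from either poster: it parses "Failed password" lines from an auth log, groups them by source IP, and flags any source with at least five failures inside a 20 minute window, reporting the usernames tried and the mean interval between attempts. The log lines are constructed samples (documentation-range addresses), the year is an assumption because syslog timestamps carry none, and the thresholds are parameters you would tune for your own hosts.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes; not real traffic.
SAMPLE_AUTH_LOG = """\
Aug 21 03:00:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Aug 21 03:00:07 host sshd[1203]: Failed password for root from 192.0.2.10 port 40130 ssh2
Aug 21 03:00:13 host sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 40140 ssh2
Aug 21 03:00:19 host sshd[1207]: Failed password for invalid user oracle from 192.0.2.10 port 40151 ssh2
Aug 21 03:00:25 host sshd[1209]: Failed password for root from 192.0.2.10 port 40160 ssh2
Aug 21 03:15:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.5 port 51000 ssh2
Aug 21 03:30:00 host sshd[1310]: Failed password for alice from 198.51.100.5 port 51010 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user test ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2004):
    """Return (timestamp, username, source_ip) for every failed-password line.
    Syslog timestamps have no year, so the caller supplies one (assumed here)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated daemons are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["ip"]))
    return failures


def find_dictionary_attacks(failures, min_attempts=5, window_seconds=20 * 60):
    """Flag source IPs with at least min_attempts failures inside any
    window_seconds span, using a sliding window over sorted timestamps."""
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((ts, user))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        flagged = False
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_attempts:
                flagged = True
                break
        if not flagged:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {
            "attempts": len(events),
            "users": sorted({u for _, u in events}),
            "first": times[0],
            "last": times[-1],
            "mean_gap_seconds": statistics.mean(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['attempts']} failures, users={info['users']}, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}, "
              f"mean gap {info['mean_gap_seconds']:.1f}s")
```

Run against a real /var/log/auth.log (or /var/log/secure) by reading the file into parse_failures; a single mistyped password, like the alice line above, stays below the threshold, while the steady six-second cadence from one address is reported with the username list, which is the detail worth comparing against the list Philip posted.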