Re: Dictionary attacks over ssh

From: Adam bultman <adamb@glaven.org>
Date: Fri Nov 19 2004 - 13:07:06 AKST

Yeah, these have been going around for a long time. I've got logwatch
entries from ages ago with this type of stuff in it.

As long as you have decent passwords on accounts, and make sure that you
don't enable any default-disabled accounts on your system, you should
be fine. The most connects I've had from a single host is usually in
the 1200 to 2500 range; by and large not an exhaustive list of usernames
and passwords.

I personally have to allow passwords; as well as root access to machines
I have exposed (and ones I don't - if you have a box with a full
filesystem, you might not be able to log in if you aren't root, and I'd
*never ever* set up keyed auth for root, ever). If you work remotely,
or have to 'borrow' someone's laptop to get into your machines because
of an alarm, if you don't happen to have that key handy, you're pooched
(and sometimes, the extra hassle of a thumbdrive is too much - plus,
it's just one more thing to have to bring with me wherever I go, in
addition to a phone).

I make sure I have decent passwords, and rest easily knowing that I'm
fairly script-kiddie proof. I have keys for machines I log into
repeatedly to save time, and keystrokes (like login servers) but
typically avoid using keys as well, since it takes one broken account to
ruin a whole server (and if you have keys installed, it's simply a
matter of using that account, and hopping where they want).

Adam

Damien Hull wrote:

>Someone is doing a lot of dictionary attacks over ssh. Found this in my
>logs.
>
>Nov 18 19:11:36 tower1 sshd[15507]: Failed password for illegal user
>home from 217.222.89.228 port 52073 ssh2
>Nov 18 19:11:39 tower1 sshd[15510]: Failed password for ftp from
>217.222.89.228 port 52257 ssh2
>Nov 18 19:11:39 tower1 sshd[15509]: Failed password for ftp from
>217.222.89.228 port 52257 ssh2
>Nov 18 19:11:41 tower1 sshd[15512]: Failed password for root from
>217.222.89.228 port 52449 ssh2
>Nov 18 19:11:41 tower1 sshd[15511]: Failed password for root from
>217.222.89.228 port 52449 ssh2
>Nov 18 19:11:44 tower1 sshd[15514]: Failed password for root from
>217.222.89.228 port 52653 ssh2
>Nov 18 19:11:44 tower1 sshd[15513]: Failed password for root from
>217.222.89.228 port 52653 ssh2
>Nov 18 19:11:47 tower1 sshd[15515]: Illegal user router from
>217.222.89.228
>Nov 18 19:11:47 tower1 sshd[15516]: input_userauth_request: illegal user
>router
>Nov 18 19:11:47 tower1 sshd[15515]: Failed password for illegal user
>router from 217.222.89.228 port 52851 ssh2
>Nov 18 19:11:50 tower1 sshd[15518]: Failed password for games from
>217.222.89.228 port 53068 ssh2
>Nov 18 19:11:50 tower1 sshd[15517]: Failed password for games from
>217.222.89.228 port 53068 ssh2
>
>Did some research and posted that on my website.
>www.digitaloverload.net
>
>This is the reason I switched to public key authentication.
>
>

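The log excerpt quoted above is the kind of thing a small log-watching script can pick out automatically. The following is an added example, not code from either poster: it parses sshd "Failed password" lines, groups them by source address, and flags sources that fail many times against many different usernames, which is the signature of a scripted dictionary run rather than a user mistyping one password. The sample lines are modelled on the quoted log, plus two constructed benign lines from an assumed address 192.0.2.10; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample: five lines modelled on the quoted log, plus two
# benign lines (one typo, one key-based login) from a made-up address.
SAMPLE_LOG = """\
Nov 18 19:11:36 tower1 sshd[15507]: Failed password for illegal user home from 217.222.89.228 port 52073 ssh2
Nov 18 19:11:39 tower1 sshd[15510]: Failed password for ftp from 217.222.89.228 port 52257 ssh2
Nov 18 19:11:41 tower1 sshd[15512]: Failed password for root from 217.222.89.228 port 52449 ssh2
Nov 18 19:11:47 tower1 sshd[15515]: Failed password for illegal user router from 217.222.89.228 port 52851 ssh2
Nov 18 19:11:50 tower1 sshd[15518]: Failed password for games from 217.222.89.228 port 53068 ssh2
Nov 18 19:12:02 tower1 sshd[15520]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Nov 18 19:12:30 tower1 sshd[15521]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

# "illegal user " is an optional prefix in this OpenSSH log format.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarize_failures(log_text):
    """Group failed-password events by source IP: total failures, the set of
    usernames tried, how many targeted non-existent accounts, and how many
    targeted root."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "illegal": 0, "root": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other sshd messages are ignored
        rec = per_ip[m.group("ip")]
        rec["failures"] += 1
        rec["users"].add(m.group("user"))
        if m.group("illegal"):
            rec["illegal"] += 1
        if m.group("user") == "root":
            rec["root"] += 1
    return per_ip


def flag_dictionary_attacks(log_text, min_failures=5, min_users=3):
    """Return source IPs whose failures span many distinct usernames
    (assumed thresholds); a single user fat-fingering one password never
    trips this, a username-list run does."""
    flagged = []
    for ip, rec in summarize_failures(log_text).items():
        if rec["failures"] >= min_failures and len(rec["users"]) >= min_users:
            flagged.append(ip)
    return sorted(flagged)
```

Feeding the flagged list into a host firewall or a deny list is the usual next step; the per-IP "illegal" and "root" counts are worth keeping in the alert since they show whether the run is guessing account names or hammering root specifically.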
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Nov 19 13:07:03 2004

This archive was generated by hypermail 2.1.8 : Fri Nov 19 2004 - 13:07:03 AKST