[Triumf-linux-managers] SSH worm, maybe ?

Andrew Daviel advax at triumf.ca
Thu Jan 21 18:41:11 PST 2010



I noticed a huge uptick in SSH bruteforcing attempts on the weekend 
(100x, see graph), and somewhat again today.
I also see thousands of attempts at home (Shaw).

Most of the machines attacking seem to be running ssh server themselves,
and a couple were obvious SUSE Linux machines (webserver HTTP headers).
I'm wondering if there is some worm going around, or at least a semi-automated 
process.

http://trweb.triumf.ca/triumf_nodeinfo/blocks/block-ssh.2.html   List
http://trweb.triumf.ca/triumf_nodeinfo/blocks/block-ssh-log.png  Graph
http://isc.sans.org/port.html?port=22    - SANS global reports

I have some old logs from last year showing mostly attempts on root. Right now 
the blocking script is working properly so I haven't logged any passwords
http://andrew.triumf.ca/ssh_pass_file2.html

Personally I recommend setting in (/etc/ssh/sshd_config)
   PermitRootLogin without-password
and maybe even (if you can live with keyed access only)
   PasswordAuthentication no
as an extra safeguard in case the blocker fails.
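An added example, not code from the original post: it reads a constructed sshd_config the way sshd does (the first occurrence of a keyword wins, lines after a Match block are conditional) and reports whether the two settings above are actually in effect. The defaults it assumes for absent keywords are those of OpenSSH releases before 7.0, which is an assumption.

```python
import re

# Acceptable global-scope values. "without-password" is the older spelling of
# "prohibit-password"; both restrict root to key-based login.
SAFE_VALUES = {
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
    "passwordauthentication": {"no"},
}
# Values sshd uses when the keyword is absent (assumption: an OpenSSH
# release before 7.0, where PermitRootLogin still defaulted to "yes").
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def effective_settings(config_text):
    """Global-scope {keyword: value} as sshd reads it: the first occurrence
    of a keyword wins, later ones are ignored, and lines after the first
    'Match' are conditional rather than global."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                # keywords are case-insensitive
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def audit(config_text):
    """Return [(keyword, effective_value)] for settings that are weak."""
    effective = effective_settings(config_text)
    return [(k, effective.get(k, DEFAULTS[k]))
            for k, safe in SAFE_VALUES.items()
            if effective.get(k, DEFAULTS[k]) not in safe]


# Constructed sample: hardening lines were appended, but the earlier
# 'PermitRootLogin yes' wins, so root password logins are still allowed.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin without-password   # ignored: first occurrence wins
Match User backup
    PasswordAuthentication yes
"""
```

Running `audit(SAMPLE_CONFIG)` returns `[('permitrootlogin', 'yes')]`, which is the pitfall the audit is meant to catch: the intended setting is in the file but not in effect.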

Of course, setting a genuinely strong password *should* work, unless you just 
happen to have one that's in the list, that they got from keylogging somewhere.

http://isc.sans.org/diary.html?storyid=7855#comment


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
