Automated SSH attacks

David A. Bandel david.bandel at gmail.com
Fri Jul 31 05:15:02 PDT 2009


On Fri, Jul 31, 2009 at 03:21, Federico Voges <ftc at ftc.com.ar> wrote:
> david.bandel at gmail.com wrote:
>>
>> Folks,
>>
>> Well, I think I hit another milestone yesterday.  I had one firewall at a
>> client site that logged 66,352 login attempts (bad user or password) during
>> the 24 hours from 29-30 July.  That's nearly one attack per second all day
>> and all night long.  It's filling my syslog sql database log.  Gonna have to
>> purge some of the older syslog entries and vacuum the database.
>>
>> I remember when 6 attacks a night was a lot.
>>
>> Ciao,
>>
>> David A. Bandel
>>
>
> I've "fixed" the problem by changing the ssh port. It won't stop anyone
> trying to get into my server if they really want to, but it keeps my logs
> clean.
>
>
> If you go that route, I'd recommend that you create/edit your ~/.ssh/config
> so you don't have to specify the port on the command line:
>
> Host somehost.com
>  Port XXXX
>

On most of my systems, they're public key access only -- port doesn't
matter.  No key, the connection drops.  But this particular box is an
embedded system running dropbear.  Some changes are either painful
(require recompile) or just not possible to make (additional software
-- not enough space).  But the password is a good one, and even if
they got access, the only thing they could do is reconfigure it.  All
but some basic configs are on a squash file system.  And RAM is tight
as well.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
            - Nemesis Air Racing Team motto
Visit my blog at: http://www.pananix.com/cgi-bin/blosxom
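
To size the kind of log volume described in this thread, failed logins can be tallied per source address and per hour. The sketch below is an added example, not code from either poster. The sample lines are constructed, and the message wording is assumed to follow common OpenSSH and dropbear syslog formats.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the thread). Host name,
# PIDs and addresses are made up; the addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 29 00:00:01 fw dropbear[411]: Bad password attempt for 'root' from 203.0.113.7:40112
Jul 29 00:00:02 fw dropbear[412]: Login attempt for nonexistent user from 203.0.113.7:40113
Jul 29 00:00:03 fw dropbear[413]: Bad password attempt for 'admin' from 198.51.100.9:5211
Jul 29 00:00:04 fw sshd[500]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Jul 29 00:00:05 fw sshd[501]: Accepted publickey for david from 192.0.2.10 port 50000 ssh2
Jul 29 01:15:09 fw dropbear[414]: Bad password attempt for 'root' from 203.0.113.7:40200
"""

# Assumed message formats: OpenSSH "Failed password for ...", dropbear
# "Bad password attempt for ..." and "Login attempt for nonexistent user".
FAILED = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"(?:sshd|dropbear)\[\d+\]:\s+"
    r"(?:Failed password for (?:invalid user )?\S+"
    r"|Bad password attempt for '[^']*'"
    r"|Login attempt for nonexistent user)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)

def tally(log_text):
    """Count failed logins per source IP and per hour of day."""
    by_ip, by_hour = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # successful logins and unrelated lines are skipped
            by_ip[m.group("ip")] += 1
            by_hour[m.group("hour")] += 1
    return by_ip, by_hour

def noisy_sources(by_ip, threshold):
    """Sources with at least `threshold` failures, busiest first."""
    return [ip for ip, n in by_ip.most_common() if n >= threshold]

if __name__ == "__main__":
    by_ip, by_hour = tally(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f"{n:6d}  {ip}")
    print("per hour:", dict(sorted(by_hour.items())))
    print("sources with >= 3 failures:", noisy_sources(by_ip, 3))
```
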




More information about the Linux-users mailing list