I've recently discovered a curious pattern emerging in my system log with failed login attempts via ssh.
Previously, I noticed dictionary attacks being launched, which were easy to detect, and I have a process to block the IP address of any host that repeatedly fails to authenticate. What I see now is quite different. I'm seeing a dictionary attack originating from a wide range of IP addresses, testing usernames in sequence. It has been in progress since 22nd November 2008 and has tried 7195 usernames in alphabetical order from 521 distinct hosts, with no two successive attempts from the same host.

I'm not particularly concerned, since I'm confident that all my users have strong passwords... but it strikes me that this data identifies a botnet that is clearly malicious, attempting to break passwords. Sure, I could use iptables to block all these bad ports... or... I could disable password authentication entirely... but I keep thinking that there has to be something better I can do... any suggestions?

Is there a simple way to integrate a block-list of known-compromised hosts into iptables, rather like my postfix is configured to drop connections from known spam sources using the sbl-xbl.spamhaus.org DNS block list, for example?
Break-in attempts today (attempted username / IP address):

huck 190.60.41.82
huckleberry 81.196.122.2
huckleberry 58.39.145.213
huckleberry 60.230.184.143
hue 58.196.4.2
hue 83.228.92.228
huela 193.41.235.225
huela 193.41.235.225
huey 201.21.216.198
huey 81.149.101.27
hugh 200.123.174.145
hugh 83.228.92.228
hugh 212.46.24.146
hugo 195.234.169.138
hugo 193.86.111.6
hugo 201.224.199.201
hume 69.217.30.214
hume 80.118.132.88
hummer 71.166.159.177
hummer 200.126.119.91
hummer 61.4.210.33
humphrey 80.34.55.88
humphrey 213.163.19.158
humvee 85.222.53.48
humvee 80.24.4.23
hung 61.47.31.130
hung 70.46.140.187
hunter 67.40.86.204
hunter 83.228.92.228
hunter 200.60.156.90
huong 207.250.220.196
huong 125.63.77.3
huong 200.62.142.212
huslu 219.93.187.38
huslu 121.223.228.249
huslu 200.29.135.50
hussein 200.60.156.90
hussein 200.6.220.46
hussein 125.63.77.3
huy 60.191.111.234
huy 200.79.25.39
huyen 213.136.105.130
huyen 190.144.61.58
huyen 121.33.199.37
hy 121.33.199.37
hy 90.190.96.46
hyacinth 81.196.122.2
hyacinth 189.43.21.244
hyacinth 99.242.205.242
hyman 201.21.216.198
hypatia 218.28.143.246
hypatia 195.234.169.138
iain 200.118.119.48
iain 124.42.124.87
iain 194.224.118.61
ian 189.56.92.42
ian 201.28.119.60
ian 210.187.18.199
ianna 211.154.254.120
ianna 84.242.66.10
ianna 193.41.235.225
ianthe 81.246.26.179
ibtesam 87.30.163.87
ichabod 201.251.61.108
ida 62.61.141.93
ida 80.24.4.23
idalee 85.222.53.48
idalee 190.144.61.58
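The pattern the poster describes (usernames arriving in alphabetical order, each attempt from a different host) is invisible to a per-host failure counter, because no single host ever crosses the threshold. The script below is an added example, not code from the original post: it parses sshd "Failed password" lines, applies the classic per-host rule alongside a detector for the distributed alphabetical sweep, builds the reversed-octet name a DNSBL such as sbl-xbl.spamhaus.org is queried with, and emits ipset/iptables commands for the hosts it flags. The log lines are constructed (the sweep entries reuse IPs listed in the post), the `min_hosts` and `threshold` values are arbitrary choices, and the ipset commands assume a current ipset with the `-m set --match-set` iptables match, not the 2008-era syntax.

```python
import re
from collections import Counter

# Constructed sample of sshd auth-log lines (not taken from the post's log): a single-host
# password burst against "root", then a slow alphabetical sweep with one host per attempt.
# Only "Failed password" lines are used, so each real attempt is counted exactly once
# (sshd also logs a separate "Invalid user ..." line for unknown accounts).
SAMPLE_LOG = """\
Nov 23 02:34:01 mail sshd[2412]: Failed password for root from 10.9.8.7 port 40001 ssh2
Nov 23 02:34:02 mail sshd[2412]: Failed password for root from 10.9.8.7 port 40001 ssh2
Nov 23 02:34:03 mail sshd[2412]: Failed password for root from 10.9.8.7 port 40001 ssh2
Nov 23 02:34:04 mail sshd[2412]: Failed password for root from 10.9.8.7 port 40001 ssh2
Nov 23 02:34:05 mail sshd[2412]: Failed password for root from 10.9.8.7 port 40001 ssh2
Nov 23 02:41:04 mail sshd[2445]: Failed password for invalid user huck from 190.60.41.82 port 3344 ssh2
Nov 23 02:43:51 mail sshd[2451]: Failed password for invalid user huckleberry from 81.196.122.2 port 1201 ssh2
Nov 23 02:46:20 mail sshd[2460]: Failed password for invalid user huckleberry from 58.39.145.213 port 2210 ssh2
Nov 23 02:49:07 mail sshd[2468]: Failed password for invalid user hue from 58.196.4.2 port 4510 ssh2
Nov 23 02:51:40 mail sshd[2474]: Failed password for invalid user huela from 193.41.235.225 port 3901 ssh2
Nov 23 02:54:12 mail sshd[2480]: Failed password for invalid user huey from 201.21.216.198 port 2077 ssh2
Nov 23 02:56:55 mail sshd[2491]: Failed password for invalid user hugh from 200.123.174.145 port 1188 ssh2
Nov 23 02:59:30 mail sshd[2499]: Failed password for invalid user hugo from 195.234.169.138 port 3322 ssh2
Nov 23 03:01:02 mail sshd[2502]: Failed password for invalid user hume from 69.217.30.214 port 4003 ssh2
Nov 23 03:03:48 mail sshd[2510]: Failed password for invalid user hummer from 71.166.159.177 port 2840 ssh2
"""

FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Return (username, ip) pairs for every failed password attempt, in log order."""
    matches = (FAIL_RE.search(line) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]


def per_host_offenders(attempts, threshold=5):
    """Classic rule: any single host with at least `threshold` failures."""
    counts = Counter(ip for _, ip in attempts)
    return {ip for ip, n in counts.items() if n >= threshold}


def _flag_if_sweep(run, min_hosts, flagged):
    """Record every host in `run` if the run spans at least `min_hosts` distinct hosts."""
    hosts = {ip for _, ip in run}
    if len(hosts) >= min_hosts:
        flagged.update(hosts)


def find_distributed_sweep(attempts, min_hosts=6):
    """Detect the distributed sweep: usernames arrive in alphabetical (non-decreasing)
    order while consecutive attempts come from different hosts. A run is broken when the
    username goes backwards or the same host tries twice in a row; a run covering
    `min_hosts` distinct hosts is flagged. Returns the set of participating hosts."""
    flagged, run = set(), []
    for user, ip in attempts:
        if run and (user < run[-1][0] or ip == run[-1][1]):
            _flag_if_sweep(run, min_hosts, flagged)
            run = []
        run.append((user, ip))
    _flag_if_sweep(run, min_hosts, flagged)
    return flagged


def dnsbl_query_name(ip, zone):
    """Name to resolve for a DNSBL lookup of `ip`: octets reversed, then the list zone.
    A listed host answers with an A record; resolution itself is left to the caller."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def ipset_commands(ips, setname="ssh_sweep"):
    """Shell commands that load the hosts into an ipset and drop their SSH connections.
    Assumes current ipset/iptables syntax (hypothetical set name, `-exist` keeps reruns idempotent)."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in sorted(ips)]
    cmds.append(f"iptables -I INPUT -p tcp --dport 22 -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    attempts = parse_failures(SAMPLE_LOG)
    print("per-host offenders:", sorted(per_host_offenders(attempts)))
    sweep = find_distributed_sweep(attempts)
    print("distributed sweep hosts:", len(sweep))
    for cmd in ipset_commands(sweep | per_host_offenders(attempts)):
        print(cmd)
    print("DNSBL lookup name:", dnsbl_query_name("190.60.41.82", "sbl-xbl.spamhaus.org"))
```

The two rules are complementary: the single-host burst against root is caught only by the per-host counter (its run is broken on every repeat of the same IP, so it never reaches `min_hosts`), while the sweep hosts, each seen once, are caught only by the ordering detector. Feeding the hosts into an ipset rather than one iptables rule each keeps the rule table flat as the list grows into the hundreds, and the DNSBL name builder is the piece to combine with a resolver lookup if a list covering the offending hosts is found.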