Cc: Noah Meyerhans
Subject: Re: [sec] Re: failed root login attempts
* Quoting Phillip Hofmeister ([EMAIL PROTECTED]):
> On Tue, 28 Sep 2004 at 09:18:51PM -0400, Noah Meyerhans wrote:
> > That doesn't seem to be the case. The most common one uses
> > root/test/guest, but there are more that seem to be based on the same
> > code. They all disconnect by sending the
On Tue, 28 Sep 2004 at 09:18:51PM -0400, Noah Meyerhans wrote:
> That doesn't seem to be the case. The most common one uses
> root/test/guest, but there are more that seem to be based on the same
> code. They all disconnect by sending the string "Bye Bye", e.g.:
> sshd[13613]: Received disconnect
On Tue, Sep 28, 2004 at 08:23:49PM -0300, Peter Cordes wrote:
> Not if the pattern you want to ignore is more than one line. egrep is
> purely line-by-line. This worm (or script-kiddie zombie?) always tries
> root, admin, then test, ...
That doesn't seem to be the case. The most common one use
On Tue, Sep 21, 2004 at 01:45:46PM +0100, Steve Kemp wrote:
> On Sun, 19 Sep 2004, martin f krafft wrote:
>
> > > If you ask me, logcheck should learn how to evaluate log messages in
> > > their context...
>
> If you want to have instant alerts of problems then logcheck is
> what you want.
On Sun, 19 Sep 2004, martin f krafft wrote:
> > If you ask me, logcheck should learn how to evaluate log messages in
> > their context...
If you want to have instant alerts of problems then logcheck is
what you want. If you to ignore some things and still receive timely
alerts then you're
> this point, though, just to shut up logcheck without telling it to
> > ignore all failed root login attempts.
>
> If you ask me, logcheck should learn how to evaluate log messages in
> their context...
hmm there are ideas for logcheck after sarge+1, please elaborate.
ATM logcheck
David Thurman wrote:
| On 9/19/04 1:30 PM, "martin f krafft" wrote:
|
|
|>Other than blacklisting the IPs (which is a race I am going to
|>lose), what are people doing? Are there any distinctive marks in the
|>SSH login attempt that one could filter on?
f scanning and have it automatically manipulate access lists on
> the routers, I'm not sure I really like the idea. I'm sort of leaning
> in that direction, at this point, though, just to shut up logcheck
> without telling it to ignore all failed root login attempts.
This
On 9/19/04 1:30 PM, "martin f krafft" wrote:
> Other than blacklisting the IPs (which is a race I am going to
> lose), what are people doing? Are there any distinctive marks in the
> SSH login attempt that one could filter on?
We are using our hosts.deny files to stop all ssh attempts from ALL IP
also sprach Arthur de Jong <[EMAIL PROTECTED]> [2004.09.20.1201 +0200]:
> sshd[21195]: debug1: no match: libssh-0.1
I wonder whether sshd could be somehow made to just ignore when the
banner does not match.
> I'm not particularly worried since I have PermitRootLogin
> without-password in /etc/ssh
On Sun, 19 Sep 2004, martin f krafft wrote:
> Are there any distinctive marks in the SSH login attempt that one could
> filter on?
The volume in attempts isn't as high here as on your system but this is
what I got when I set loglevel to debug:
sshd[
On Sun, Sep 19, 2004 at 04:16:39PM -0400, Noah Meyerhans wrote:
interfere with any random login based password guessing. Especially
since, from what I hear about this scanner that's responsible for all
these login attempts, it's trying mind-numbingly simple passwords, like
root/root, guest/guest,
martin f krafft <[EMAIL PROTECTED]> writes:
> Are there any distinctive marks in the SSH login attempt that one
> could filter on?
Yes, the SSH banner: my honeyd logs show that of all such attempts, 63%
use the banner 'SSH-2.0-windrone2', 35% use the banner
'SSH-2.0-libssh-0.1'.
> scripts to react to this kind of scanning and have it
> automatically manipulate access lists on the routers, I'm not sure
> I really like the idea. I'm sort of leaning in that direction, at
> this point, though, just to shut up logcheck without telling it to
> ignore all fa
lly manipulate access lists on
the routers, I'm not sure I really like the idea. I'm sort of leaning
in that direction, at this point, though, just to shut up logcheck
without telling it to ignore all failed root login attempts.
noah
On Sun, Sep 19, 2004 at 09:53:23PM +0200, Bernd Eckenfels wrote:
> You can either move your ssh to another port, that will greatly reduce the
> distributed brute force attacks, or you can put a filter with port knocking
> in front of it. Another option is to turn off password authentication,
> comp
also sprach Bernd Eckenfels <[EMAIL PROTECTED]> [2004.09.19.2153 +0200]:
> You can either move your ssh to another port, that will greatly
> reduce the distributed brute force attacks, or you can put
> a filter with port knocking in front of it. Another option is to
> turn off password authenticati
In article <[EMAIL PROTECTED]> you wrote:
> Other than blacklisting the IPs (which is a race I am going to
> lose), what are people doing? Are there any distinctive marks in the
> SSH login attempt that one could filter on?
You can either move your ssh to another port, that will greatly reduce the
also sprach Dossy Shiobara <[EMAIL PROTECTED]> [2004.09.19.2203 +0200]:
> > If I notice the scan immediately, I will occasionally blackhole
> > the source IP at our network border, but it's rare that I notice
> > in time.
>
> That's why I suggested writing something that tail's the syslog
> and de
On 2004.09.19, Noah Meyerhans <[EMAIL PROTECTED]> wrote:
> If I notice the scan immediately, I will occasionally blackhole the
> source IP at our network border, but it's rare that I notice in time.
That's why I suggested writing something that tail's the syslog and
detects the scan immediately ..
On Sun, Sep 19, 2004 at 02:42:08PM -0400, Dossy Shiobara wrote:
> > Other than blacklisting the IPs (which is a race I am going to
> > lose),
>
> Why do you say that? I haven't seen this more than a few times a week
> so I haven't bothered to do anything yet, but I'm very close to writing
> a scr
On Sun, 19 Sep 2004, Dossy Shiobara wrote:
> On 2004.09.19, martin f krafft <[EMAIL PROTECTED]> wrote:
> > Other than blacklisting the IPs (which is a race I am going to
> > lose),
> Why do you say that? I haven't seen this more than a few times a week
> so I haven't bothered to do anything yet, b
On 2004.09.19, martin f krafft <[EMAIL PROTECTED]> wrote:
> Other than blacklisting the IPs (which is a race I am going to
> lose),
Why do you say that? I haven't seen this more than a few times a week
so I haven't bothered to do anything yet, but I'm very close to writing
a script that tail's th
I am seeing millions (literally) of these in the logs of my
machines:
sshd[30216]: Failed password for root from 203.71.62.9 port 35778 ssh2
I understand that this is some kind of virus, but it's not making me
very happy because logcheck and some of our IDS systems are
going haywire, creati