Welcome to the JaguarPC Community
JaguarPC
Page 1 of 2, results 1 to 15 of 16

This is a discussion on Brute Force Attack? Should I investigate or not? in the VPS & Dedicated forum

  1. #1
    JPC Addict
    Join Date
    Jul 2005
    Location
    Uk
    Posts
    128

    Brute Force Attack? Should I investigate or not?

    I recently received a Brute Force warning from my VPS; this has been like the first time in a while since I received one. Obviously I was considering investigating further, but then I thought it's probable that the "attacker" has a dynamic IP, so it would be pretty pointless, don't you think, for me to try to. Since it was a day ago and all?

    Can anyone recommend what I should do? I don't really see this as much of a threat because the "attacker" has been banned by APF/BFD.

    Code:
    Executed ban command:
    /etc/apf/apf -d 220.134.159.73 {bfd.sshd}
    
    The following are event logs from 220.134.159.73 on service sshd (all time stamps are GMT +0000):
    
    Mar 24 23:04:48 heather sshd[22699]: Did not receive identification string from 220.134.159.73
    Mar 24 23:04:48 heather sshd[22700]: Did not receive identification string from 220.134.159.73
    Mar 24 23:04:48 heather sshd[22702]: Did not receive identification string from 220.134.159.73
    Mar 24 23:04:48 heather sshd[22704]: Did not receive identification string from 220.134.159.73
    Mar 24 23:25:35 heather sshd[28161]: Failed password for root from 220.134.159.73 port 3648 ssh2
    Mar 24 23:25:35 heather sshd[28194]: Failed password for root from 220.134.159.73 port 3650 ssh2
    Mar 24 23:25:36 heather sshd[28867]: Failed password for root from 220.134.159.73 port 3737 ssh2
    Mar 24 23:25:36 heather sshd[28960]: Failed password for root from 220.134.159.73 port 3766 ssh2
    Mar 24 23:25:41 heather sshd[31331]: Illegal user admin from 220.134.159.73
    Mar 24 23:25:42 heather sshd[32005]: Illegal user admin from 220.134.159.73
    Mar 24 23:25:43 heather sshd[31331]: Failed password for illegal user admin from 220.134.159.73 port 4570 ssh2
    Mar 24 23:25:43 heather sshd[31298]: Illegal user admin from 220.134.159.73
    Mar 24 23:25:44 heather sshd[32005]: Failed password for illegal user admin from 220.134.159.73 port 4634 ssh2
    Mar 24 23:25:46 heather sshd[31298]: Failed password for illegal user admin from 220.134.159.73 port 4567 ssh2
    Mar 24 23:25:47 heather sshd[31936]: Illegal user admin from 220.134.159.73
    Mar 24 23:25:49 heather sshd[3862]: Illegal user test from 220.134.159.73
    Mar 24 23:25:49 heather sshd[31936]: Failed password for illegal user admin from 220.134.159.73 port 4632 ssh2
    Mar 24 23:25:51 heather sshd[3862]: Failed password for illegal user test from 220.134.159.73 port 1357 ssh2
    Mar 24 23:25:55 heather sshd[5376]: Illegal user test from 220.134.159.73
    Mar 24 23:25:57 heather sshd[5376]: Failed password for illegal user test from 220.134.159.73 port 2125 ssh2

  2. #2
    JPC Addict
    Join Date
    Jul 2005
    Location
    Uk
    Posts
    128
    Oh, and no surprise that it's a blacklisted IP from Taiwan. I keep getting attempted SMTP connections from Taiwan IPs which I just dismiss since they never get through.

  3. #3
    Gwaihir (the Windlord)
    Join Date
    Jun 2002
    Posts
    2,562
    I don't think many people try this kind of thing from their home. When I looked into this type of thing I found the IPs to be from compromised boxes all over the world. Investigating and sending abuse complaints does therefore help, as the owners of those boxes are generally not aware of the problem till someone points it out and they will fix it. Then again it helps mainly the owners, not you; their box being compromised is really their problem and reporting it doesn't mean there's no others left to come back and try.

    Who uses that ssh anyway? Quite probably just you? Then why don't you allow access only from your own IP (or IPs / IP range) and just ignore any others trying to connect to it?
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  4. #4
    JPC Addict
    Join Date
    Jul 2005
    Location
    Uk
    Posts
    128
    About emailing the box owner, I'm pretty sure that it is actually a box dedicated to doing this kind of thing. It's been blacklisted for quite some time.

    Yeah, I was going to disable root login and just use my keys that I have set up (for my normal user, and then su in). But then I thought, what about support, if they needed to connect when I had a problem? I suppose I could just change the setting as and when. I've also tried binding ssh to one port and one IP but it still accepts connections on my other IPs. Hmmm, I'll investigate a little further.
    Last edited by Awalsh; 03-25-2006 at 01:16 PM.

  5. #5
    JPC Member
    Join Date
    May 2005
    Posts
    44
    I don't get any of that in my logs

    I'm just using an ordinary firewall and changed the default shell port to something else.

  6. #6
    JPC Addict
    Join Date
    Jul 2005
    Location
    Uk
    Posts
    128
    I'm using APF and BFD (see the guide in this forum if you don't have them). It's pretty good; I think I'll let this one slip.

  7. #7
    JPC Addict
    Join Date
    Jul 2005
    Location
    Uk
    Posts
    128
    Got another now.... Apparently from a JaguarPC server in another datacenter, according to support. (151 attempts is a little excessive for a "mistake"; support suggested that I contact the name on the IP address and ask why, which seems a little weird when it's apparently a JaguarPC IP and all.)

    Code:
    Mar 26 10:18:11 heather sshd[16389]: Did not receive identification string from 209.51.147.218
    Mar 26 10:18:11 heather sshd[16396]: Did not receive identification string from 209.51.147.218
    Mar 26 10:18:11 heather sshd[16397]: Did not receive identification string from 209.51.147.218
    Mar 26 10:18:11 heather sshd[16398]: Did not receive identification string from 209.51.147.218
    Mar 26 11:09:13 heather sshd[26115]: Did not receive identification string from 209.51.147.218
    Mar 26 11:09:13 heather sshd[26148]: Did not receive identification string from 209.51.147.218
    Mar 26 11:09:13 heather sshd[26178]: Did not receive identification string from 209.51.147.218
    Mar 26 11:09:13 heather sshd[26210]: Did not receive identification string from 209.51.147.218
    Mar 26 17:58:50 heather sshd[4225]: Failed password for root from 209.51.147.218 port 57204 ssh2
    Mar 26 17:58:51 heather sshd[4833]: Failed password for root from 209.51.147.218 port 57218 ssh2
    Mar 26 17:58:51 heather sshd[4960]: Failed password for root from 209.51.147.218 port 57225 ssh2
    Mar 26 17:58:51 heather sshd[5505]: Failed password for root from 209.51.147.218 port 57236 ssh2
    Mar 26 17:58:53 heather sshd[6049]: Failed password for root from 209.51.147.218 port 57271 ssh2
    Mar 26 17:58:54 heather sshd[6599]: Failed password for root from 209.51.147.218 port 57283 ssh2
    Mar 26 17:58:54 heather sshd[6721]: Failed password for root from 209.51.147.218 port 57284 ssh2
    Mar 26 17:58:54 heather sshd[7395]: Failed password for root from 209.51.147.218 port 57293 ssh2
    Mar 26 17:58:55 heather sshd[9602]: Failed password for root from 209.51.147.218 port 57322 ssh2
    Mar 26 17:58:56 heather sshd[10945]: Failed password for root from 209.51.147.218 port 57351 ssh2
    Mar 26 17:58:57 heather sshd[11042]: Failed password for root from 209.51.147.218 port 57359 ssh2
    Mar 26 17:58:57 heather sshd[11584]: Failed password for root from 209.51.147.218 port 57369 ssh2
    Mar 26 17:58:58 heather sshd[12772]: Failed password for root from 209.51.147.218 port 57410 ssh2
    Mar 26 17:58:59 heather sshd[14080]: Failed password for root from 209.51.147.218 port 57440 ssh2
    Mar 26 17:58:59 heather sshd[14241]: Failed password for root from 209.51.147.218 port 57443 ssh2
    Mar 26 17:59:00 heather sshd[14277]: Failed password for root from 209.51.147.218 port 57447 ssh2
    Mar 26 17:59:01 heather sshd[15712]: Failed password for root from 209.51.147.218 port 57479 ssh2
    Mar 26 17:59:02 heather sshd[16599]: Failed password for root from 209.51.147.218 port 57519 ssh2
    Mar 26 17:59:02 heather sshd[16800]: Failed password for root from 209.51.147.218 port 57523 ssh2
    Mar 26 17:59:02 heather sshd[17313]: Failed password for root from 209.51.147.218 port 57528 ssh2
    Mar 26 17:59:04 heather sshd[18848]: Failed password for root from 209.51.147.218 port 57551 ssh2
    Mar 26 17:59:05 heather sshd[19362]: Failed password for root from 209.51.147.218 port 57593 ssh2
    Mar 26 17:59:05 heather sshd[19650]: Failed password for root from 209.51.147.218 port 57596 ssh2
    Mar 26 17:59:05 heather sshd[20160]: Failed password for root from 209.51.147.218 port 57604 ssh2
    Mar 26 17:59:06 heather sshd[22113]: Failed password for root from 209.51.147.218 port 57633 ssh2
    Mar 26 17:59:07 heather sshd[22979]: Failed password for root from 209.51.147.218 port 57685 ssh2
    Mar 26 17:59:08 heather sshd[23169]: Failed password for root from 209.51.147.218 port 57688 ssh2
    Mar 26 17:59:08 heather sshd[23617]: Failed password for root from 209.51.147.218 port 57697 ssh2
    Mar 26 17:59:09 heather sshd[25169]: Failed password for root from 209.51.147.218 port 57728 ssh2
    Mar 26 17:59:10 heather sshd[25920]: Failed password for root from 209.51.147.218 port 57781 ssh2
    Mar 26 17:59:10 heather sshd[26178]: Failed password for root from 209.51.147.218 port 57784 ssh2
    Mar 26 17:59:12 heather sshd[26873]: Failed password for root from 209.51.147.218 port 57822 ssh2
    Mar 26 17:59:13 heather sshd[27614]: Failed password for root from 209.51.147.218 port 57866 ssh2
    Mar 26 17:59:13 heather sshd[28001]: Failed password for root from 209.51.147.218 port 57872 ssh2
    Mar 26 17:59:15 heather sshd[29664]: Failed password for root from 209.51.147.218 port 57791 ssh2
    Mar 26 17:59:15 heather sshd[29824]: Failed password for root from 209.51.147.218 port 57910 ssh2
    Mar 26 17:59:16 heather sshd[32323]: Failed password for root from 209.51.147.218 port 57951 ssh2
    Mar 26 17:59:16 heather sshd[448]: Failed password for root from 209.51.147.218 port 57962 ssh2
    Mar 26 17:59:17 heather sshd[1973]: Failed password for root from 209.51.147.218 port 58014 ssh2
    Mar 26 17:59:17 heather sshd[1979]: Failed password for root from 209.51.147.218 port 58018 ssh2
    Mar 26 17:59:19 heather sshd[4225]: Failed password for root from 209.51.147.218 port 58076 ssh2
    Mar 26 17:59:19 heather sshd[4673]: Failed password for root from 209.51.147.218 port 58085 ssh2
    Mar 26 17:59:20 heather sshd[6753]: Failed password for root from 209.51.147.218 port 58154 ssh2
    Mar 26 17:59:20 heather sshd[6912]: Failed password for root from 209.51.147.218 port 58159 ssh2
    Mar 26 17:59:21 heather sshd[9506]: Failed password for root from 209.51.147.218 port 58212 ssh2
    Mar 26 17:59:21 heather sshd[9953]: Failed password for root from 209.51.147.218 port 58219 ssh2
    Mar 26 17:59:23 heather sshd[13280]: Failed password for root from 209.51.147.218 port 58285 ssh2
    Mar 26 17:59:23 heather sshd[13440]: Failed password for root from 209.51.147.218 port 58291 ssh2
    Mar 26 17:59:24 heather sshd[15584]: Failed password for root from 209.51.147.218 port 58341 ssh2
    Mar 26 17:59:24 heather sshd[15970]: Failed password for root from 209.51.147.218 port 58348 ssh2
    Mar 26 17:59:26 heather sshd[18368]: Failed password for root from 209.51.147.218 port 58415 ssh2
    Mar 26 17:59:26 heather sshd[18595]: Failed password for root from 209.51.147.218 port 58419 ssh2
    Mar 26 17:59:27 heather sshd[19251]: Failed password for root from 209.51.147.218 port 58468 ssh2
    Mar 26 17:59:27 heather sshd[19261]: Failed password for root from 209.51.147.218 port 58475 ssh2
    Mar 26 17:59:28 heather sshd[22496]: Failed password for root from 209.51.147.218 port 58544 ssh2
    Mar 26 17:59:29 heather sshd[22722]: Failed password for root from 209.51.147.218 port 58548 ssh2
    Mar 26 17:59:30 heather sshd[22845]: Failed password for root from 209.51.147.218 port 58599 ssh2
    Mar 26 17:59:30 heather sshd[23042]: Failed password for root from 209.51.147.218 port 58604 ssh2
    Mar 26 17:59:31 heather sshd[25536]: Failed password for root from 209.51.147.218 port 58677 ssh2
    Mar 26 17:59:31 heather sshd[25544]: Failed password for root from 209.51.147.218 port 58682 ssh2
    Mar 26 17:59:32 heather sshd[25915]: Failed password for root from 209.51.147.218 port 58728 ssh2
    Mar 26 17:59:33 heather sshd[26048]: Failed password for root from 209.51.147.218 port 58735 ssh2
    Mar 26 17:59:34 heather sshd[27367]: Failed password for root from 209.51.147.218 port 58807 ssh2
    Mar 26 17:59:34 heather sshd[27372]: Failed password for root from 209.51.147.218 port 58811 ssh2
    Mar 26 17:59:35 heather sshd[28900]: Failed password for root from 209.51.147.218 port 58859 ssh2
    Mar 26 17:59:36 heather sshd[29952]: Failed password for root from 209.51.147.218 port 58880 ssh2
    Mar 26 17:59:37 heather sshd[514]: Failed password for root from 209.51.147.218 port 58937 ssh2
    Mar 26 17:59:37 heather sshd[674]: Failed password for root from 209.51.147.218 port 58941 ssh2
    Mar 26 17:59:38 heather sshd[1953]: Failed password for root from 209.51.147.218 port 58991 ssh2
    Mar 26 17:59:38 heather sshd[1977]: Failed password for root from 209.51.147.218 port 59007 ssh2
    Mar 26 17:59:39 heather sshd[4833]: Failed password for root from 209.51.147.218 port 59075 ssh2
    Mar 26 17:59:40 heather sshd[5058]: Failed password for root from 209.51.147.218 port 59080 ssh2
    Mar 26 17:59:41 heather sshd[7010]: Failed password for root from 209.51.147.218 port 59146 ssh2
    Mar 26 17:59:41 heather sshd[7906]: Failed password for root from 209.51.147.218 port 59168 ssh2
    Mar 26 17:59:42 heather sshd[11074]: Failed password for root from 209.51.147.218 port 59241 ssh2
    Mar 26 17:59:42 heather sshd[11456]: Failed password for root from 209.51.147.218 port 59252 ssh2
    Mar 26 17:59:44 heather sshd[14274]: Failed password for root from 209.51.147.218 port 59325 ssh2
    Mar 26 17:59:44 heather sshd[14297]: Failed password for root from 209.51.147.218 port 59343 ssh2
    Mar 26 17:59:45 heather sshd[16549]: Failed password for root from 209.51.147.218 port 59417 ssh2
    Mar 26 17:59:45 heather sshd[16557]: Failed password for root from 209.51.147.218 port 59421 ssh2
    Mar 26 17:59:45 heather sshd[19393]: Illegal user deutch from 209.51.147.218
    Mar 26 17:59:46 heather sshd[17891]: Failed password for root from 209.51.147.218 port 59501 ssh2
    Mar 26 17:59:47 heather sshd[18752]: Failed password for root from 209.51.147.218 port 59523 ssh2
    Mar 26 17:59:47 heather sshd[22722]: Illegal user deutch from 209.51.147.218
    Mar 26 17:59:47 heather sshd[22748]: Illegal user deutch from 209.51.147.218
    Mar 26 17:59:48 heather sshd[19259]: Failed password for root from 209.51.147.218 port 59597 ssh2
    Mar 26 17:59:48 heather sshd[19393]: Failed password for illegal user deutch from 209.51.147.218 port 59602 ssh2
    Mar 26 17:59:48 heather sshd[24288]: Illegal user german from 209.51.147.218
    Mar 26 17:59:49 heather sshd[22722]: Failed password for illegal user deutch from 209.51.147.218 port 59694 ssh2
    Mar 26 17:59:49 heather sshd[22748]: Failed password for illegal user deutch from 209.51.147.218 port 59716 ssh2
    Mar 26 17:59:49 heather sshd[25911]: Illegal user german from 209.51.147.218
    Mar 26 17:59:50 heather sshd[26307]: Illegal user german from 209.51.147.218
    Mar 26 17:59:51 heather sshd[23937]: Failed password for root from 209.51.147.218 port 59768 ssh2
    Mar 26 17:59:51 heather sshd[24288]: Failed password for illegal user german from 209.51.147.218 port 59774 ssh2
    Mar 26 17:59:51 heather sshd[26876]: Illegal user deutch from 209.51.147.218
    Mar 26 17:59:51 heather sshd[27010]: Illegal user hitler from 209.51.147.218
    Mar 26 17:59:52 heather sshd[25911]: Failed password for illegal user german from 209.51.147.218 port 59847 ssh2
    Mar 26 17:59:52 heather sshd[26307]: Failed password for illegal user german from 209.51.147.218 port 59860 ssh2
    Mar 26 17:59:52 heather sshd[29347]: Illegal user hitler from 209.51.147.218
    Mar 26 17:59:53 heather sshd[30208]: Illegal user hitler from 209.51.147.218
    Mar 26 17:59:53 heather sshd[26876]: Failed password for illegal user deutch from 209.51.147.218 port 59922 ssh2
    Mar 26 17:59:53 heather sshd[27010]: Failed password for illegal user hitler from 209.51.147.218 port 59928 ssh2
    Mar 26 17:59:54 heather sshd[32483]: Illegal user german from 209.51.147.218
    Mar 26 17:59:54 heather sshd[321]: Illegal user deutchland from 209.51.147.218
    Mar 26 17:59:55 heather sshd[29347]: Failed password for illegal user hitler from 209.51.147.218 port 60013 ssh2
    Mar 26 17:59:55 heather sshd[30208]: Failed password for illegal user hitler from 209.51.147.218 port 60033 ssh2
    Mar 26 17:59:55 heather sshd[1980]: Illegal user deutchland from 209.51.147.218
    Mar 26 17:59:55 heather sshd[2848]: Illegal user deutchland from 209.51.147.218
    Mar 26 17:59:56 heather sshd[32483]: Failed password for illegal user german from 209.51.147.218 port 60099 ssh2
    Mar 26 17:59:56 heather sshd[321]: Failed password for illegal user deutchland from 209.51.147.218 port 60102 ssh2
    Mar 26 17:59:56 heather sshd[5219]: Illegal user hitler from 209.51.147.218
    Mar 26 17:59:57 heather sshd[5440]: Illegal user adele from 209.51.147.218
    Mar 26 17:59:57 heather sshd[1980]: Failed password for illegal user deutchland from 209.51.147.218 port 60186 ssh2
    Mar 26 17:59:58 heather sshd[2848]: Failed password for illegal user deutchland from 209.51.147.218 port 60206 ssh2
    Mar 26 17:59:58 heather sshd[8192]: Illegal user adele from 209.51.147.218
    Mar 26 17:59:58 heather sshd[9186]: Illegal user adele from 209.51.147.218
    Mar 26 17:59:59 heather sshd[5219]: Failed password for illegal user hitler from 209.51.147.218 port 60272 ssh2
    Mar 26 17:59:59 heather sshd[5440]: Failed password for illegal user adele from 209.51.147.218 port 60278 ssh2
    Mar 26 17:59:59 heather sshd[11746]: Illegal user deutchland from 209.51.147.218
    Mar 26 17:59:59 heather sshd[11904]: Illegal user alexa from 209.51.147.218
    Mar 26 18:00:00 heather sshd[8192]: Failed password for illegal user adele from 209.51.147.218 port 60355 ssh2
    Mar 26 18:00:00 heather sshd[9186]: Failed password for illegal user adele from 209.51.147.218 port 60376 ssh2
    Mar 26 18:00:01 heather sshd[16567]: Illegal user alexa from 209.51.147.218
    Mar 26 18:00:01 heather sshd[18958]: Illegal user alexa from 209.51.147.218
    Mar 26 18:00:02 heather sshd[11904]: Failed password for illegal user alexa from 209.51.147.218 port 60452 ssh2
    Mar 26 18:00:02 heather sshd[11746]: Failed password for illegal user deutchland from 209.51.147.218 port 60448 ssh2
    Mar 26 18:00:03 heather sshd[23808]: Illegal user adele from 209.51.147.218
    Mar 26 18:00:03 heather sshd[16567]: Failed password for illegal user alexa from 209.51.147.218 port 60531 ssh2
    Mar 26 18:00:03 heather sshd[24352]: Illegal user alexandra from 209.51.147.218
    Mar 26 18:00:04 heather sshd[18958]: Failed password for illegal user alexa from 209.51.147.218 port 60548 ssh2
    Mar 26 18:00:04 heather sshd[26458]: Illegal user alexandra from 209.51.147.218
    Mar 26 18:00:05 heather sshd[27267]: Illegal user alexandra from 209.51.147.218
    Mar 26 18:00:12 heather sshd[24352]: Failed password for illegal user alexandra from 209.51.147.218 port 60623 ssh2
    Mar 26 18:00:12 heather sshd[23808]: Failed password for illegal user adele from 209.51.147.218 port 60611 ssh2
    Mar 26 18:00:12 heather sshd[1825]: Illegal user alisha from 209.51.147.218
    Mar 26 18:00:12 heather sshd[26458]: Failed password for illegal user alexandra from 209.51.147.218 port 60679 ssh2
    Mar 26 18:00:12 heather sshd[27267]: Failed password for illegal user alexandra from 209.51.147.218 port 60706 ssh2
    Mar 26 18:00:13 heather sshd[4225]: Illegal user alisha from 209.51.147.218
    Mar 26 18:00:13 heather sshd[4321]: Illegal user alisha from 209.51.147.218
    Mar 26 18:00:14 heather sshd[1825]: Failed password for illegal user alisha from 209.51.147.218 port 32831 ssh2
    Mar 26 18:00:15 heather sshd[12960]: Illegal user amanda from 209.51.147.218
    Mar 26 18:00:15 heather sshd[4225]: Failed password for illegal user alisha from 209.51.147.218 port 32891 ssh2
    Mar 26 18:00:15 heather sshd[4321]: Failed password for illegal user alisha from 209.51.147.218 port 32895 ssh2
    Mar 26 18:00:16 heather sshd[13953]: Illegal user amanda from 209.51.147.218
    Mar 26 18:00:16 heather sshd[14016]: Illegal user amanda from 209.51.147.218
    Mar 26 18:00:17 heather sshd[12960]: Failed password for illegal user amanda from 209.51.147.218 port 33115 ssh2
    Mar 26 18:00:18 heather sshd[19169]: Illegal user ammelie from 209.51.147.218
    Mar 26 18:00:18 heather sshd[13953]: Failed password for illegal user amanda from 209.51.147.218 port 33199 ssh2
    Mar 26 18:00:18 heather sshd[14016]: Failed password for illegal user amanda from 209.51.147.218 port 33210 ssh2
    Mar 26 18:00:18 heather sshd[20480]: Illegal user ammelie from 209.51.147.218
    Mar 26 18:00:18 heather sshd[20578]: Illegal user ammelie from 209.51.147.218
    Mar 26 18:00:20 heather sshd[19169]: Failed password for illegal user ammelie from 209.51.147.218 port 33425 ssh2
    Mar 26 18:00:20 heather sshd[25282]: Illegal user andrea from 209.51.147.218
    Mar 26 18:00:21 heather sshd[20480]: Failed password for illegal user ammelie from 209.51.147.218 port 33499 ssh2
    Mar 26 18:00:21 heather sshd[20578]: Failed password for illegal user ammelie from 209.51.147.218 port 33500 ssh2
    Mar 26 18:00:21 heather sshd[26210]: Illegal user andrea from 209.51.147.218
    Mar 26 18:00:21 heather sshd[26243]: Illegal user andrea from 209.51.147.218
    Mar 26 18:00:23 heather sshd[25282]: Failed password for illegal user andrea from 209.51.147.218 port 33685 ssh2
    Mar 26 18:00:23 heather sshd[28867]: Illegal user angelika from 209.51.147.218
    Mar 26 18:00:23 heather sshd[26210]: Failed password for illegal user andrea from 209.51.147.218 port 33757 ssh2
    Mar 26 18:00:24 heather sshd[26243]: Failed password for illegal user andrea from 209.51.147.218 port 33758 ssh2
    Mar 26 18:00:24 heather sshd[30018]: Illegal user angelika from 209.51.147.218
    Mar 26 18:00:24 heather sshd[30027]: Illegal user angelika from 209.51.147.218
    Mar 26 18:00:25 heather sshd[28867]: Failed password for illegal user angelika from 209.51.147.218 port 33961 ssh2

  8. #8
    JPC Member
    Join Date
    Mar 2006
    Posts
    29
    My cpanel logs are always filled with those kinds of failed logins. I wish there were an easy way to discourage repeated attempts by having Linux completely block an IP address for, say, 8 hours after 5 invalid logins.

  9. #9
    Gwaihir (the Windlord)
    Join Date
    Jun 2002
    Posts
    2,562
    Awalsh: JagPC has but one data center.

    knoxhosting.com: look into pam_tally. It offers such block-after-x-tries functionality. I handle an intranet server that simply locks down the shell account after five failed attempts (without reopening after y hours). Of course, I do have the luxury of going to the console (the machine itself) to open it back up in such a case, or that wouldn't make sense. It also only allows attempts from a very limited IP range to begin with.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  10. #10
    jason (Community Leader)
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    JPC has only one datacenter, but they do have techs at different locations. For example, Masood is in Canada, I believe, after-hours support is in Pakistan or India, and some of the Houston-area staff work from home (and may have different ISPs).

    Still, more than a few failed attempts seems a bit excessive.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  11. #11
    JPC Addict
    Join Date
    Jul 2005
    Location
    Uk
    Posts
    128
    I asked support if the IP owner should be notified and they said:

    You can check with the owner, but the IP appears to be of another of our data centers, GNAX.
    I am using BFD to block them and I have bound ssh to one IP and turned PermitRootLogin off. I don't suppose there is any form of blacklist somewhere, like there is for spam, that I could use to check if the IPs are from known brute force attackers?

    Andrew

  12. #12
    Gwaihir (the Windlord)
    Join Date
    Jun 2002
    Posts
    2,562
    I guess they meant it wouldn't directly put you in contact with the owner / operator of the box? Personally I'd consider it a positive sign if the IP is owned by a well-known datacenter (well, known well enough for the support tech to recognize it). That sort of organization usually doesn't take lightly to abuse. That means an excellent chance that your report will be handled well, rather than ignored as too many hosts and ISPs still do (especially in countries like China and Russia).
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  13. #13
    JPC Addict
    Join Date
    Jul 2005
    Location
    Uk
    Posts
    128
    Found the IP details here: http://www.whois.sc/209.51.147.218. There is no abuse email listed. I think I will just let this one slip. Does anyone know of an SBL (Spam Blocking List) type system for preventing brute force attacks? As that would be extremely useful.

  14. #14
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    Why are you calling this a brute force attack? Just curious, as I've always thought of a brute force attack as repeatedly trying a single known userid (like root) with every possible character combination as a password (i.e. a, aa, ab, ac, ad ... aaaaaaab, aaaaaaac, etc.)

    And I would think that there would be millions of attempts in your logfile for a "brute force" attack. This looks more like a little probing or a fishing expedition (not phishing).

  15. #15
    Gwaihir (the Windlord)
    Join Date
    Jun 2002
    Posts
    2,562
    I guess because it is still based on the concept of a brute force attack? I.e. just guessing blindly till you get a hit, a username + password combo that gives access. Probably the boxes doing it are indeed working hard on it, using all the brute force they have, but because the attempts are spread over so many targets, it shows up as "just some probing". Then again.. they clearly use a dictionary of common usernames and I presume one of common passwords as well; that's not "brute force"; that's a dictionary attack.

    I suppose the strategy of spreading across many targets both gets less vicious responses from administrators like Awalsh, as well as more results per day, because they can try the most common passwords on many boxes, rather than stick with one box that might never yield and spend all energy on that.

    These types do log some of their results and / or exchange lists of possible targets btw: our intranet server (connected to the net with SSH only) had been on-line for over two years before the first one happened to stumble over the IP and notice there was SSH up. After that it quickly started to happen more and more often, so they do not (only) probe IPs completely at random.
    Last edited by Gwaihir; 03-27-2006 at 08:00 PM.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
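The BFD ban notice in the first post, knoxhosting.com's wish in post #8 for "block an IP for 8 hours after 5 invalid logins", and the brute-force-versus-dictionary distinction drawn in posts #14 and #15 can all be illustrated on the same log format. The Python below is an added example, not code from the thread, BFD or APF: it parses sshd lines of the shapes quoted in this thread, applies a five-failures-in-ten-minutes, ban-for-eight-hours rule, and labels each source by whether it hammered one account or swept a list of usernames. The log lines are constructed with documentation IP addresses, the year 2006 is assumed because syslog timestamps carry none, and the thresholds are illustrative.

```python
"""Offline analysis of sshd auth-log lines: BFD-style banning and attack-pattern labelling.

Added example; not part of the thread and not BFD's or APF's code. Assumes the
classic syslog-format sshd messages quoted in this thread. The sample lines are
constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2006  # syslog timestamps carry no year; assumed for the constructed sample

# One alternative per message shape seen in the thread's logs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?:"
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+)"
    r"|Illegal user (?P<iuser>\S+) from (?P<ip2>\S+)"
    r"|Did not receive identification string from (?P<ip3>\S+))"
)

# Constructed sample: one source hammering root, one sweeping account names,
# and one legitimate key login that the parser must ignore.
SAMPLE_LOG = """\
Mar 24 23:04:48 heather sshd[22699]: Did not receive identification string from 203.0.113.5
Mar 24 23:25:35 heather sshd[28161]: Failed password for root from 203.0.113.5 port 3648 ssh2
Mar 24 23:25:35 heather sshd[28194]: Failed password for root from 203.0.113.5 port 3650 ssh2
Mar 24 23:25:36 heather sshd[28867]: Failed password for root from 203.0.113.5 port 3737 ssh2
Mar 24 23:25:36 heather sshd[28960]: Failed password for root from 203.0.113.5 port 3766 ssh2
Mar 24 23:25:37 heather sshd[28970]: Failed password for root from 203.0.113.5 port 3790 ssh2
Mar 24 23:25:38 heather sshd[28981]: Failed password for root from 203.0.113.5 port 3801 ssh2
Mar 24 23:25:41 heather sshd[31331]: Illegal user admin from 198.51.100.7
Mar 24 23:25:43 heather sshd[31331]: Failed password for illegal user admin from 198.51.100.7 port 4570 ssh2
Mar 24 23:25:49 heather sshd[3862]: Illegal user test from 198.51.100.7
Mar 24 23:25:51 heather sshd[3862]: Failed password for illegal user test from 198.51.100.7 port 1357 ssh2
Mar 24 23:25:55 heather sshd[5376]: Illegal user guest from 198.51.100.7
Mar 24 23:25:57 heather sshd[5376]: Failed password for illegal user guest from 198.51.100.7 port 2125 ssh2
Mar 24 23:26:00 heather sshd[5400]: Accepted publickey for andrew from 192.0.2.9 port 5000 ssh2
"""


def parse_line(line):
    """Return (timestamp, kind, user, ip) or None for lines we do not recognise.
    kind: 'fail' = a password was rejected, 'nouser' = unknown account named,
    'noid' = connection opened without an SSH banner (a scanner probe)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    if m["ip"]:
        return ts, "fail", m["user"], m["ip"]
    if m["ip2"]:
        return ts, "nouser", m["iuser"], m["ip2"]
    return ts, "noid", None, m["ip3"]


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def compute_bans(events, threshold=5, window=timedelta(minutes=10), ban_for=timedelta(hours=8)):
    """Sliding-window detector in the spirit of BFD and of post #8's wish list: once
    an IP accumulates `threshold` rejected passwords within `window`, ban it for
    `ban_for`. Only 'fail' events count: each 'Illegal user' line is followed by its
    own 'Failed password' line, so counting both would double-count one guess.
    Returns [(ip, ban_start, ban_end)]."""
    recent, banned_until, bans = defaultdict(deque), {}, []
    for ts, kind, _user, ip in sorted(events, key=lambda e: e[0]):
        if kind != "fail":
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already blocked; with a real firewall rule sshd never sees these
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            banned_until[ip] = ts + ban_for
            bans.append((ip, ts, ts + ban_for))
            q.clear()
    return bans


def classify(events):
    """Per-IP summary with a label in the sense of post #15: many guesses against one
    account is password brute-forcing; many account names is a username dictionary
    sweep, which is what both logs quoted in this thread show."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for _ts, kind, user, ip in events:
        if kind == "fail":
            per_ip[ip]["attempts"] += 1
            per_ip[ip]["users"].add(user)
    out = {}
    for ip, d in per_ip.items():
        n, u = d["attempts"], len(d["users"])
        if n >= 5 and u == 1:
            label = "password guessing against one account"
        elif u >= 3:
            label = "username dictionary sweep"
        else:
            label = "low-volume probe"
        out[ip] = {"attempts": n, "distinct_users": u, "label": label}
    return out


def analyse(text):
    events = parse_log(text)
    return {"bans": compute_bans(events), "campaigns": classify(events)}
```

Feed it `open("/var/log/secure").read()` (or wherever the distribution writes sshd's auth messages) to see which sources would have tripped the rule; the "noid" events are kept separate on purpose, since a bare connection with no banner is a scanner checking that SSH is up, not yet a login attempt, and matches Gwaihir's observation that the probing starts once an IP is known to run SSH.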
