
This is a discussion on Server Hack Attempts in the VPS & Dedicated forum

  1. #1
    JPC Senior Member
    Join Date
    Apr 2008
    Location
    Festus, MO
    Posts
    81

    Server Hack Attempts

    My firewall emails me on every SSH attempt, failed or successful. After 5 attempts they get added to the blocked list. Today seems a little unusual though. We have had 20 attempts blocked. On a good day we normally get about 5 - 10. 20 just seems a little on the high side.

    Does anybody else experience situations like this or even worse?

  2. #2
    Technical Support Rep.
    Join Date
    Oct 2008
    Location
    Canada
    Posts
    526
    Hi,

    The amount of attempts varies based on the net-block "popularity" with the bots that do the scanning. For example one machine I used to administrate at a large university saw anywhere between 3000-9000 attempts per day.

    My advice would be to make sure that any accounts that you permit login from have a secure password. (e.g. at least 8 alpha-numeric with symbols) and/or use public key authentication instead of passwords.

    If you see a large number of attempts from a single network you might want to consider looking up the net-block and blocking the entire network if it is feasible.

  3. #3
    Vin DSL
    Yeah, I know a LOT!
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by atechstl View Post
    Does anybody else experience situations like this or even worse?
    I *guess* I'm kind of an odd bird...

    I have production sites here at JagPC (CentOS) - but I also have personal sites here at my home (Slackware).

    Now, it's funny you should mention it, but I've had a LOT of SSH requests to my personal sites at my home lately!

    The only reason I know this is because I run a proggie, here on my LAN, called Kiwi Syslog Daemon (the program that MS forgot to steal) and it reports anything going on, on my LAN, as well as Windows EventLogs on individual LAN machines via SNARE.

    Here's some links so you can catch-up (if you don't know what I'm talking about)...

    Slackware: http://www.slackware.com/

    Kiwi Syslog Daemon: http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/

    SNARE: http://www.intersectalliance.com/projects/SnareWindows/

    Anyway, I have kind of an A-type personality - and, YES, I've been getting SSH requests up the (if you'll pardon the pun) Yin-Yang the last few days from China.

    I *assume* the same thing is happening across the web - at my house - here at JagPC - but, I'm too busy to check it out.

    Anyway, I'm NOT worried about it! I think The Chinks are just trying to check the universe for flaws in the fabric of the Internet - for use in the upcoming cyberwar - that's all!
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  4. #4
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    I've been getting "buried" by attempts from The Netherlands lately.
    Good luck

  5. #5
    Vin DSL
    Yeah, I know a LOT!
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by JPC-NickO View Post
    If you see a large number of attempts from a single network you might want to consider looking up the net-block and blocking the entire network if it is feasible.
    Yes, that's very prudent, Nick! Kudos - but these ppl don't even know what you're talking about - I'm sure...

    I've been doing this a long time, and you're absolutely right!

    Web sites are like swimming with sharks. Sometimes I *feel* like a peacock in the middle of a flock of penguins, you know? Thus, a peacock in the middle of sharks.

    And, as the story goes, every once in a while one of these penguins happens to see a shark and freaks out. Do you ever *feel* that way - or is it just me?

    So, what does a peacock tell a penguin before being eaten by a shark - that's the question on everyone's mind?

    If you see a large number of sharks - watch out!!!

  6. #6
    Vin DSL
    Yeah, I know a LOT!
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by Ron View Post
    I've been getting "buried" by attempts from The Netherlands lately.
    Oh, shut up!

    I'm having fun here...

    Play along, will you, dogman?

    If you aren't nice, I'll cut TA loose on you...

  7. #7
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    I'm sorry, I must have missed the frivolity somewhere?
    Good luck

  8. #8
    Vin DSL
    Yeah, I know a LOT!
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Maybe it's the time difference...

    Why are you up so late/early?

    That's the only thing I wonder about...

    Not the little <expletive deleted> trying to get into my SSH!

  9. #9
    Vin DSL
    Yeah, I know a LOT!
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Heh! Sorry if I'm acting like an 800 lb peacock...

    Really, when you think about it - are shell accounts really that prevalent nowadays?

    I guess so...

    I remember when I first came here to JagPC - they were kind of an anomaly!

    Anyway, if you're on a VPS/Dedicated account, I suppose you could always shuck it off to another port, no?

  10. #10
    thecoalman
    Nearly 100% Pure Carbon
    Join Date
    Nov 2007
    Location
    Northeast Pennsylvania
    Posts
    529
    Quote Originally Posted by Vin DSL View Post
    Anyway, if you're on a VPS/Dedicated account, I suppose you could always shuck it off to another port, no?
    Yes, I was getting about 500-1000 failed login attempts on the default port per day. Installed APF and BFD, and BFD was banning about 2 or 3 IPs per day. Moved the port and haven't had a single ban since for failed root logins.


    Quote Originally Posted by JPC-NickO View Post
    My advice would be to make sure that any accounts that you permit login from have a secure password. (e.g. at least 8 alpha-numeric with symbols)
    I'm using 64, is that sufficient?

    https://www.grc.com/passwords.htm

  11. #11
    Technical Support Rep.
    Join Date
    Oct 2008
    Location
    Canada
    Posts
    526
    Quote Originally Posted by Vin DSL View Post
    Yes, that's very prudent, Nick! Kudos - but these ppl don't even know what you're talking about - I'm sure...
    Hehe, I guess I should have elaborated a bit.

    If, for example, you got a large number of requests from 69.73.130.240, 69.73.131.123, etc., and you notice that the first few dotted numbers are the same (e.g. "69.73.X.X"), you should do a whois to see who owns the network:
    http://whois.domaintools.com/69.73.130.240

    In this case you can see that 69.73.128.0/18 is owned by JaguarPC. You would not want to block the entire network in this case, but rather report it to the abuse handle (abuse@jaguarpc.com).

    Quote Originally Posted by thecoalman
    I'm using 64 is that sufficient?

    https://www.grc.com/passwords.htm
    A bit of overkill, don't you think? IMHO if you can't memorize it you're probably better off using public key authentication than keeping those passwords around in a text file or Word document.

    On my personal servers I find that worrying about this is a waste of time. I don't allow direct root login without public key authentication and I use the NetFilter (iptables) recent module to block connection attempts after 6 in 1 minute.

    My primary login on my home server allows password authentication but the password is 16 characters long using a-z,A-Z,0-9, and symbols. I run ssh-agent on this server so I can login to my dedicated servers from anywhere (they only permit public key authentication).

    In five years I have not once had my servers compromised via ssh (or any other means).

    I find changing the ssh port to be more troublesome than useful and if you must do it I recommend binding on both 22 and an alternate port and then having a white-list for port 22. i.e. only your ISP or places you commonly connect from. If you happen to be out of town you can still use the alternative port.
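Added example, not code from the thread or from JaguarPC's own tooling: a small Python script that applies the two ideas in Nick's posts to sshd log lines. It bans a source that reaches 6 failed passwords inside a sliding 1-minute window (the same rule as the iptables recent module he describes), and it aggregates failures per netblock so the "first few dotted numbers are the same" case from #11 shows up for a whois lookup. The log lines, hostnames and addresses (TEST-NET ranges) are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_network
# Constructed sshd log excerpt (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
Jan 10 03:12:01 vps sshd[2101]: Failed password for root from 198.51.100.7 port 40011 ssh2
Jan 10 03:12:04 vps sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Jan 10 03:12:09 vps sshd[2105]: Failed password for root from 198.51.100.7 port 40013 ssh2
Jan 10 03:12:15 vps sshd[2107]: Failed password for root from 198.51.100.7 port 40014 ssh2
Jan 10 03:12:20 vps sshd[2109]: Failed password for root from 198.51.100.7 port 40015 ssh2
Jan 10 03:12:25 vps sshd[2111]: Failed password for root from 198.51.100.7 port 40016 ssh2
Jan 10 03:20:00 vps sshd[2200]: Failed password for root from 198.51.100.9 port 50001 ssh2
Jan 10 03:45:00 vps sshd[2300]: Failed password for root from 198.51.100.9 port 50002 ssh2
Jan 10 04:00:00 vps sshd[2400]: Accepted publickey for deploy from 203.0.113.5 port 60000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(text):
    """Return (timestamp, user, ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog timestamps carry no year; deltas still work
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def burst_offenders(events, hitcount=6, seconds=60):
    """IPs reaching `hitcount` failures in a sliding `seconds` window
    (same rule as iptables -m recent --seconds 60 --hitcount 6)."""
    recent, banned = defaultdict(deque), set()
    for ts, _user, ip in sorted(events):
        win = recent[ip]
        win.append(ts)
        while (ts - win[0]).total_seconds() > seconds:
            win.popleft()  # drop hits older than the window
        if len(win) >= hitcount:
            banned.add(ip)
    return banned

def netblock_counts(events, prefix=16):
    """Failures per netblock; /16 groups the 'first two octets match' case."""
    counts = defaultdict(int)
    for _ts, _user, ip in events:
        counts[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return dict(counts)
```

The slow source (two failures 25 minutes apart) never trips the burst rule but still shows in the netblock totals, which is why both views are worth keeping.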

  12. #12
    JPC Member
    Join Date
    Jan 2006
    Posts
    48
    I'm somewhat lazy. Root is not allowed to log in directly at all via SSH. I only have one user account with access to a regular shell. Other users who need shell access have a jailed shell.
    I like having a long password, but I hate memorizing it. So, I pick something easy to remember (e.g. any one of those bad-to-use passwords) and run it through a hash program (md5, etc). The resulting 32-character string is the password I use for my root login. I do not keep a password file, but I do utilize a hash program to get the full password. I do not run the hash when logged into my server just in case.

    This password is changed every 2 weeks (when I'm on top of things). The user login password is changed less often, but it also must be 8 alpha-numerics (typically by putting something else through a hash and taking the first 8 characters, then changing the cAsE to have at least 2 lowercase and 2 uppercase).

    Theoretically, my password is easy to guess, but one needs to be a bit more cunning than a standard attack.
