[ale] Hack of the month...

Tony Carter tcarter at entrusion.com
Wed Dec 14 18:14:40 EST 2005


> -----Original Message-----
> 
> Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Invalid user testing from 68.120.97.218
> Dec 14 02:58:10 209.168.246.231 authpriv.err sshd[194]: error: Could not get shadow information for NOUSER
> Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Failed password for invalid user testing from 68.120.97.218 port 59698 ssh2

Chris,
I see many of these attempts on systems I monitor. Most are from automated
scanners looking for easy prey, so sending email to abuse at whatever will
typically lead to nothing. Don't waste your time unless you know it's a
targeted attack.

I'd use hosts.allow and always ssh from a small list of machines, use a port
knocker or some other method that does not give the login prompt to just
anyone.

This is a case where obscuring your port may be helpful. It'll reduce the
amount of noise in your log files, and most automated scanning tools will
simply skip to the next IP if port 22 is not open.

I've been toying with the idea of putting an ssh tarpit on one of my boxes in
my honeynet and publishing the list of offending IPs.

Tony
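A small triage script for the log format quoted above, added here as an example and not part of Tony's post or the list's material: it parses sshd failure lines, groups them by source address, and flags sources that cycle through several nonexistent usernames as the automated scanner noise Tony describes. The extra log lines after the three quoted ones and the second source address (192.0.2.7) are constructed.

```python
import re
from collections import defaultdict

# Syslog-style sshd lines in the format quoted in the thread:
# "<Mon> <day> <time> <loghost> <facility.level> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<loghost>\S+)\s+"
    r"(?P<sel>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Only the "Failed password" line carries the client port; the preceding
# "Invalid user" line with the same pid is the same attempt, so key on the failure.
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

def parse_failures(lines):
    """Yield (src_ip, user, pid, port) for every failed-password line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = FAIL_RE.search(m.group("msg"))
        if f:
            yield f.group("src"), f.group("user"), m.group("pid"), int(f.group("port"))

def summarize(lines, scanner_threshold=3):
    """Per source IP: attempt count, distinct usernames, and a scanner flag.
    A source that fails against several different (nonexistent) usernames
    is the untargeted, automated noise described in the thread."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for src, user, _pid, _port in parse_failures(lines):
        stats[src]["attempts"] += 1
        stats[src]["users"].add(user)
    return {
        src: {
            "attempts": s["attempts"],
            "users": sorted(s["users"]),
            "likely_scanner": len(s["users"]) >= scanner_threshold,
        }
        for src, s in stats.items()
    }

# Constructed sample: the three lines quoted in the thread, then invented
# follow-up attempts from the same source and one from a constructed second IP.
SAMPLE_LOG = """\
Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Invalid user testing from 68.120.97.218
Dec 14 02:58:10 209.168.246.231 authpriv.err sshd[194]: error: Could not get shadow information for NOUSER
Dec 14 02:58:10 209.168.246.231 authpriv.info sshd[194]: Failed password for invalid user testing from 68.120.97.218 port 59698 ssh2
Dec 14 02:58:12 209.168.246.231 authpriv.info sshd[197]: Failed password for invalid user guest from 68.120.97.218 port 59701 ssh2
Dec 14 02:58:14 209.168.246.231 authpriv.info sshd[199]: Failed password for invalid user admin from 68.120.97.218 port 59704 ssh2
Dec 14 03:10:02 209.168.246.231 authpriv.info sshd[210]: Failed password for root from 192.0.2.7 port 40112 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(f"{src}: {s['attempts']} failures, users={s['users']}, scanner={s['likely_scanner']}")
```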
