comp.security.ssh / SSH brute force breakin attempts

Subject - Author
* SSH brute force breakin attempts - S.K.R. de Jong
+- Re: SSH brute force breakin attempts - Doug McIntyre
+* Re: SSH brute force breakin attempts - William Unruh
|`* Re: SSH brute force breakin attempts - S.K.R. de Jong
| `* Re: SSH brute force breakin attempts - William Unruh
|  `* Re: SSH brute force breakin attempts - S.K.R. de Jong
|   `- Re: SSH brute force breakin attempts - William Unruh
+- Re: SSH brute force breakin attempts - Marc Haber
`* Re: SSH brute force breakin attempts - Chris Green
 +* Re: SSH brute force breakin attempts - Marc Haber
 |+- Re: SSH brute force breakin attempts - Chris Green
 |`* Re: SSH brute force breakin attempts - Chris Green
 | `- Re: SSH brute force breakin attempts - Marc Haber
 `- Re: SSH brute force breakin attempts - S.K.R. de Jong

Re: SSH brute force breakin attempts

<s54jce$5vo$1@gioia.aioe.org>

https://www.novabbs.com/devel/article-flat.php?id=219&group=comp.security.ssh#219

From: SKR...@nowhere.net (S.K.R. de Jong)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 17:11:42 +0000 (UTC)
Organization: Aioe.org NNTP Server
Lines: 11
Message-ID: <s54jce$5vo$1@gioia.aioe.org>
References: <s52ntt$1tkb$1@gioia.aioe.org> <s53683$tg3$1@dont-email.me>
<s54fdt$21t$1@gioia.aioe.org> <s54gea$frn$1@dont-email.me>
 by: S.K.R. de Jong - Tue, 13 Apr 2021 17:11 UTC

On Tue, 13 Apr 2021 16:21:30 +0000, William Unruh wrote:

> The probability of an attack succeeding is directly proportional to
> the number of attempts they make. 0 attempts means 0 probability, no
> matter what other defenses you have. It is called defense in depth. Like
> the Challenger disaster-- it is when you assume that a defense line is
> irrelevant, since there are other defenses, that disasters happen.

True. I am not too concerned though, all the more so because I
don't allow password authentication from hosts in the Internet.

Re: SSH brute force breakin attempts

<s54r5i$817$1@dont-email.me>

https://www.novabbs.com/devel/article-flat.php?id=220&group=comp.security.ssh#220

From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 19:24:34 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 21
Message-ID: <s54r5i$817$1@dont-email.me>
References: <s52ntt$1tkb$1@gioia.aioe.org> <s53683$tg3$1@dont-email.me>
<s54fdt$21t$1@gioia.aioe.org> <s54gea$frn$1@dont-email.me>
<s54jce$5vo$1@gioia.aioe.org>
 by: William Unruh - Tue, 13 Apr 2021 19:24 UTC

On 2021-04-13, S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
> On Tue, 13 Apr 2021 16:21:30 +0000, William Unruh wrote:
>
>> The probability of an attack succeeding is directly proportional to
>> the number of attempts they make. 0 attempts means 0 probability, no
>> matter what other defenses you have. It is called defense in depth. Like
>> the Challenger disaster-- it is when you assume that a defense line is
>> irrelevant, since there are other defenses, that disasters happen.
>
> True. I am not too concerned though, all the more so because I
> don't allow password authentication from hosts in the Internet.

Good idea. However, this means that the external call actually runs the
sshd daemon, which is what then decides that what it receives is a
password based request, and looks up to check that this is actually
coming from the internet. I.e., there is an opening for some bugs in sshd
to rear their ugly head and allow a niche for the remote attacker to get
in. If, however, the system never actually delivers the attempt to sshd
at all, because it is coming in on a port where sshd is not listening,
then the holes in sshd are irrelevant.

Re: SSH brute force breakin attempts

<ohdhkh-87un1.ln1@esprimo.zbmc.eu>

https://www.novabbs.com/devel/article-flat.php?id=221&group=comp.security.ssh#221

From: cl...@isbd.net (Chris Green)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 22:03:20 +0100
Lines: 16
Message-ID: <ohdhkh-87un1.ln1@esprimo.zbmc.eu>
References: <s52ntt$1tkb$1@gioia.aioe.org> <pfvfkh-seik1.ln1@esprimo.zbmc.eu> <s53rpg$sbu$1@news1.tnib.de>
 by: Chris Green - Tue, 13 Apr 2021 21:03 UTC

Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
> Chris Green <cl@isbd.net> wrote:
> >If they're attacking an ssh login they're only
> >going to get two or three tries before the delays become very long
> >indeed.
>
> Why? Has sshd implemented such a scheme lately? Or do you assume that
> everybody is using fail2ban or a network rate limit mechanism?
>
On [x]ubuntu systems there is a default failed login delay of a couple
of seconds, so it's not ssh specifically, but it's there alright. I'm
not sure if other distributions do the same.

--
Chris Green

Re: SSH brute force breakin attempts

<H-2dnadl0_P-eeT9nZ2dnUU7-cudnZ2d@giganews.com>

https://www.novabbs.com/devel/article-flat.php?id=224&group=comp.security.ssh#224

Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
References: <s52ntt$1tkb$1@gioia.aioe.org>
From: mer...@dork.geeks.org (Doug McIntyre)
User-Agent: nn/6.7.3
Message-ID: <H-2dnadl0_P-eeT9nZ2dnUU7-cudnZ2d@giganews.com>
Date: Fri, 16 Apr 2021 14:24:19 -0500
Lines: 24
 by: Doug McIntyre - Fri, 16 Apr 2021 19:24 UTC

"S.K.R. de Jong" <SKRdJ@nowhere.net> writes:
> Have you guys noticed something similar in your logs? I am
>curious because this decrease more or less has coincided with a change of
>ISP on my side, which implies that the Internet-visible static IP address
>that my SSH daemon is listening at has changed. The actual domain name is
>the same though.

Different IP ranges get scanned at different rates.

If there is something up and longstanding, it gets probed more than
space that had been empty for months/years before you occupied it,
which gets probed less because there was nothing there before.

Also, I think all the "white-hats" scanning IP space (i.e. think Shodan)
probably far outnumber the crackers scanning IP space.

So many people trying to look out for you, eating up your network
bandwidth.

Sigh.

--
Doug McIntyre
doug@themcintyres.us

SSH brute force breakin attempts

<s52ntt$1tkb$1@gioia.aioe.org>

https://www.novabbs.com/devel/article-flat.php?id=332&group=comp.security.ssh#332

From: SKR...@nowhere.net (S.K.R. de Jong)
Newsgroups: comp.security.ssh
Subject: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 00:17:01 +0000 (UTC)
Organization: Aioe.org NNTP Server
Lines: 25
Message-ID: <s52ntt$1tkb$1@gioia.aioe.org>
 by: S.K.R. de Jong - Tue, 13 Apr 2021 00:17 UTC

I have a system with an SSH server accessible from the Internet.
For the last few years, I have been monitoring a steady flow of brute
force break-in attempts, at an average rate of at least one attempt per
minute, significantly more during peak hours.

Remarkably, starting a few weeks ago, this rate has fallen
dramatically, to less than one per hour, even during those times of the
day when I would usually register several attempts per minute.

Have you guys noticed something similar in your logs? I am
curious because this decrease more or less has coincided with a change of
ISP on my side, which implies that the Internet-visible static IP address
that my SSH daemon is listening at has changed. The actual domain name is
the same though.

I just wonder whether it is the case that would-be crackers are
scanning static IP address pools corresponding to some ISPs, while
leaving other ISPs more or less alone, perhaps because they are not quite
as well-known - my previous ISP has a much higher profile than my new
one, although the service from the new one is (so far) just as reliable,
while being much faster and cheaper.

Anyway, I would appreciate it if you guys could share your
experiences on these issues.

Re: SSH brute force breakin attempts

<s53683$tg3$1@dont-email.me>

https://www.novabbs.com/devel/article-flat.php?id=333&group=comp.security.ssh#333

From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 04:21:24 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 41
Message-ID: <s53683$tg3$1@dont-email.me>
References: <s52ntt$1tkb$1@gioia.aioe.org>
 by: William Unruh - Tue, 13 Apr 2021 04:21 UTC

On 2021-04-13, S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
> I have a system with an SSH server accessible from the Internet.
> For the last few years, I have been monitoring a steady flow of brute
> force break-in attempts, at an average rate of at least one attempt per
> minute, significantly more during peak hours.
>
> Remarkably, starting a few weeks ago, this rate has fallen
> dramatically, to less than one per hour, even during those times of the
> day when I would usually register several attempts per minute.
>
> Have you guys noticed something similar in your logs? I am
> curious because this decrease more or less has coincided with a change of
> ISP on my side, which implies that the Internet-visible static IP address
> that my SSH daemon is listening at has changed. The actual domain name is
> the same though.
>
> I just wonder whether it is the case that would-be crackers are
> scanning static IP address pools corresponding to some ISPs, while
> leaving other ISPs more or less alone, perhaps because they are not quite
> as well-known - my previous ISP has a much higher profile than my new
> one, although the service from the new one is (so far) just as reliable,
> while being much faster and cheaper.
>
> Anyway, I would appreciate it if you guys could share your
> experiences on these issues.
>
Change the port on which sshd listens (in /etc/ssh/sshd_config) and
then on your various machines that you log into your machine from, place:

    # Or whatever the name of your machine is
    Host donald.duck.com
        # Or whatever port you told your sshd to listen on
        Port 12345

Then ssh will use that port instead of 22 and your attackers will all be
switched off. Of course if you try to log in via ssh from some other
machine where you have not installed that stuff into ssh_config, you
will have to remember that port number:

    ssh -p 12345 donald.duck.com

Re: SSH brute force breakin attempts

<s53h4b$92u$1@news1.tnib.de>

https://www.novabbs.com/devel/article-flat.php?id=334&group=comp.security.ssh#334

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 09:27:07 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s53h4b$92u$1@news1.tnib.de>
References: <s52ntt$1tkb$1@gioia.aioe.org>
 by: Marc Haber - Tue, 13 Apr 2021 07:27 UTC

"S.K.R. de Jong" <SKRdJ@nowhere.net> wrote:
> I have a system with an SSH server accessible from the Internet.
>For the last few years, I have been monitoring a steady flow of brute
>force break-in attempts, at an average rate of at least one attempt per
>minute, significantly more during peak hours.
>
> Remarkably, starting a few weeks ago, this rate has fallen
>dramatically, to less than one per hour, even during those times of the
>day when I would usually register several attempts per minute.
>
> Have you guys noticed something similar in your logs? I am
>curious because this decrease more or less has coincided with a change of
>ISP on my side, which implies that the Internet-visible static IP address
>that my SSH daemon is listening at has changed. The actual domain name is
>the same though.

The frequency of those brute-force attacks varies dramatically by
target network. I have servers in various hosting networks and some of
those get tenfold the amount of ssh probes than others. So, it is just
different characteristics of background noise in different parts of
the Internet.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: SSH brute force breakin attempts

<pfvfkh-seik1.ln1@esprimo.zbmc.eu>

https://www.novabbs.com/devel/article-flat.php?id=335&group=comp.security.ssh#335

From: cl...@isbd.net (Chris Green)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 08:57:13 +0100
Lines: 22
Message-ID: <pfvfkh-seik1.ln1@esprimo.zbmc.eu>
References: <s52ntt$1tkb$1@gioia.aioe.org>
 by: Chris Green - Tue, 13 Apr 2021 07:57 UTC

S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
> I have a system with an SSH server accessible from the Internet.
> For the last few years, I have been monitoring a steady flow of brute
> force break-in attempts, at an average rate of at least one attempt per
> minute, significantly more during peak hours.
>
These aren't really 'brute force' attempts surely? A brute force
attempt is one that sequences through every possible password
combination sequentially, often starting with shorter ones and moving
on to longer ones until a match is obtained. A brute force attempt to
break a password depends on having fast and unlimited access to the
encoded string you're attempting to guess.

What you're seeing I would call 'opportunistic' attempts where the
attacker tries the obvious default passwords like 'passw0rd',
'abcdefgh' and so on. If they're attacking an ssh login they're only
going to get two or three tries before the delays become very long
indeed.


Re: SSH brute force breakin attempts

<s53rpg$sbu$1@news1.tnib.de>

https://www.novabbs.com/devel/article-flat.php?id=336&group=comp.security.ssh#336

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 12:29:04 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s53rpg$sbu$1@news1.tnib.de>
References: <s52ntt$1tkb$1@gioia.aioe.org> <pfvfkh-seik1.ln1@esprimo.zbmc.eu>
 by: Marc Haber - Tue, 13 Apr 2021 10:29 UTC

Chris Green <cl@isbd.net> wrote:
>If they're attacking an ssh login they're only
>going to get two or three tries before the delays become very long
>indeed.

Why? Has sshd implemented such a scheme lately? Or do you assume that
everybody is using fail2ban or a network rate limit mechanism?

Greetings
Marc

Re: SSH brute force breakin attempts

<0n9gkh-m77l1.ln1@esprimo.zbmc.eu>

https://www.novabbs.com/devel/article-flat.php?id=337&group=comp.security.ssh#337

From: cl...@isbd.net (Chris Green)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 11:51:44 +0100
Lines: 22
Message-ID: <0n9gkh-m77l1.ln1@esprimo.zbmc.eu>
References: <s52ntt$1tkb$1@gioia.aioe.org> <pfvfkh-seik1.ln1@esprimo.zbmc.eu> <s53rpg$sbu$1@news1.tnib.de>
 by: Chris Green - Tue, 13 Apr 2021 10:51 UTC

Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
> Chris Green <cl@isbd.net> wrote:
> >If they're attacking an ssh login they're only
> >going to get two or three tries before the delays become very long
> >indeed.
>
> Why? Has sshd implemented such a scheme lately? Or do you assume that
> everybody is using fail2ban or a network rate limit mechanism?
>
Well, all my ssh logins, by default (i.e. as installed xubuntu systems),
have a several second delay after even the first failed login and I
think it gets longer after further failures. This is even for logins
across my LAN where I'm certainly not running fail2ban or anything
like that.

Even a 1 second delay would prevent any sort of brute force attack
from working, you surely need millions of attempts for it to have any
hope of success.


Re: SSH brute force breakin attempts

<s54fdt$21t$1@gioia.aioe.org>

https://www.novabbs.com/devel/article-flat.php?id=338&group=comp.security.ssh#338

From: SKR...@nowhere.net (S.K.R. de Jong)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 16:04:13 +0000 (UTC)
Organization: Aioe.org NNTP Server
Lines: 18
Message-ID: <s54fdt$21t$1@gioia.aioe.org>
References: <s52ntt$1tkb$1@gioia.aioe.org> <s53683$tg3$1@dont-email.me>
 by: S.K.R. de Jong - Tue, 13 Apr 2021 16:04 UTC

On Tue, 13 Apr 2021 04:21:24 +0000, William Unruh wrote:

> Change the port on which sshd listens (in /etc/ssh/sshd_config) and
> then on your various machines that you log into your machine from, place:
>
>     # Or whatever the name of your machine is
>     Host donald.duck.com
>         # Or whatever port you told your sshd to listen on
>         Port 12345
>
> Then ssh will use that port instead of 22 and your attackers will all be
> switched off. Of course if you try to log in via ssh from some other
> machine where you have not installed that stuff into ssh_config, you
> will have to remember that port number: ssh -p 12345 donald.duck.com

Thanks. I am not bothered by such attacks on port 22 - I have
defenses in place so that attackers are blocked for a few days after a
few attempts. I am just curious as to why their frequency has decreased
so dramatically in the last few weeks - as others point out, it may well
be because of my change of ISP.
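The "blocked for a few days after a few attempts" rule mentioned here, and the attempts-per-hour rate the original post asks about, can both be read off sshd's auth log. The script below is an added example, not code from any poster or from fail2ban; the log excerpt is constructed, the year is assumed (syslog lines carry none), and the maxretry/findtime thresholds are assumed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt for this example (not a real log). Syslog
# timestamps carry no year, so LOG_YEAR is assumed when parsing them.
LOG_YEAR = 2021
SAMPLE_LOG = """\
Apr 13 00:01:10 gw sshd[4101]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Apr 13 00:01:13 gw sshd[4101]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Apr 13 00:01:17 gw sshd[4101]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Apr 13 00:01:21 gw sshd[4105]: Failed password for root from 198.51.100.23 port 50130 ssh2
Apr 13 00:02:40 gw sshd[4110]: Failed password for invalid user oracle from 203.0.113.9 port 41002 ssh2
Apr 13 00:09:05 gw sshd[4120]: Failed password for invalid user test from 203.0.113.9 port 41010 ssh2
Apr 13 00:30:00 gw sshd[4130]: Accepted publickey for skr from 192.168.1.20 port 53000 ssh2: ED25519 SHA256:constructed
Apr 13 01:15:42 gw sshd[4201]: Failed password for invalid user pi from 192.0.2.77 port 60001 ssh2
Apr 13 02:40:12 gw sshd[4301]: Failed password for invalid user ubnt from 203.0.113.9 port 41500 ssh2
Apr 13 02:58:59 gw sshd[4302]: Failed password for invalid user ubnt from 203.0.113.9 port 41501 ssh2
"""

# Matches OpenSSH's "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=LOG_YEAR):
    """Return failed password attempts as sorted (timestamp, source_ip, user)
    tuples; successful logins and other sshd lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return sorted(events)


def failures_per_hour(events):
    """Failed attempts per clock hour: the 'per minute versus per hour'
    background-noise level the original post is asking about."""
    counts = Counter(ts.replace(minute=0, second=0) for ts, _, _ in events)
    return dict(sorted(counts.items()))


def targeted_usernames(events):
    """Which account names the probes try (typically admin, root, pi, ...)."""
    return Counter(user for _, _, user in events)


def ban_candidates(events, maxretry=3, findtime_s=600):
    """fail2ban-style rule: a source that fails maxretry times within a
    sliding window of findtime_s seconds becomes a candidate for a
    multi-day block. Returns {source_ip: timestamp when the threshold was
    crossed}; attempts from a source already flagged are not counted again."""
    findtime = timedelta(seconds=findtime_s)
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _ in events:
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop attempts that fell out of the window before checking the count.
        while ts - window[0] > findtime:
            window.pop(0)
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned
```

With the default ten-minute window only the rapid-fire source is flagged; widening findtime_s to three hours also catches the slow, spaced-out source, which is the trade-off behind choosing those thresholds.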

Re: SSH brute force breakin attempts

<s54fmi$21t$2@gioia.aioe.org>

https://www.novabbs.com/devel/article-flat.php?id=339&group=comp.security.ssh#339

From: SKR...@nowhere.net (S.K.R. de Jong)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 16:08:51 +0000 (UTC)
Organization: Aioe.org NNTP Server
Lines: 23
Message-ID: <s54fmi$21t$2@gioia.aioe.org>
References: <s52ntt$1tkb$1@gioia.aioe.org>
<pfvfkh-seik1.ln1@esprimo.zbmc.eu>
 by: S.K.R. de Jong - Tue, 13 Apr 2021 16:08 UTC

On Tue, 13 Apr 2021 08:57:13 +0100, Chris Green wrote:

> S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
>> I have a system with an SSH server accessible from the
>> Internet.
>> For the last few years, I have been monitoring a steady flow of brute
>> force break-in attempts, at an average rate of at least one attempt per
>> minute, significantly more during peak hours.
>>
> These aren't really 'brute force' attempts surely? A brute force
> attempt is one that sequences through every possible password
> combination sequentially, often starting with shorter ones and moving on
> to longer ones until a match is obtained. A brute force attempt to
> break a password depends on having fast and unlimited access to the
> encoded string you're attempting to guess.
>
> What you're seeing I would call 'opportunistic' attempts where the
> attacker tries the obvious default passwords like 'passw0rd', 'abcdefgh'
> and so on. If they're attacking an ssh login they're only going to get
> two or three tries before the delays become very long indeed.

That's right - they keep trying typical user names. I have
password authentication disabled for hosts outside my network.
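Restricting password authentication to the local network, as this post describes, is done in sshd_config with a global PasswordAuthentication no and a Match Address block that re-enables it for the LAN; as Unruh notes elsewhere in the thread, sshd itself makes that decision per connection. The resolver below is an added example, not code from any poster or from OpenSSH: it models only the Match Address criterion and uses constructed config fragments and client addresses.

```python
import ipaddress

# Constructed sshd_config fragments (assumed for this example, not from the
# thread). The weak form accepts passwords from any client; the hardened one
# listens on a non-default port, refuses passwords globally and re-enables
# them only for the LAN, which is what "password authentication disabled
# for hosts outside my network" amounts to.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 12345
PasswordAuthentication no
PubkeyAuthentication yes

# Keywords under a Match block override the global ones for matching clients.
Match Address 192.168.1.0/24,10.0.0.0/8
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Split sshd_config text into (global_settings, match_blocks).

    Keywords are lowercased, as sshd treats them case-insensitively. Only the
    "Keyword value" form is handled (not "Keyword=value"). match_blocks is a
    list of (criteria, settings) pairs in file order.
    """
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # sshd comments are whole lines
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            tokens = value.split()
            criteria = {k.lower(): v for k, v in zip(tokens[::2], tokens[1::2])}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_settings[keyword] = value
        else:
            current[1][keyword] = value
    return global_settings, blocks


def address_matches(client_ip, address_list):
    """Evaluate a Match Address list (comma-separated CIDR entries, '!' negates).

    Mirrors OpenSSH's addr_match_list: a matching negated entry rejects
    outright, while a matching positive entry counts but can still be undone
    by a later negated entry.
    """
    ip = ipaddress.ip_address(client_ip)
    matched = False
    for entry in address_list.split(","):
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net:                      # False for an IPv4/IPv6 mismatch
            if negated:
                return False
            matched = True
    return matched


def effective_setting(config_text, keyword, client_ip):
    """Value of keyword that sshd would apply to a connection from client_ip:
    the first matching Match Address block that sets it wins, otherwise the
    global value (None if unset anywhere)."""
    global_settings, blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for criteria, settings in blocks:
        if "address" in criteria and address_matches(client_ip, criteria["address"]):
            if keyword in settings:
                return settings[keyword]
    return global_settings.get(keyword)


def password_auth_allowed(config_text, client_ip):
    """True when sshd would offer password authentication to client_ip.
    OpenSSH defaults PasswordAuthentication to yes when it is not set, so an
    absent keyword is treated as allowed here too."""
    value = effective_setting(config_text, "PasswordAuthentication", client_ip)
    return value is None or value == "yes"
```

Note that sshd still has to accept and parse the connection before it can apply the Match block, which is the point Unruh makes about moving the port: a probe that never reaches sshd cannot exercise a bug in it.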

Re: SSH brute force breakin attempts

<s54foj$775$1@news1.tnib.de>

https://www.novabbs.com/devel/article-flat.php?id=340&group=comp.security.ssh#340

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 18:09:55 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s54foj$775$1@news1.tnib.de>
References: <s52ntt$1tkb$1@gioia.aioe.org> <pfvfkh-seik1.ln1@esprimo.zbmc.eu> <s53rpg$sbu$1@news1.tnib.de> <0n9gkh-m77l1.ln1@esprimo.zbmc.eu>
 by: Marc Haber - Tue, 13 Apr 2021 16:09 UTC

Chris Green <cl@isbd.net> wrote:
>Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
>> Chris Green <cl@isbd.net> wrote:
>> >If they're attacking an ssh login they're only
>> >going to get two or three tries before the delays become very long
>> >indeed.
>>
>> Why? Has sshd implemented such a scheme lately? Or do you assume that
>> everybody is using fail2ban or a network rate limit mechanism?
>>
>Well all my ssh logins, by default (i.e. as installed xubuntu systems),
>have a several second delay after even the first failed login and I
>think it gets longer after further failures.

man sshd_config doesn't list such an option.

Greetings
Marc

Re: SSH brute force breakin attempts

<s54gea$frn$1@dont-email.me>

https://www.novabbs.com/devel/article-flat.php?id=341&group=comp.security.ssh#341

From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.security.ssh
Subject: Re: SSH brute force breakin attempts
Date: Tue, 13 Apr 2021 16:21:30 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 26
Message-ID: <s54gea$frn$1@dont-email.me>
References: <s52ntt$1tkb$1@gioia.aioe.org> <s53683$tg3$1@dont-email.me>
<s54fdt$21t$1@gioia.aioe.org>
 by: William Unruh - Tue, 13 Apr 2021 16:21 UTC

On 2021-04-13, S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
> On Tue, 13 Apr 2021 04:21:24 +0000, William Unruh wrote:
>
>> Change the port on which sshd listens (in /etc/ssh/sshd_config) and
>> then on your various machines that you log into your machine from, place:
>>
>>     # Or whatever the name of your machine is
>>     Host donald.duck.com
>>         # Or whatever port you told your sshd to listen on
>>         Port 12345
>>
>> Then ssh will use that port instead of 22 and your attackers will all be
>> switched off. Of course if you try to log in via ssh from some other
>> machine where you have not installed that stuff into ssh_config, you
>> will have to remember that port number: ssh -p 12345 donald.duck.com
>
> Thanks. I am not bothered by such attacks on port 22 - I have
> defenses in place so that attackers are blocked for a few days after a
> few attempts. I am just curious as to why their frequency has decreased
> so dramatically in the last few weeks - as others point out, it may well
> be because of my change of ISP.

The probability of an attack succeeding is directly proportional to
the number of attempts they make. 0 attempts means 0 probability, no
matter what other defenses you have. It is called defense in depth. Like
the Challenger disaster-- it is when you assume that a defense line is
irrelevant, since there are other defenses, that disasters happen.
