computers / comp.security.ssh / SSH brute force breakin attempts

Subject: SSH brute force breakin attempts
From: S.K.R. de Jong
Newsgroups: comp.security.ssh
Organization: Aioe.org NNTP Server
Date: Tue, 13 Apr 2021 00:17 UTC
I have a system with an SSH server accessible from the Internet.
For the last few years, I have been monitoring a steady flow of brute
force breakin attempts, at an average rate of at least one attempt per
minute, significantly more during peak hours.

Remarkably, starting a few weeks ago, this rate has fallen
dramatically, to less than one per hour, even during those times of the
day when I would usually register several attempts per minute.

Have you guys noticed something similar in your logs? I am
curious because this decrease more or less has coincided with a change of
ISP on my side, which implies that the Internet-visible static IP address
that my SSH daemon is listening at has changed. The actual domain name is
the same though.

I just wonder whether it is the case that would-be crackers are
scanning static IP addresses pools corresponding to some ISPs, while
leaving other ISPs more or less alone, perhaps because they are not quite
as well-known - my previous ISP has a much higher profile than my new
one, although the service from the new one is (so far) just as reliable,
while being much faster and cheaper.

Anyway, I would appreciate it if you guys could share your
experiences on these issues.



Subject: Re: SSH brute force breakin attempts
From: William Unruh
Newsgroups: comp.security.ssh
Organization: A noiseless patient Spider
Date: Tue, 13 Apr 2021 04:21 UTC
References: 1
On 2021-04-13, S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
> I have a system with an SSH server accessible from the Internet.
> For the last few years, I have been monitoring a steady flow of brute
> force breakin attempts, at an average rate of at least one attempt per
> minute, significantly more during peak hours.
>
> Remarkably, starting a few weeks ago, this rate has fallen
> dramatically, to less than one per hour, even during those times of the
> day when I would usually register several attempts per minute.
>
> Have you guys noticed something similar in your logs? I am
> curious because this decrease more or less has coincided with a change of
> ISP on my side, which implies that the Internet-visible static IP address
> that my SSH daemon is listening at has changed. The actual domain name is
> the same though.
>
> I just wonder whether it is the case that would-be crackers are
> scanning static IP addresses pools corresponding to some ISPs, while
> leaving other ISPs more or less alone, perhaps because they are not quite
> as well-known - my previous ISP has a much higher profile than my new
> one, although the service from the new one is (so far) just as reliable,
> while being much faster and cheaper.
>
> Anyway, I would appreciate it if you guys could share your
> experiences on these issues.

Change the port on which sshd listens (in /etc/ssh/sshd_config), and
then on your various machines that you log into your machine from, place

Host donald.duck.com  # Or whatever the name of your machine is
    Port 12345        # Or whatever port you told your sshd to listen on

Then ssh will use that port instead of 22 and your attackers will all be
switched off. Of course if you try to log in via ssh from some other
machine where you have not installed that stuff into ssh_config, you
will have to remember that port number:

ssh -p 12345 donald.duck.com





Subject: Re: SSH brute force breakin attempts
From: Marc Haber
Newsgroups: comp.security.ssh
Organization: private site, see http://www.zugschlus.de/ for details
Date: Tue, 13 Apr 2021 07:27 UTC
References: 1
"S.K.R. de Jong" <SKRdJ@nowhere.net> wrote:
> I have a system with an SSH server accessible from the Internet.
> For the last few years, I have been monitoring a steady flow of brute
> force breakin attempts, at an average rate of at least one attempt per
> minute, significantly more during peak hours.
>
> Remarkably, starting a few weeks ago, this rate has fallen
> dramatically, to less than one per hour, even during those times of the
> day when I would usually register several attempts per minute.
>
> Have you guys noticed something similar in your logs? I am
> curious because this decrease more or less has coincided with a change of
> ISP on my side, which implies that the Internet-visible static IP address
> that my SSH daemon is listening at has changed. The actual domain name is
> the same though.

The frequency of those brute-force attacks varies dramatically by
target network. I have servers in various hosting networks and some of
those get ten times as many ssh probes as others. So, it is just
different characteristics of background noise in different parts of
the Internet.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834


Subject: Re: SSH brute force breakin attempts
From: Chris Green
Newsgroups: comp.security.ssh
Date: Tue, 13 Apr 2021 07:57 UTC
References: 1
S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
> I have a system with an SSH server accessible from the Internet.
> For the last few years, I have been monitoring a steady flow of brute
> force breakin attempts, at an average rate of at least one attempt per
> minute, significantly more during peak hours.

These aren't really 'brute force' attempts surely?  A brute force
attempt is one that sequences through every possible password
combination sequentially, often starting with shorter ones and moving
on to longer ones until a match is obtained.  A brute force attempt to
break a password depends on having fast and unlimited access to the
encoded string you're attempting to guess.

What you're seeing I would call 'opportunistic' attempts where the
attacker tries the obvious default passwords like 'passw0rd',
'abcdefgh' and so on.  If they're attacking an ssh login they're only
going to get two or three tries before the delays become very long
indeed.

--
Chris Green


Subject: Re: SSH brute force breakin attempts
From: Marc Haber
Newsgroups: comp.security.ssh
Organization: private site, see http://www.zugschlus.de/ for details
Date: Tue, 13 Apr 2021 10:29 UTC
References: 1 2
Chris Green <cl@isbd.net> wrote:
> If they're attacking an ssh login they're only
> going to get two or three tries before the delays become very long
> indeed.

Why? Has sshd implemented such a scheme lately? Or do you assume that
everybody is using fail2ban or a network rate limit mechanism?

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834


Subject: Re: SSH brute force breakin attempts
From: Chris Green
Newsgroups: comp.security.ssh
Date: Tue, 13 Apr 2021 10:51 UTC
References: 1 2 3
Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
> Chris Green <cl@isbd.net> wrote:
>> If they're attacking an ssh login they're only
>> going to get two or three tries before the delays become very long
>> indeed.
>
> Why? Has sshd implemented such a scheme lately? Or do you assume that
> everybody is using fail2ban or a network rate limit mechanism?

Well, all my ssh logins, by default (i.e. as-installed xubuntu systems),
have a several second delay after even the first failed login and I
think it gets longer after further failures.  This is even for logins
across my LAN where I'm certainly not running fail2ban or anything
like that.

Even a 1 second delay would prevent any sort of brute force attack
from working, you surely need millions of attempts for it to have any
hope of success.

--
Chris Green


Subject: Re: SSH brute force breakin attempts
From: S.K.R. de Jong
Newsgroups: comp.security.ssh
Organization: Aioe.org NNTP Server
Date: Tue, 13 Apr 2021 16:04 UTC
References: 1 2
On Tue, 13 Apr 2021 04:21:24 +0000, William Unruh wrote:

> Change the port on which sshd listens. (in /etc/ssh/sshd_config) and
> then on your various machines that you log into your machine from place
>
> place Host donald.duck.com  # Or whatever the name of your machine is
> Port 12345   # Or whatever port you told your sshd to listen on
>
> Then ssh will use that port instead of 22 and your attackers will all be
> switched off. Of course if you try to log in via ssh from some other
> machine where you have not installed that stuff into ssh_config, you
> will have to remember that port number ssh -P12345 donald.duck.com

Thanks. I am not bothered by such attacks on port 22 - I have
defenses in place so that attackers are blocked for a few days after a
few attempts. I am just curious as to why their frequency has decreased
so dramatically in the last few weeks - as others point out, it may well
be because of my change of ISP.


Subject: Re: SSH brute force breakin attempts
From: S.K.R. de Jong
Newsgroups: comp.security.ssh
Organization: Aioe.org NNTP Server
Date: Tue, 13 Apr 2021 16:08 UTC
References: 1 2
On Tue, 13 Apr 2021 08:57:13 +0100, Chris Green wrote:

> S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
>> I have a system with an SSH server accessible from the Internet.
>> For the last few years, I have been monitoring a steady flow of brute
>> force breakin attempts, at an average rate of at least one attempt per
>> minute, significantly more during peak hours.
>
> These aren't really 'brute force' attempts surely?  A brute force
> attempt is one that sequences through every possible password
> combination sequentially, often starting with shorter ones and moving on
> to longer ones until a match is obtained.  A brute force attempt to
> break a password depends on having fast and unlimited access to the
> encoded string you're attempting to guess.
>
> What you're seeing I would call 'opportunistic' attempts where the
> attacker tries the obvious default passwords like 'passw0rd', 'abcdefgh'
> and so on.  If they're attacking an ssh login they're only going to get
> two or three tries before the delays become very long indeed.

That's right - they keep trying typical user names. I have
password authentication disabled for hosts outside my network.
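What the original poster is measuring (failed attempts per hour and per minute), what this reply adds (the same handful of typical user names being tried), and the "blocked for a few days after a few attempts" rule de Jong mentions earlier in the thread, worked out over sample sshd log lines. This is an added example, not code from any poster; the log lines are constructed, the year is assumed (syslog omits it), and the threshold, window and ban length are assumed values in the fail2ban style.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample auth.log lines in the syslog format OpenSSH sshd writes.
# Addresses are documentation ranges; syslog timestamps carry no year.
SAMPLE_LOG = """\
Apr 13 00:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Apr 13 00:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Apr 13 00:01:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 13 00:02:30 host sshd[1210]: Failed password for invalid user pi from 198.51.100.23 port 51000 ssh2
Apr 13 00:30:00 host sshd[1250]: Failed password for root from 203.0.113.7 port 40500 ssh2
Apr 13 00:45:10 host sshd[1290]: Failed password for invalid user oracle from 198.51.100.23 port 51230 ssh2
Apr 13 01:10:00 host sshd[1301]: Accepted publickey for skr from 192.0.2.10 port 22000 ssh2: ED25519 SHA256:abc
Apr 13 02:15:44 host sshd[1400]: Failed password for invalid user test from 203.0.113.7 port 40900 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

@dataclass(frozen=True)
class Failure:
    ts: datetime
    user: str
    invalid_user: bool  # True when sshd reports the account does not exist
    ip: str

def parse_failures(log_text, year=2021):
    """Extract failed password attempts; the year is assumed since syslog omits it."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd chatter are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append(Failure(ts, m["user"], m["invalid"] is not None, m["ip"]))
    return failures

def attempts_per_hour(failures):
    """Failures per clock hour, keyed by 'YYYY-MM-DD HH:00', oldest first."""
    counts = Counter(f.ts.strftime("%Y-%m-%d %H:00") for f in failures)
    return dict(sorted(counts.items()))

def average_per_minute(failures):
    """Mean failures per minute over the observed span (0.0 if fewer than two)."""
    if len(failures) < 2:
        return 0.0
    stamps = [f.ts for f in failures]
    minutes = (max(stamps) - min(stamps)).total_seconds() / 60
    return len(failures) / minutes if minutes else float(len(failures))

def guessed_usernames(failures):
    """Account names being tried, split by whether the account exists."""
    return Counter((f.user, f.invalid_user) for f in failures)

def block_decisions(failures, threshold=3, window_minutes=10, ban_days=3):
    """fail2ban-style rule with assumed values: `threshold` failures from one
    IP inside `window_minutes` block it for `ban_days`. Attempts arriving while
    an IP is blocked are dropped before sshd sees them, so they neither count
    nor extend the ban. Returns {ip: (blocked_at, blocked_until)} as
    'YYYY-MM-DD HH:MM:SS' strings, keeping the latest block per IP."""
    window, ban = timedelta(minutes=window_minutes), timedelta(days=ban_days)
    recent, blocked = defaultdict(list), {}
    for f in sorted(failures, key=lambda x: x.ts):
        if f.ip in blocked and f.ts < blocked[f.ip][1]:
            continue  # already firewalled: sshd never receives this attempt
        hits = [t for t in recent[f.ip] if f.ts - t < window] + [f.ts]
        if len(hits) >= threshold:
            blocked[f.ip] = (f.ts, f.ts + ban)
            hits = []  # start counting afresh once the ban has lapsed
        recent[f.ip] = hits
    fmt = "%Y-%m-%d %H:%M:%S"
    return {ip: (a.strftime(fmt), u.strftime(fmt)) for ip, (a, u) in blocked.items()}

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{len(fails)} failures, {average_per_minute(fails):.3f} per minute")
    print("per hour:", attempts_per_hour(fails))
    print("usernames tried:", guessed_usernames(fails).most_common(3))
    print("blocks:", block_decisions(fails))
```

On a real host the same functions can be fed `/var/log/auth.log` (or the output of `journalctl -u ssh`) instead of the constructed sample.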


Subject: Re: SSH brute force breakin attempts
From: Marc Haber
Newsgroups: comp.security.ssh
Organization: private site, see http://www.zugschlus.de/ for details
Date: Tue, 13 Apr 2021 16:09 UTC
References: 1 2 3 4
Chris Green <cl@isbd.net> wrote:
> Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
>> Chris Green <cl@isbd.net> wrote:
>>> If they're attacking an ssh login they're only
>>> going to get two or three tries before the delays become very long
>>> indeed.
>>
>> Why? Has sshd implemented such a scheme lately? Or do you assume that
>> everybody is using fail2ban or a network rate limit mechanism?
>
> Well all my ssh logins, by default (i.e. as installed xubuntu systems),
> have a several second delay after even the first failed login and I
> think it gets longer after further failures.

man sshd_config doesn't list such an option.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834


Subject: Re: SSH brute force breakin attempts
From: William Unruh
Newsgroups: comp.security.ssh
Organization: A noiseless patient Spider
Date: Tue, 13 Apr 2021 16:21 UTC
References: 1 2 3
On 2021-04-13, S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
> On Tue, 13 Apr 2021 04:21:24 +0000, William Unruh wrote:
>
>> Change the port on which sshd listens. (in /etc/ssh/sshd_config) and
>> then on your various machines that you log into your machine from place
>>
>> place Host donald.duck.com  # Or whatever the name of your machine is
>> Port 12345   # Or whatever port you told your sshd to listen on
>>
>> Then ssh will use that port instead of 22 and your attackers will all be
>> switched off. Of course if you try to log in via ssh from some other
>> machine where you have not installed that stuff into ssh_config, you
>> will have to remember that port number ssh -P12345 donald.duck.com
>
> Thanks. I am not bothered by such attacks on port 22 - I have
> defenses in place so that attackers are blocked for a few days after a
> few attempts. I am just curious as to why their frequency has decreased
> so dramatically in the last few weeks - as others point out, it may well
> be because of my change of ISP.

The probability of an attack succeeding is directly proportional to
the number of attempts they make. 0 attempts means 0 probability, no
matter what other defenses you have. It is called defense in depth. Like
the Challenger disaster -- it is when you assume that a defense line is
irrelevant, since there are other defenses, that disasters happen.



Subject: Re: SSH brute force breakin attempts
From: S.K.R. de Jong
Newsgroups: comp.security.ssh
Organization: Aioe.org NNTP Server
Date: Tue, 13 Apr 2021 17:11 UTC
References: 1 2 3 4
On Tue, 13 Apr 2021 16:21:30 +0000, William Unruh wrote:

> The probability of an attack succeeding is directly proportional to
> the number of attempts they make. 0 attempts means 0 probability, no
> matter what other defenses you have. It is called defense in depth. Like
> the Challenger disaster -- it is when you assume that a defense line is
> irrelevant, since there are other defenses, that disasters happen.

True. I am not too concerned though, all the more so because I
don't allow password authentication from hosts in the Internet.



Subject: Re: SSH brute force breakin attempts
From: William Unruh
Newsgroups: comp.security.ssh
Organization: A noiseless patient Spider
Date: Tue, 13 Apr 2021 19:24 UTC
References: 1 2 3 4 5
On 2021-04-13, S.K.R. de Jong <SKRdJ@nowhere.net> wrote:
> On Tue, 13 Apr 2021 16:21:30 +0000, William Unruh wrote:
>
>> The probability of an attack succeeding is directly proportional to
>> the number of attempts they make. 0 attempts means 0 probability, no
>> matter what other defenses you have. It is called defense in depth. Like
>> the Challenger disaster -- it is when you assume that a defense line is
>> irrelevant, since there are other defenses, that disasters happen.
>
> True. I am not too concerned though, all the more so because I
> don't allow password authentication from hosts in the Internet.

Good idea. However, this means that the external call actually runs the
sshd daemon, which is what then decides that what it receives is a
password based request, and looks up to check that this is actually
coming from the internet. I.e., there is an opening for some bugs in sshd
to rear their ugly head and allow a niche for the remote attacker to get
in. If however, the system never actually delivers the attempt to sshd
at all, because it is coming in on a port where sshd is not listening,
then the holes in sshd are irrelevant.
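The two server-side measures traded in this subthread, a non-default port so that traffic to 22 is never handed to sshd, and password authentication refused except from the local network, written out as one sshd_config with the weak defaults shown commented out beside the hardened settings. This is an added example, not any poster's configuration; the port number and the LAN prefix are assumptions.

```sshd_config
# /etc/ssh/sshd_config (assumed values; added example, not a poster's file)

# Weak: the defaults that the thread's background noise is aimed at.
#Port 22
#PasswordAuthentication yes

# Hardened: nothing arriving on port 22 is ever handed to sshd, so a bug
# in sshd's password path cannot be reached from there at all.
Port 12345
# Internet-facing default: keys only, so a guessed password is never enough.
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
# sshd has no failed-login delay setting of its own; the nearest knob it
# offers is a cap on authentication attempts per connection.
MaxAuthTries 3

# Match blocks must be the last thing in the file: every line below applies
# only to the matched sources. Passwords are allowed from the LAN alone.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Validate the file with `sshd -t` before restarting the daemon, and keep an existing session open while switching ports so a typo cannot lock you out.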



Subject: Re: SSH brute force breakin attempts
From: Chris Green
Newsgroups: comp.security.ssh
Date: Tue, 13 Apr 2021 21:03 UTC
References: 1 2 3
Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
> Chris Green <cl@isbd.net> wrote:
>> If they're attacking an ssh login they're only
>> going to get two or three tries before the delays become very long
>> indeed.
>
> Why? Has sshd implemented such a scheme lately? Or do you assume that
> everybody is using fail2ban or a network rate limit mechanism?

On [x]ubuntu systems there is a default failed login delay of a couple
of seconds, so it's not ssh specifically but it's there alright.  I'm
not sure if other distributions do the same.

--
Chris Green


Subject: Re: SSH brute force breakin attempts
From: Doug McIntyre
Newsgroups: comp.security.ssh
Date: Fri, 16 Apr 2021 19:24 UTC
References: 1
"S.K.R. de Jong" <SKRdJ@nowhere.net> writes:
> Have you guys noticed something similar in your logs? I am
> curious because this decrease more or less has coincided with a change of
> ISP on my side, which implies that the Internet-visible static IP address
> that my SSH daemon is listening at has changed. The actual domain name is
> the same though.

Different IP ranges get scanned at different rates.

If there is something up and longstanding, it gets probed more than
space that had been empty for months/years before you occupying it,
which gets probed less because there was nothing there before.

Also, I think all the "white-hats" scanning IP space (i.e. think Shodan),
probably far outnumber the crackers scanning IP space.

So many people trying to look out for you, eating up your network
bandwidth.

Sigh.

--
Doug McIntyre
doug@themcintyres.us

