Currently playing: Disintegration by The Cure.
Alex' 32 top ssh bruteforce muppets is now Alex' 34 top ssh bruteforce muppets - with a brand new entry at number two (210.97.53.129) with 927 connection attempts. Last week's number one, two and three are unchanged leaving me to believe this activity really does take place from disposable machines.
I have been running statistics of attempted password logins to miracle for a few weeks now. Password authentication is not allowed in my sshd, so rather than looking for invalid usernames in the log, I look for password authentication attempts and count them. So far I have only seen 32 unique IP addresses. The top connecter (208.53.131.123 - dshield knows about this one) has been seen 2823 times, with a sharp drop down to number two (211.50.32.30) seen 577 times and then another sharp drop down to third place with 321 connections.
345 unique usernames have been attempted with root being attempted most often (3375 attempts), then a sharp drop down to the usernames test, adm and admin with 89, 84 and 67 attempts respectively. Most of these usernames are regular people's first names, not commonly found on UNIX systems. I think this entire ssh bruteforce nonsense is what you call a stab in the dark.
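The counting described above, as an added example rather than the author's own script: it assumes the attempts appear as OpenSSH's standard "Failed password for [invalid user] NAME from IP port N" syslog lines, and the sample log lines below are constructed (the addresses are the ones mentioned in this post).

```python
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (not real log data).
SAMPLE_LOG = """\
Jan  7 01:18:02 miracle sshd[4711]: Failed password for root from 208.53.131.123 port 4321 ssh2
Jan  7 01:18:04 miracle sshd[4711]: Failed password for root from 208.53.131.123 port 4322 ssh2
Jan  7 01:18:09 miracle sshd[4712]: Failed password for invalid user test from 211.50.32.30 port 1234 ssh2
Jan  7 01:18:11 miracle sshd[4713]: Failed password for invalid user adm from 208.53.131.123 port 4323 ssh2
Jan  7 01:18:20 miracle sshd[4714]: Accepted publickey for peter from 192.0.2.10 port 50000 ssh2
Jan  7 01:18:31 miracle sshd[4715]: Failed password for root from 210.97.53.129 port 2222 ssh2
"""

# One password attempt per matching line. The "invalid user " prefix is only
# present when the username does not exist on the host, so it is optional here.
# Public-key logins ("Accepted publickey") never match and are not counted.
PASSWORD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def count_password_attempts(log_text):
    """Return (per_ip, per_user) Counters of password authentication attempts."""
    per_ip, per_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = PASSWORD_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            per_user[m.group("user")] += 1
    return per_ip, per_user


def report(log_text, top=10):
    """Print the unique-address/username totals and the top offenders."""
    per_ip, per_user = count_password_attempts(log_text)
    print(f"{len(per_ip)} unique source addresses, {len(per_user)} unique usernames")
    print("Top source addresses:")
    for ip, n in per_ip.most_common(top):
        print(f"{n:6d}  {ip}")
    print("Top usernames:")
    for user, n in per_user.most_common(top):
        print(f"{n:6d}  {user}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Feed it the real file with `report(open("/var/log/authlog").read())` on a host where the line format matches.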
I encountered a brand new muppet of a spectacular sort in dk.edb.sikkerhed yesterday. I have never seen him around before. I have no idea who he is, what his skills are, nor what he has ever done (according to Google: nothing). Even though he cannot articulate reasons for the security decisions he is advocating, he sure knows everything about me and how rude I am to everyone and how much I am in need of professional help. If you can read Danish and want a chuckle, find the only post in Google Groups archives with the word slagterkone in it and start at the beginning of that thread.
The Spirited One read one of the first posts in that thread and was a little disappointed to find me taking part in such pointless discussions - but I am allowed to be bad sometimes, I think.
01:18 <dogs> hobnobs -- truly the food of kings 01:19 <madboar> nah. toast innit. 01:20 <reverse> Chocolate. 01:20 <dogs> chocolate hobnobs on toast! 01:20 <reverse> with lasers! 01:21 <dogs> and duck butter!
Be afraid. Be very afraid.
I am more than a little amused because Michael Howard usually likes to point out security flaws in 'linux software'. He doesn't mention the stupid ass feature/bug in Media Player that let attackers use Microsoft's Digital Rights Management function to install malware on clients nor the countless unpatched bugs in IE that are actively being exploited.
I am disappointed with undeadly's article, posted on 31 Dec, on the recent sshd brute force attempts. I am with djm@ on this one. Decent passwords cannot feasibly be remotely brute forced via SSH. If you allow password authentication and you allow your users to pick bad passwords, you need to go to bed earlier. If you have any security reasons to act on this ssh traffic, you are doing something incredibly wrong. The only reason you should do anything about this is if the log messages bother you.
You know that IDS you have running that looks for attacks from network-based worms and adds the IP address to a database in case you ever need a disposable host with known security problems? Include the source addresses of these attacks in your database.
I am not an alcoholic. I don't go to meetings, motherfucker! -- some guy on NovaStream.
This is almost a perfect repeat of last year: Spent some quiet time with her last night. Talked, ate and so on.
No Darwin awards were awarded last night.