[geeks] ssh attacks
Ido Dubrawsky
idubraws at dubrawsky.org
Wed Aug 11 20:38:24 CDT 2004
On Wed, Aug 11, 2004 at 12:09:06PM -0500, geeks-request at sunhelp.org wrote:
> Date: Wed, 11 Aug 2004 10:05:36 -0700 (MST)
> From: Gary Nichols <gary at linuxforce.org>
> Subject: Re: [geeks] ssh attacks
> To: The Geeks List <geeks at sunhelp.org>
> Message-ID:
> <Pine.LNX.4.56L0.0408111004020.9005 at hosting2.blondetribe.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Wed, 11 Aug 2004, Kevin wrote:
>
> > Lately, I've been getting several ssh login attempts to accounts
> > user, admin and test. Mostly from European and Asian countries.
> >
> > Is there some type of automated worm out there trying to exploit
> > an ssh vulnerability?
> >
> > Anyone else getting this crap?
>
> I've been tracking this thing for weeks. It's an automated probe tool
> using known accounts. I have some leads on the motive, but nothing
> concrete enough that I'm going to mention here.
>
> I *really* recommend that you move ssh to another port. You'll take
> yourself off the radar for 99% of the tools out there, unless they REALLY
> want YOUR box.
>
So my log files have been showing only the following:
Aug 8 23:44:20 elrond sshd[2355]: [ID 800047 auth.error] error: Could not get shadow information for NOUSER
Aug 8 23:44:22 elrond sshd[2357]: [ID 800047 auth.error] error: Could not get shadow information for NOUSER
on one box (running Solaris 9 MU4, OpenSSH 3.8.1p1). The other two boxes (one
is Solaris 9 MU4 as well and the other is RedHat Linux 6.0 trimmed down to the
bare bones and locked down... it's a really old box that I need to reinstall
with OpenBSD... but that's another story :-) ) that have SSH accessible from the
outside world only accept RSA/DSA private keys as authentication methods, so I
haven't seen those show up in the logs because the connection is dropped as
soon as the SSH server determines that the other side doesn't have the private
RSA/DSA key. I'm a big believer in PKI when it comes to SSH... well, that and
one-time passwords (although not the s/key implementation given its
vulnerabilities).
Ido
--
===============================================================================
Ido Dubrawsky, CISSP E-mail: ido at dubrawsky.org
Network Security Architect
dubrawsky.org
500 Hermleigh Rd
Silver Spring, MD. 20902
(301) 651-5441 (cell)
===============================================================================
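The thread describes two symptoms of the same account-guessing sweep: Solaris/OpenSSH 3.8.1p1 logging "Could not get shadow information for NOUSER" with no source address, and the more common OpenSSH "Invalid user ... from ..." / "Failed password for invalid user ..." lines that do name the source. The script below is an added example (not from any poster on this thread) that parses both shapes, counts attempts against non-existent accounts per host, and flags any source that walked through the well-known probe names mentioned in the thread (user, admin, test). The log lines embedded in it are constructed for the example: the two "elrond" lines copy the format quoted above, the host "gandalf" and the RFC 5737 addresses 203.0.113.7 and 198.51.100.9 are invented, and the message formats are OpenSSH's standard auth messages of that era.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log (not from the original post). First two lines mimic the
# Solaris 9 / OpenSSH 3.8.1p1 format quoted in the thread (no source address); the
# rest mimic OpenSSH's standard "Invalid user", "Failed password" and "Accepted" lines.
SAMPLE_LOG = """\
Aug  8 23:44:20 elrond sshd[2355]: [ID 800047 auth.error] error: Could not get shadow information for NOUSER
Aug  8 23:44:22 elrond sshd[2357]: [ID 800047 auth.error] error: Could not get shadow information for NOUSER
Aug  8 23:44:20 gandalf sshd[8123]: Invalid user user from 203.0.113.7
Aug  8 23:44:20 gandalf sshd[8123]: Failed password for invalid user user from 203.0.113.7 port 41022 ssh2
Aug  8 23:44:23 gandalf sshd[8125]: Invalid user admin from 203.0.113.7
Aug  8 23:44:23 gandalf sshd[8125]: Failed password for invalid user admin from 203.0.113.7 port 41031 ssh2
Aug  8 23:44:26 gandalf sshd[8127]: Invalid user test from 203.0.113.7
Aug  8 23:44:26 gandalf sshd[8127]: Failed password for invalid user test from 203.0.113.7 port 41044 ssh2
Aug  8 23:51:02 gandalf sshd[8140]: Failed password for ido from 198.51.100.9 port 52110 ssh2
Aug  8 23:51:09 gandalf sshd[8140]: Accepted publickey for ido from 198.51.100.9 port 52110 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message bodies, most specific first. "Invalid user" (capital I) is the standalone
# message; the lowercase "invalid user" inside "Failed password for ..." is handled
# by the optional group in the failed_password pattern, so the two never collide.
PATTERNS = [
    ("nouser", re.compile(r"Could not get shadow information for NOUSER$")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from (?P<src>\S+)")),
    ("failed_password", re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    ("accepted", re.compile(
        r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
]


def parse_events(log_text):
    """Turn raw sshd log lines into a list of event dicts; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for kind, pat in PATTERNS:
            pm = pat.search(msg)
            if pm:
                d = pm.groupdict()
                events.append({
                    "kind": kind,
                    "host": m.group("host"),
                    # Solaris NOUSER lines carry no username or source address.
                    "user": d.get("user", "NOUSER"),
                    "src": d.get("src"),
                })
                break
    return events


def nonexistent_account_attempts(events):
    """Count attempts against accounts that do not exist, keyed by (host, username)."""
    counts = Counter()
    for e in events:
        if e["kind"] in ("nouser", "invalid_user"):
            counts[(e["host"], e["user"])] += 1
    return counts


def probe_sources(events, probe_accounts=frozenset({"user", "admin", "test"}), min_accounts=2):
    """Return {source: [accounts]} for sources that tried at least min_accounts of the
    well-known probe names against non-existent accounts, i.e. the sweep described in
    the thread rather than a single mistyped login."""
    tried = defaultdict(set)
    for e in events:
        if e["kind"] == "invalid_user" and e["user"] in probe_accounts:
            tried[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in tried.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (host, user), n in sorted(nonexistent_account_attempts(evs).items()):
        print(f"{host}: {n} attempt(s) against non-existent account {user!r}")
    for src, users in probe_sources(evs).items():
        print(f"probe sweep from {src}: tried {', '.join(users)}")
```

Run against a real Solaris log the per-host NOUSER count is all you get, since that OpenSSH build does not log the peer address on that path; the Linux-style lines give the source, which is what you need before deciding whether to block it or just move the listener off port 22 as the earlier reply suggests.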