Educause Security Discussion mailing list archives

Ongoing distributed Linux SSH dictionary attack


From: Andrew Daviel <advax () TRIUMF CA>
Date: Thu, 16 Apr 2009 16:15:00 -0700

FYI

We are seeing a distributed-source SSH dictionary attack on multiple machines.
The sources appear to be running Linux according to P0F. This blows past our
"15 strikes sitewide and you are out" filter.

Apr 16 15:24:27 xxxx sshd[25699]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 67.159.44.179
Apr 16 15:26:05 xxxx sshd[25706]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 77.92.129.178
Apr 16 15:27:38 xxxx sshd[25716]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 85.17.201.76
Apr 16 15:29:04 xxxx sshd[25726]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 061239249180.ctinets.com
Apr 16 15:30:35 xxxx sshd[25752]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 220.232.240.148
Apr 16 15:32:19 xxxx sshd[25757]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 184.197.221.203-static.velocitynet.com.au

etc.

--- p0f 2.0.8 resuming operations at <Thu Apr 16 15:18:26 2009> ---
<Thu Apr 16 15:18:32 2009> 83.149.64.3:46261 - Linux 2.6 (newer, 3) (up: 382 hrs) -> xxxx (distance 15, link: ethernet/modem)
<Thu Apr 16 15:20:14 2009> 200.29.169.172:59119 - Linux 2.6 (newer, 2) (up: 429 hrs) -> xxxx (distance 18, link: ethernet/modem)
<Thu Apr 16 15:23:27 2009> 118.69.205.23:53479 - Linux 2.6, seldom 2.4 (older, 4) (up: 200 hrs) -> xxxx (distance 15, link: ethernet/modem)
<Thu Apr 16 15:24:27 2009> 67.159.44.179:54611 - Linux 2.6 (newer, 3) (up: 317 hrs) -> xxxx (distance 17, link: ethernet/modem)

etc.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
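The evasion in the post above is that a per-source "15 strikes" counter never fires when each source contributes only one or two failures. What still correlates is the target host and the username sequence (a wordlist walked in order: blithe, blodwyn, ...) across many sources inside a short window. The following is an added example, not code from the original post or from the Educause list: a small detector run over the post's own sshd lines. It assumes Python 3, a syslog year of 2009 (syslog timestamps carry none), and adds one constructed "Failed password" line from 192.0.2.10 (a documentation address) to exercise the standard sshd format as well as the PAM one quoted above. The thresholds (15-minute window, 5 distinct sources, the site's 15-strike per-source limit) are assumptions to tune for a real host.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Added example: correlate sshd failures across sources so that a per-source
# "N strikes" threshold is not the only signal a site relies on.

# Two sshd formats: the PAM "illegal user" line quoted in the post, and the
# standard "Failed password for [invalid user] X from Y port P ssh2" line.
_PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r".*illegal user (?P<user>\S+) from (?P<src>\S+)$"
)
_FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: the six lines from the post plus one invented
# "Failed password" line (192.0.2.10 is a documentation-range address).
SAMPLE_LOG = """\
Apr 16 15:24:27 xxxx sshd[25699]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 67.159.44.179
Apr 16 15:26:05 xxxx sshd[25706]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 77.92.129.178
Apr 16 15:27:38 xxxx sshd[25716]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 85.17.201.76
Apr 16 15:29:04 xxxx sshd[25726]: error: PAM: User not known to the underlying authentication module for illegal user blithe from 061239249180.ctinets.com
Apr 16 15:30:35 xxxx sshd[25752]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 220.232.240.148
Apr 16 15:32:19 xxxx sshd[25757]: error: PAM: User not known to the underlying authentication module for illegal user blodwyn from 184.197.221.203-static.velocitynet.com.au
Apr 16 15:40:00 xxxx sshd[25800]: Failed password for root from 192.0.2.10 port 4444 ssh2
"""


def parse_sshd_line(line, year=2009):
    """Return {'ts', 'host', 'user', 'src'} for a failed-login line, else None.
    syslog timestamps carry no year, so one is assumed (2009 for the post)."""
    for rx in (_PAM_RE, _FAILED_RE):
        m = rx.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]}
    return None


def parse_log(text, year=2009):
    """Parse every recognised failure line and return them sorted by time."""
    events = (parse_sshd_line(l, year) for l in text.splitlines())
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def per_source_counts(events):
    """What a per-source 'N strikes' filter sees: failures keyed by source."""
    return Counter(e["src"] for e in events)


def detect_distributed(events, window=timedelta(minutes=15),
                       min_sources=5, per_source_limit=15):
    """Flag windows in which many distinct sources each fail only a few times:
    every source stays under per_source_limit, yet the host is under sustained
    guessing. Each window is reported once; returns a list of finding dicts."""
    findings = []
    i = 0
    while i < len(events):
        start = events[i]["ts"]
        j = i
        while j < len(events) and events[j]["ts"] - start <= window:
            j += 1
        chunk = events[i:j]
        srcs = Counter(e["src"] for e in chunk)
        if len(srcs) >= min_sources and max(srcs.values()) < per_source_limit:
            users = []                      # usernames in first-seen order
            for e in chunk:
                if e["user"] not in users:
                    users.append(e["user"])
            findings.append({
                "start": start, "end": chunk[-1]["ts"],
                "sources": len(srcs), "attempts": len(chunk), "users": users,
            })
            i = j                           # skip past the reported window
        else:
            i += 1
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("max failures from any single source:", max(per_source_counts(evs).values()))
    for f in detect_distributed(evs):
        print(f)
```

On the sample, no source exceeds one failure, so a per-source filter at 15 (or even at 2) never acts, while the windowed view reports six sources walking the same wordlist against one host in under eight minutes. In practice the windowed alert is better used to raise scrutiny or to tighten the per-source limit temporarily for the target host than to block, since the sources will keep changing; the username order is also a useful pivot, because the same list position tends to appear on every attacked host at about the same time.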
