Ssh break in attempt

[cgkades at gmail.com (Brett)]

I'm sure with a simple grep and awk I could pull all the user names.  
But they're in order, and fairly large.

I've implemented denyhosts, and I've changed the default ssh port.  
There were no successfull logins from that ip.

I'm still surprised at the attack from perdue.edu i would have thought  
they would have an internal firewall preventing people from doing  
things like this.

Sent from my iPhone

On Mar 11, 2010, at 7:04, Dimitrios Kapsalis <dimitrios at gmail.com>  
wrote:

> I have seen similar on my home pc as well. Running ssh on a windows  
> box so the invalid login attempts are being saved in the Event log.
>
> Any way to harvest these user names? To see what is being used by  
> the attackers, skimming through the event log it definitely looks to  
> be dictionary based.
>
>
>
> On Wed, Mar 10, 2010 at 11:22 PM, Matt Erasmus <mailinglistmatt at gmail.com 
> > wrote:
> I wouldn't worry too much about SSH brute force attempts. There are
> many many of these attacks happening daily and unless you have some
> stupid user account like "bob" with "bob123" as your password, you
> should be alright.
>
> If you really want to be a little more proactive, take a look at
> Denyhosts [1] which will help stem the tide. There are also iptables
> rules which you can use to throttle back the attacks. I'll see if I
> can dig these up for you.
>
> As for logged in users, check your last log or even
> auth.log/secure.log depending on distro. You could probably script
> something to alert you should there be a login from elsewhere. But
> honestly, once that happens it's game over. The time frame from
> successful login to complete rooting of the server is very very low.
>
> For Apache, you should be checking your access/error logs. I haven't
> had a chance to really look into this though...
>
> While I'm thinking about it, check out OSSEC [2]. Very very cool HIDS
> which runs on Linux/Windows. It'll help a lot with most of your
> issues.
>
> </0.02c>
>
> [1] http://denyhosts.sourceforge.net/
> [2] http://www.ossec.net
>
> On 11 March 2010 01:49, Brett <cgkades at gmail.com> wrote:
> > I realized I haven't checked my logs on my new server ( bad me ).  
> But
> > I figured I wouldn't find anything, it's only my personal server. I
> > checked the logs today to find thousands of login attempts. Most  
> tried
> > to brute my root password, though I don't have a root user. There  
> were
> > a bunch of user name attempts for what looked like a name dictionary
> > attack. Some were from busness static ip's and there were even some
> > from perdu.edu
> >
> > Now for my questions. What should I look for to find out if they
> > actually got in? Parse the auth log for those ip's for a successfull
> > login? I also run a web server on that machine, is there something I
> > can look for to see If they got into that? Also is there any  
> recourse
> > I have? Or should I just let it go and harden my server even more?
>
>
>
> --
> Matt
> @z0nbi
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100311/730d0f1b/attachment.htm