how to react on ssh attacks?

Stephanus Fengler fengler at uiuc.edu
Mon Oct 24 12:09:21 UTC 2005


Boris Glawe wrote:

>
>> So shall I worry about it or do I need to do some countermeasures?
>
> Just ignore it, if your passwords are long enough and are NOT based on 
> words that can be found in dictionaries. Change the passwords from 
> time to time AND keep your sshd up to date.
>
> If I have too many root login requests (>200) and I am able to find 
> out the attacker's provider (with nslookup <ip-address>), I sometimes 
> write an abuse report to the provider.
>
> Most of these attacks are script kiddies who are only successful 
> in case your password is empty or matches the username.
>
> greets Boris
>
Hi Boris,
Since I need the ssh service, I can't disable it. Actually, counting the 
number of root pw attacks, it was 540 within 28 mins, after which he 
switched over to pw guessing for random usernames for another 500 times 
and 25 mins. Anyway, nslookup gives:

 nslookup 81.208.32.170
Server:         134.60.1.111
Address:        134.60.1.111#53

Non-authoritative answer:
170.32.208.81.in-addr.arpa      name = 81-208-32-170.ip.fastwebnet.it.

Authoritative answers can be found from:
81.in-addr.arpa nameserver = TINNIE.ARIN.NET.
81.in-addr.arpa nameserver = NS3.NIC.FR.
81.in-addr.arpa nameserver = SEC1.APNIC.NET.
81.in-addr.arpa nameserver = SEC3.APNIC.NET.
81.in-addr.arpa nameserver = SUNIC.SUNET.SE.
81.in-addr.arpa nameserver = NS-EXT.ISC.ORG.
81.in-addr.arpa nameserver = NS-PRI.RIPE.NET.
NS3.NIC.FR      internet address = 192.134.0.49
NS3.NIC.FR      has AAAA address 2001:660:3006:1::1:1
SEC1.APNIC.NET  internet address = 202.12.29.59
SEC3.APNIC.NET  internet address = 202.12.28.140
SEC3.APNIC.NET  has AAAA address 2001:dc0:1:0:4777::140
SUNIC.SUNET.SE  internet address = 192.36.125.2
NS-PRI.RIPE.NET internet address = 193.0.0.195
NS-PRI.RIPE.NET has AAAA address 2001:610:240:0:53::3
TINNIE.ARIN.NET internet address = 69.25.34.195
TINNIE.ARIN.NET has AAAA address 2001:440:2000:1::22

I actually don't know what to do with this output.
And btw, just using the IP in a web browser, it comes up with a page from 
IBM ?!? ... weird...

greets,

fengler
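The counting Stephanus describes (hundreds of failed root logins, then a switch to random usernames, all from one source) is easy to automate from the sshd entries in /var/log/secure. The script below is an added example written for this thread, not code posted by either participant: it parses "Failed password" lines, tallies per source IP how many were against root, against non-existent users, or against real accounts, measures how long each source was active, and applies Boris's rule of thumb (more than 200 root attempts) to decide which sources are worth an abuse report. The log lines are constructed sample data that reuse the IP from the nslookup above; the year is assumed to be 2005 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/secure entries (syslog format, no year).
SAMPLE_LOG = """\
Oct 24 11:02:13 box sshd[4101]: Failed password for root from 81.208.32.170 port 40121 ssh2
Oct 24 11:02:15 box sshd[4103]: Failed password for root from 81.208.32.170 port 40130 ssh2
Oct 24 11:02:17 box sshd[4105]: Failed password for root from 81.208.32.170 port 40138 ssh2
Oct 24 11:30:40 box sshd[4990]: Failed password for invalid user test from 81.208.32.170 port 41002 ssh2
Oct 24 11:30:42 box sshd[4992]: Failed password for invalid user oracle from 81.208.32.170 port 41010 ssh2
Oct 24 11:55:01 box sshd[5200]: Failed password for invalid user admin from 81.208.32.170 port 41900 ssh2
Oct 24 12:00:01 box sshd[5300]: Accepted publickey for fengler from 192.0.2.10 port 55000 ssh2
Oct 24 12:01:07 box sshd[5310]: Failed password for fengler from 192.0.2.10 port 55010 ssh2
"""

# Matches only failed password authentications; "invalid user" marks
# guesses against accounts that do not exist on the box.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text, year=2005):
    """Return one dict per failed login: timestamp, source IP, user, invalid flag.
    The year is an assumption; syslog lines do not record it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "invalid": bool(m["invalid"])})
    return events


def summarize(events):
    """Per source IP: root guesses, guesses at non-existent users, guesses
    at real accounts, and the first/last time the source was seen."""
    per_ip = defaultdict(lambda: {"root": 0, "invalid_user": 0, "other": 0,
                                  "first": None, "last": None})
    for e in events:
        s = per_ip[e["ip"]]
        if e["user"] == "root":
            s["root"] += 1
        elif e["invalid"]:
            s["invalid_user"] += 1
        else:
            s["other"] += 1
        if s["first"] is None or e["ts"] < s["first"]:
            s["first"] = e["ts"]
        if s["last"] is None or e["ts"] > s["last"]:
            s["last"] = e["ts"]
    return dict(per_ip)


def minutes_active(stats):
    """Span in minutes between a source's first and last failed attempt."""
    return (stats["last"] - stats["first"]).total_seconds() / 60


def worth_reporting(summary, threshold=200):
    """Sources whose root-guess count reaches the threshold (Boris's >200
    rule of thumb by default); candidates for an abuse report."""
    return sorted(ip for ip, s in summary.items() if s["root"] >= threshold)


if __name__ == "__main__":
    summary = summarize(parse_failures(SAMPLE_LOG))
    for ip, s in summary.items():
        print(f"{ip}: root={s['root']} invalid_user={s['invalid_user']} "
              f"other={s['other']} active={minutes_active(s):.1f} min")
    print("report:", worth_reporting(summary))
```

On a real box, feed it the output of `cat /var/log/secure*` instead of SAMPLE_LOG; the "other" column is the one to watch, since a failure against an account that actually exists (here the operator's own login from 192.0.2.10) is worth more attention than a thousand guesses at "oracle".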




More information about the fedora-list mailing list