#9, 22nd May 2009
Mantazz (Shell Scout; Join Date: Oct 2008; Posts: 90)

Quote:
Originally Posted by windependence
Welcome to the world of the internet. Like has been stated, all this is just "noise". They have no target specifically, they are just looking for weak security to exploit.
I never really figured they had any particular target, I was just curious as to how they found my system. I figure they could bump into my system one of two ways:

Crawling through the web, using some sort of bot system to check every host they can find for open ssh ports to try. I would expect if this was the case that the attempts would come by "ssh myobscurehostname.youwontguessthis.org".

Or, crawling the internet, looking for open ssh ports on any system they can get a response from. I would expect if this was the case that the attempts would come by "ssh 123.45.67.89".

Being as my web server is likely in the bottom .001% of the internet in terms of popularity (maybe 2 or 3 unique hits per day) I figure the second is more likely. I also figure that the bot-masters are likely smart enough to know that ssh and httpd are not necessarily employed together in all cases.

Though ultimately this is just a question for my own sake. I don't expect that it would in any way help to resolve the situation.

Quote:
It does no good to try to block these as there are so many of them and a good number of these are spoofing perfectly good IP addresses so in some cases you would actually be doing yourself harm by blocking legitimate traffic.
I haven't bothered doing anything in particular to respond to these distributed attacks. I also view them essentially as noise. I monitor them and mine the data occasionally, but I don't do anything proactive or reactive for them beyond the obvious (no remote root login, very short list of allowed users with strong passwords, etc.).

Quote:
The best thing you can do if you want to take the load off your server is to set up a good firewall not on your server but separately so that CPU cycles are not being used to deny access. I run pfsense boxes in front of all my servers and it's a wonderful setup. Even my Windoze admins can use the easy web GUI and I can still access the box via CLI if I want to.
CPU cycles are another thing I'm not particularly concerned about on this system. As I said, this web server is just a hobby at home, serving very few pages of very little importance. Right now the only response to the distributed attempts is to let sshd reject them, and log the date, time, username attempted, and IP address.

Quote:
Don't lose any sleep over these "attacks" as they aren't directed at you per se, and as long as they aren't getting in, you'll be fine.

-Tim
Not to be arrogant, but unless they change their strategy they will never get in. So I certainly don't stay up at night worrying about this. If they developed a strategy to find valid usernames then I might be more concerned. But even when they did an A-Z "phone book" style attack they did not once hit on a valid user name. And their earlier dictionary attempts on root of course failed for reasons described above.

So to reiterate, I'm not worried right now. I'm just curious as to how they found my system to begin with. I know that of course people have scanned the internet for open ports for years (a win2k box I had with cygwin sshd was once found in less than a half hour), so that is what I figure the most likely way that my server was found.
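The post above describes logging the date, time, attempted username and source IP of every rejected attempt, mining that data occasionally, and watching for two things: an A-Z "phone book" sweep of usernames, and any attempt that lands on a valid account name. The script below is an added example (not code from the original post or thread) that does that mining over OpenSSH auth-log lines. The sample log lines are constructed, and VALID_USERS is an assumed allow-list standing in for the host's real short list of permitted accounts.

```python
"""Mine OpenSSH failed-login lines from a syslog-style auth log.

Added example, not code from the original post. The SAMPLE_LOG lines are
constructed and VALID_USERS is an assumed allow-list.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One OpenSSH "Failed password" line per rejected attempt. The optional
# "invalid user" prefix is sshd's own tag for a name that does not exist
# on the host, so the log itself tells us which names were real.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<inv>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

VALID_USERS = {"alice", "webadmin"}  # assumed; stands in for the real AllowUsers list

# Constructed sample: one source sweeping names alphabetically, one
# hammering root, one that happens to guess a real account name.
SAMPLE_LOG = """\
May 22 03:14:07 www sshd[4021]: Failed password for invalid user aaron from 203.0.113.5 port 40122 ssh2
May 22 03:14:09 www sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
May 22 03:14:11 www sshd[4025]: Failed password for invalid user bob from 203.0.113.5 port 40141 ssh2
May 22 03:14:13 www sshd[4027]: Failed password for invalid user carol from 203.0.113.5 port 40150 ssh2
May 22 03:14:15 www sshd[4029]: Failed password for invalid user dave from 203.0.113.5 port 40162 ssh2
May 22 03:14:17 www sshd[4031]: Failed password for invalid user eric from 203.0.113.5 port 40171 ssh2
May 22 03:20:01 www sshd[4100]: Failed password for root from 198.51.100.77 port 51002 ssh2
May 22 03:20:03 www sshd[4102]: Failed password for root from 198.51.100.77 port 51009 ssh2
May 22 03:20:05 www sshd[4104]: Failed password for root from 198.51.100.77 port 51015 ssh2
May 22 04:02:44 www sshd[4200]: Failed password for invalid user oracle from 192.0.2.19 port 33012 ssh2
May 22 04:02:46 www sshd[4202]: Failed password for alice from 192.0.2.19 port 33020 ssh2
May 22 04:03:00 www sshd[4210]: Accepted publickey for alice from 192.0.2.200 port 2020 ssh2
"""


@dataclass(frozen=True)
class Attempt:
    ts: str
    user: str
    ip: str
    exists: bool  # True when sshd did not tag the name "invalid user"


def parse_failed_logins(text):
    """Return an Attempt per Failed-password line, in log order; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append(Attempt(m["ts"], m["user"], m["ip"], m["inv"] is None))
    return out


def attempts_by_ip(attempts):
    """Group attempts by source address, preserving log order within each group."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    return dict(by_ip)


def is_alphabetical_sweep(usernames, min_run=5):
    """True when at least min_run distinct names were tried in ascending
    alphabetical order: the 'phone book' pattern. Repeats of the same name
    (password retries) neither extend nor break the run."""
    run = 1
    for prev, cur in zip(usernames, usernames[1:]):
        if cur > prev:
            run += 1
            if run >= min_run:
                return True
        elif cur < prev:
            run = 1
    return False


def valid_user_hits(attempts, valid_users=VALID_USERS):
    """(ip, user) pairs where the guessed name is on the allow-list."""
    return sorted({(a.ip, a.user) for a in attempts if a.user in valid_users})


def report(text, valid_users=VALID_USERS):
    """Summarise a log: volume, most-tried names, sweeping sources, allow-list hits."""
    attempts = parse_failed_logins(text)
    by_ip = attempts_by_ip(attempts)
    return {
        "total": len(attempts),
        "top_users": Counter(a.user for a in attempts).most_common(3),
        "sweeps": sorted(ip for ip, atts in by_ip.items()
                         if is_alphabetical_sweep([a.user for a in atts])),
        "valid_hits": valid_user_hits(attempts, valid_users),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Only "Failed password" lines are parsed, because OpenSSH also emits a separate "Invalid user X from IP" line for each nonexistent name and counting both would double the totals. The "exists" flag comes from sshd's own tagging, so it reflects the host's real accounts; the allow-list check is the narrower test the post cares about, since an existing account such as root can still be unreachable over SSH when remote root login is disabled.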