Re: OT: Security....

> ...
> > I do see more brute force attempts @ ssh these days and start 
> > wondering how much longer some script kiddie needs to make 
> > the algorithm a bit more clever (and eg attack user names on 
> > certain hosts which are likely to exist. This could be 
> > harvested eg from email addresses...).
> 
> If you do some Googling, you will no doubt find the info on this in some
> security forums that I found when it first started on Port 22 a few months
> ago.  A couple of people set up "honey pots" and waited and watched... the
> result was that after one of the scripted attacks detects a well known
> account / password combination, the attack changes from being scripted to
> manual and a "root kit" is installed.  The attackers were not good at
> covering their tracks in terms of command history, so that is what gave it
> away as a manual as opposed to a scripted attack.  Here's a list of hack
> source addresses that I've recorded over a period of two months:-
> 
> SSH Hack source addresses
> ...

These will change at least somewhat, of course.

> I checked one the other day and the IP was owned by a Korean University.

This is part of the reason why. 

The guys that are not smart enough to spoof the IP when they try to
climb in are usually on DHCP, or at a netcafe, or at a school where they
are more than half likely to get kicked out.

So the suggestion of a temporary blacklist is probably the best. I might
even set it shorter than two days, myself.

-- 
Joel <rees@xxxxxxxxxxx>
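A temporary blacklist of the kind discussed in this message, as an added example that is not part of the original post or of any tool named in the thread. The log format with ISO timestamps, the sample lines, the class name TempBlacklist, and the thresholds (3 failures in 10 minutes, 24 hour expiry) are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread). ISO timestamps are an assumption
# about the syslog format; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2005-01-10T03:12:01 host1 sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
2005-01-10T03:12:04 host1 sshd[4103]: Failed password for root from 192.0.2.10 port 40115 ssh2
2005-01-10T03:12:07 host1 sshd[4105]: Failed password for invalid user test from 192.0.2.10 port 40119 ssh2
2005-01-10T03:15:30 host1 sshd[4110]: Failed password for alice from 198.51.100.7 port 51200 ssh2
2005-01-10T03:15:41 host1 sshd[4110]: Accepted password for alice from 198.51.100.7 port 51200 ssh2
"""

FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

class TempBlacklist:
    """Block a source after max_failures within window; forget it after ttl."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 ttl=timedelta(hours=24)):
        self.max_failures, self.window, self.ttl = max_failures, window, ttl
        self.failures = {}   # ip -> timestamps of recent failed logins
        self.blocked = {}    # ip -> time at which the block expires

    def observe(self, line):
        m = FAILED.match(line)
        if not m:
            return           # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        recent = [t for t in self.failures.get(ip, []) if ts - t <= self.window]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.blocked[ip] = ts + self.ttl

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:    # entry aged out: the address may have a new user by now
            del self.blocked[ip]
            self.failures.pop(ip, None)
            return False
        return True

def run_sample():
    bl = TempBlacklist()
    for line in SAMPLE_LOG.splitlines():
        bl.observe(line)
    return bl
```

The expiry is what keeps a reassigned DHCP or shared netcafe address from staying blocked after the original source has moved on; a single mistyped password from 198.51.100.7 never reaches the threshold.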

