[nSLUG] My sshd has been discovered... ;-)

Donald Teed dteed at artistic.ca
Mon Aug 16 09:35:42 ADT 2004


I saw news of sshd activity on another mailing list, or forum.
Obviously ssh doesn't guard against choosing bad passwords, and
perhaps some script kiddies are now doing what they once did
on telnet ports.

Here is a graph of recent activity at the ISC:

http://isc.incidents.org/port_details.php?port=22

The worst case scenario is that some zero day exploit appears.
Even if it isn't the case today, it could be the case tomorrow.

Perhaps the first question you should ask is who uses your ssh
access?  If it is only you or a handful of users you can
easily talk to, perhaps you should run it on another port.
If you have a router, open up a weird port number
and port forward to your normal ssh port.  The script kiddies
are unlikely to be scanning all ports for ssh.  This is
what I've done on some systems.

--Donald Teed


On Mon, 16 Aug 2004, David Potter wrote:

>
> It took about three years - which is an indication of the low exposure it 
> carries, but for the last month or so, my daily tripwire report is noting 
> a handful of attempts to log in as root and a couple dozen attempts to 
> log in as a variety of other users... test, admin,...
>
> I'm reluctant to stand by and let someone(s) beat on my machine without 
> mounting some sort of a response...
>
> I've thought of breaking out shell and semi-automating a response:
>
> - parsing the log,
> - looking up the ip, and
> - creating a webpage with this info that would allow me to: review and 
> click-mail log info to abuse at ip
>
> Has anyone heard of attempts to 'map' hacking activity...?
>
> david potter

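The log-parsing step proposed in the quoted message, sketched as an added example that is not part of either poster's mail. It assumes the OpenSSH syslog form "Failed password for [invalid|illegal user] NAME from IP port N ssh2"; the function names and sample lines are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed sshd syslog format); addresses are
# taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug 15 03:12:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 15 03:12:04 host sshd[4103]: Failed password for illegal user test from 203.0.113.7 port 40130 ssh2
Aug 15 03:12:07 host sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 40141 ssh2
Aug 15 03:12:09 host sshd[4107]: Failed password for invalid user a from 192.0.2.10 port 22 ssh2 from 203.0.113.7 port 40150 ssh2
Aug 15 09:30:44 host sshd[4188]: Accepted password for david from 192.0.2.10 port 51515 ssh2
Aug 15 11:02:19 host sshd[4240]: Failed password for david from 192.0.2.10 port 51720 ssh2
Aug 16 02:47:55 host sshd[4410]: Failed password for root from 198.51.100.23 port 33871 ssh2
Aug 16 02:47:58 host sshd[4412]: Failed password for root from 198.51.100.23 port 33880 ssh2
"""

# The user name is text chosen by the remote side, so it may itself contain
# "from <ip> port ...". The greedy user group plus the end-of-line anchor
# makes the LAST "from" (the one sshd wrote) supply the address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?\s*$"
)

def summarize_failures(log_text):
    """Return {ip: {"count": n, "users": [names tried]}} for failed logins."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["count"] += 1
            entry["users"].add(m.group("user"))
    return {ip: {"count": s["count"], "users": sorted(s["users"])}
            for ip, s in stats.items()}

def report(stats, threshold=2):
    """Report lines for sources at or above the threshold, busiest first."""
    rows = sorted(stats.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"{ip}  {s['count']} failed  users={','.join(s['users'])}"
            for ip, s in rows if s["count"] >= threshold]

if __name__ == "__main__":
    print("\n".join(report(summarize_failures(SAMPLE_LOG))))
```

The threshold keeps a single mistyped password from a legitimate user out of the report; the per-address summary is what an abuse report to the owning network would be built from.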