Linux Today: Linux News On Internet Time.

More on LinuxToday

Security: A Low Intensity, Distributed Bruteforce Attempt

Dec 02, 2008, 23:31 (2 Talkback[s])
(Other stories by Peter N. M. Hansteen)

WEBINAR: On-demand Event

Replace Oracle with the NoSQL Engagement Database: Why and how leading companies are making the switch REGISTER >

[ Thanks to Peter N. M. Hansteen for this link. ]

"Phase 1: “That's odd..." During the last few weeks, I noticed an anomaly in the authentication logs on one of my listening posts. There were a larger than usual number of ssh login attempts overall, a higher than usual number of attempts for non-existent user names as well as some failures for a few that actually exist as well...

"Phase 2: Not your run of the mill screwup, the data say Repeated login attempts for non-existing users are nothing new (in fact the bruteforce avoidance section is one of the more popular parts of the PF tutorial), but I was a bit surprised to see the attempts actually reaching this machine, which is on a local network behind a PF gateway with a configuration that is in fact closely related to the one in the tutorial (and the book for that matter). Then looking at the log entries, I noticed a few more things: The attempts are never less than a minute apart, and the attempts from a single host are separated by much long intervals. The full data set I extracted from the point I started noticing those anomalies sum up to these figures can be found here, in case you want to look at it and draw you own conclusions."

Complete Story

Related Stories: