From: libove-fulldisc at felines.org (Jay Libove)
Subject: Re: Any update on SSH brute force attempts?

Hello to Colombia, Fabio!
and Cc: to the list -

Personal aside (others read on below please),
Many years ago, my father used to travel there (and many other places in
South and Central America) on business.  My travels have been fairly wide,
but have not yet taken me to your country. Some day!


It's a good idea to instrument SSHD to log cleartext passwords for failed
login attempts.  I don't have time to write the code myself, but if
someone else has it, I'll consider using it for a while. Anyone?


Here is the list of non-existent users attempted:
account
adam
admin
alan
backup
cip51
cip52
cosmin
cyrus
data
frank
george
guest
henry
horde
iceuser
irc
jane
john
master
matt
mysql
noc
oracle
pamela
patrick
rolo
server
sybase
test
user
web
webmaster
www
www-data
wwwrun

And the few present users attempted:
adm
apache
nobody
operator
root

-Jay


On Fri, 15 Oct 2004, Fabio wrote:

> Date: Fri, 15 Oct 2004 22:01:29 -0400
> From: Fabio <fabio@...arium.com>
> To: Jay Libove <libove@...ines.org>
> Subject: Re: [Full-Disclosure] Any update on SSH brute force attempts?
>
> Would you mind providing me the usernames that were tried?
>
> Have you ever modified your SSH daemon to log cleartext passwords?
>
>
>
> Jay Libove wrote:
>
> >A month or three back, I engaged in some conversation with others here on
> >full-disclosure about brute force login attempts several of us were seeing
> >on our SSH servers.  Brute force isn't really the right description, as
> >each account is only tried a few times (root gets about 50).  As we
> >surmised before, this still looks like an attack looking for certain known
> >ID/password combinations.
> >
> >Recently, a couple of times a week, I see repeats of this which now have
> >as many as fifty different accounts being attacked.  (Almost none of which
> >exist on my server, and none of which will have common passwords
> >thankyouverymuch).
> >
> >What are you doing/changing about your SSH configurations to reduce the
> >possibility of these attacks finding any kind of hole in the OpenSSH
> >software (that's what I run, so that's the only version I'm particularly
> >concerned about) ?  Are you doing anything at all?
> >
> >Thanks
> >-Jay
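
Added example, not part of the original messages: one way to pull the two username lists above (non-existent and present accounts) out of sshd logs and to flag a source that sweeps many accounts with only a few tries each, which is the pattern described in the thread. The log lines are constructed, the "Failed password for [invalid|illegal user] NAME from IP" syslog shape is assumed, and `min_users` is a hypothetical threshold.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH "Failed password" syslog shape
# (assumption: your sshd logs this format; addresses are documentation ranges).
SAMPLE_LOG = """\
Oct 15 03:12:01 host sshd[2101]: Failed password for illegal user admin from 192.0.2.10 port 40001 ssh2
Oct 15 03:12:03 host sshd[2103]: Failed password for illegal user test from 192.0.2.10 port 40002 ssh2
Oct 15 03:12:05 host sshd[2105]: Failed password for invalid user guest from 192.0.2.10 port 40003 ssh2
Oct 15 03:12:07 host sshd[2107]: Failed password for root from 192.0.2.10 port 40004 ssh2
Oct 15 03:12:09 host sshd[2109]: Failed password for root from 192.0.2.10 port 40005 ssh2
Oct 15 03:12:11 host sshd[2111]: Failed password for nobody from 192.0.2.10 port 40006 ssh2
Oct 15 09:30:44 host sshd[2300]: Failed password for jay from 198.51.100.7 port 51000 ssh2
Oct 15 09:30:50 host sshd[2300]: Accepted password for jay from 198.51.100.7 port 51000 ssh2
"""

# Older OpenSSH releases say "illegal user", newer ones "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Per source IP: failure counts per username, split by whether the account exists."""
    stats = defaultdict(lambda: {"missing": defaultdict(int), "present": defaultdict(int)})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            kind = "missing" if m.group("bad") else "present"
            stats[m.group("ip")][kind][m.group("user")] += 1
    return stats

def dictionary_sources(stats, min_users=4):
    """Sources that tried many distinct accounts: a username sweep rather than
    one user mistyping a password. min_users is a hypothetical threshold."""
    flagged = []
    for ip, s in stats.items():
        if len(s["missing"]) + len(s["present"]) >= min_users:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in dictionary_sources(stats):
        s = stats[ip]
        print(ip, "non-existent:", sorted(s["missing"]), "present:", dict(s["present"]))
```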

