Tuesday, August 23rd, 2005
How to see if someone is trying to guess your ssh passwords
Tipped off by this Mac OS X hint I went looking to see if anyone might be trying to break into my computer via scripted ssh login/password guessing attacks. After reading some of the comments on macosxhints and doing some digging, I figured out a nice way to check for attacks by using grep to search the system.log files.
zgrep 'Illegal' /private/var/log/system*
zgrep (a variant of grep) searches the archived log files in
addition to the current ones. On my system, this produced a long list
of break-in attempts that look like they are coming from an automated
script running through user names.
I’m not sure if disabling the ssh password, as the hint suggests, is the best idea to counter this attack (and, I admit, I’m too lazy to set up the crypto keys thing for now).
For my own home computer, I thought it would be better to only allow
login for myself and keep my password very strong. To accomplish that, I
edited the corresponding settings in /etc/sshd_config to the
following:
# Enable only SSH2 protocol (not the less secure SSH1)
Protocol 2
# Don't allow any remote root login
PermitRootLogin no
# Make sure only a particular user (dorkuser) can SSH
AllowUsers dorkuser
That’s it! Much more secure. dorkuser is, of course, not my real
username.
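As an added example that is not part of the original post: a few shell functions that summarise the "Illegal user" lines the zgrep above turns up (attempts per source address, how many different names one host tried) and check a sshd_config text for the three settings just listed. The hostname, pids and addresses in the sample log are constructed.

```shell
# Added example, not from the original post. Summarises sshd "Illegal user"
# lines and checks a sshd_config text for the post's three settings. The log
# below is constructed sample data in the Mac OS X 10.4 system.log format.
SAMPLE_LOG='Aug 23 08:38:01 mybox sshd[1201]: Illegal user wwwrun from 192.0.2.10
Aug 23 08:40:02 mybox sshd[1203]: Illegal user wwwrun from 192.0.2.10
Aug 23 08:42:03 mybox sshd[1205]: Illegal user wyoming from 192.0.2.10
Aug 23 08:44:04 mybox sshd[1207]: Illegal user 1234 from 198.51.100.7
Aug 23 08:50:05 mybox sshd[1209]: Failed password for dorkuser from 203.0.113.5 port 4022 ssh2
Aug 23 09:00:06 mybox sshd[1211]: Accepted password for dorkuser from 203.0.113.5 port 4023 ssh2'

# Lines where sshd rejected a username that does not exist on this machine.
illegal_user_count() {
    printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Illegal user ' || true
}

# "count address" per source, busiest first (the address is the last field).
attempts_by_source() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Illegal user / {print $NF}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Sources with at least $2 illegal-user attempts.
flag_sources() {
    attempts_by_source "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Distinct usernames tried from address $2: a script walking a name list
# produces many names from one host, which is the tell in the post's log.
distinct_users_from() {
    printf '%s\n' "$1" \
        | awk -v ip="$2" '/Illegal user/ && $NF == ip {print $(NF-2)}' \
        | sort -u | wc -l | tr -d ' '
}

# Check sshd_config text $1 for Protocol 2, PermitRootLogin no and an
# AllowUsers line naming $2; prints what is missing, returns 1 if anything is.
check_sshd_config() {
    rc=0
    for re in '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' \
              '^[[:space:]]*PermitRootLogin[[:space:]]+no[[:space:]]*$' \
              "^[[:space:]]*AllowUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$2([[:space:]]|\$)"; do
        printf '%s\n' "$1" | grep -qE "$re" || { echo "not set: $re"; rc=1; }
    done
    return $rc
}

HARDENED_CONFIG='Protocol 2
PermitRootLogin no
AllowUsers dorkuser'
DEFAULT_CONFIG='#PermitRootLogin yes
Protocol 2,1'
```

On a real box, feed the functions the zgrep output instead of the sample, e.g. attempts_by_source "$(zgrep -h 'Illegal user' /private/var/log/system*)", and check_sshd_config "$(cat /etc/sshd_config)" yourname.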
For fun, here’s a look at a processed (minus IPs and my user name) snippet from the log:
08:38 sshd: Illegal user wwwrun
08:40 sshd: Illegal user wwwrun
08:42 sshd: Illegal user wwwrun
08:44 sshd: Illegal user wwwrun
08:46 sshd: Illegal user wyoming
08:48 sshd: Illegal user wyoming
08:50 sshd: Illegal user wyoming
08:52 sshd: Illegal user 0002593w
08:54 sshd: Illegal user 001
08:56 sshd: Illegal user 1
08:58 sshd: Illegal user 123
09:00 sshd: Illegal user 1234
09:02 sshd: Illegal user 127
09:04 sshd: Illegal user 16
09:06 sshd: Illegal user 1a4
09:08 sshd: Illegal user 1dd
09:10 sshd: Illegal user 22b
09:12 sshd: Illegal user 2a
09:14 sshd: Illegal user 3e
09:16 sshd: Illegal user 4ct
09:18 sshd: Illegal user 511
09:20 sshd: Illegal user 561
09:22 sshd: Illegal user 587
09:24 sshd: Illegal user 72
09:26 sshd: Illegal user 75
09:28 sshd: Illegal user 9ia
09:30 sshd: Illegal user a
09:32 sshd: Illegal user a
09:34 sshd: Illegal user a_kirchner
09:36 sshd: Illegal user a1775b
09:38 sshd: Illegal user a4
09:40 sshd: Illegal user aaaa
09:42 sshd: Illegal user aabraham
09:44 sshd: Illegal user aadriano
09:46 sshd: Illegal user aaghie
09:48 sshd: Illegal user aagt
09:50 sshd: Illegal user aahie
09:52 sshd: Illegal user Aaliyah
09:55 sshd: Illegal user aaltje
09:57 sshd: Illegal user aandjstructural
09:59 sshd: Illegal user aando
10:01 sshd: Illegal user Aaron
10:03 sshd: Illegal user aaron
10:05 sshd: Illegal user aaron2
10:07 sshd: Illegal user aart
10:09 sshd: Illegal user aatef
10:14 sshd: Illegal user aba
10:16 sshd: Illegal user aba
10:18 sshd: Illegal user Aba
10:20 sshd: Illegal user abaintelkam
10:22 sshd: Illegal user abawah
10:24 sshd: Illegal user abby
10:26 sshd: Illegal user abc
10:28 sshd: Illegal user abculp
10:30 sshd: Illegal user abe
