Hi,
Within two days I received abuse complaints from my ISP that someone used my exit node to brute force ssh accounts of two different ISPs. Unfortunately I am forced to block port 22 to avoid shutdown. Anyone else who suffered from such attacks these days?
Regards,
Klaus
Just received another one. Is someone doing a widespread brute force?
Hope my ISP keeps cool.
Regards,
Klaus
On 31.12.2011 07:59, Klaus Layer wrote:
> Within two days I received abuse complaints from my ISP that someone used my exit node to brute force ssh accounts of two different ISPs. Unfortunately I am forced to block port 22 to avoid shutdown. Anyone else who suffered from such attacks these days?
Yes, the same here. Lots of hacking complaints in July and August 2011.
regards Olaf
> Within two days I received abuse complaints from my ISP that someone used my exit node to brute force ssh accounts of two different ISPs. Unfortunately I am forced to block port 22 to avoid shutdown. Anyone else who suffered from such attacks these days?
We haven't seen anything out of the ordinary. Here's the normal response we give for ssh brute force complaints: https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates#SSHBrute...
> We haven't seen anything out of the ordinary. Here's the normal response we give for ssh brute force complaints: https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates#SSHBrute...
I take this back, just got one from a "Goran Matovinovic" this morning. I'm a little tempted to tell him to get a life, though we tend to ignore automated spam complaints like this.
This 'attack' has been going on for YEARS. Nobody's really getting shells (well some are), just dictionaried. The problem is that OpenSSH logs this by default and people freak out when they see it in their logs. It's just background noise. Real admins tune it out and use ssh keys instead.
On Sunday 01 January 2012 23:36:13 grarpamp wrote:
> This 'attack' has been going on for YEARS. Nobody's really getting shells (well some are), just dictionaried. The problem is that OpenSSH logs this by default and people freak out when they see it in their logs. It's just background noise. Real admins tune it out and use ssh keys instead.
I wrote a shell script that watches the logs and shuts off all access from an address that starts guessing passwords. My Linux box (which is what you get entering on port 22) doesn't have a root password (I use sudo), so anyone who tries to guess root passwords gets nothing but the door slammed shut in his face. Others try guessing "sales", "pgsql", "tony", "newsletter", "visitor", etc.; I don't think I've ever seen any guess my real username.
cmeclax
On 2012-01-02 12:23, cmeclax-sazri wrote:
> On Sunday 01 January 2012 23:36:13 grarpamp wrote:
>> This 'attack' has been going on for YEARS. Nobody's really getting shells (well some are), just dictionaried. The problem is that OpenSSH logs this by default and people freak out when they see it in their logs. It's just background noise. Real admins tune it out and use ssh keys instead.
> I wrote a shell script that watches the logs and shuts off all access from an address that starts guessing passwords.
That is exactly what tools like "fail2ban" are for.
Paul
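The log-watching approach described in the two messages above (a script that bans addresses guessing passwords, which is what fail2ban automates), as an added example that is not code from anyone in this thread. It assumes OpenSSH's usual "Failed password for ... from ADDR port N ssh2" log line; the function names and sample lines are constructed for illustration, and the firewall commands are printed rather than executed.

```shell
#!/usr/bin/env bash
# Added example: find addresses that keep guessing SSH passwords.

# Constructed sample sshd log lines (RFC 5737 documentation addresses).
sample_log() {
cat <<'EOF'
Jan  2 12:00:01 host sshd[1001]: Failed password for invalid user sales from 192.0.2.10 port 40001 ssh2
Jan  2 12:00:03 host sshd[1002]: Failed password for invalid user pgsql from 192.0.2.10 port 40002 ssh2
Jan  2 12:00:05 host sshd[1003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jan  2 12:00:07 host sshd[1004]: Failed password for invalid user tony from 198.51.100.7 port 50111 ssh2
Jan  2 12:00:09 host sshd[1005]: Accepted publickey for alice from 203.0.113.5 port 52000 ssh2
Jan  2 12:00:11 host sshd[1006]: Failed password for invalid user x from 203.0.113.9 from 192.0.2.10 port 40004 ssh2
EOF
}

# Read sshd log lines on stdin; print "ADDRESS COUNT" for every source
# address with at least $1 failed password attempts (default 3).
# The user name is attacker-supplied text and may itself contain
# " from <address>" (last sample line), so the address is taken by its
# fixed position from the END of the line, never by the first "from".
guessers() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { fails[$(NF-3)]++ }
        END { for (a in fails) if (fails[a] >= t) print a, fails[a] }
    ' | sort
}

# Turn the result into firewall rules. They are only printed so the
# output can be reviewed before anything is applied.
ban_commands() {
    guessers "$1" | while read -r addr count; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failed guesses\n' \
            "$addr" "$count"
    done
}

sample_log | ban_commands 3
```
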
On Sat, Dec 31, 2011 at 07:59:31AM +0100, Klaus Layer wrote:
> Within two days I received abuse complaints from my ISP that someone used my exit node to brute force ssh accounts of two different ISPs. Unfortunately I am forced to block port 22 to avoid shutdown. Anyone else who suffered from such attacks these days?
We've seen some claims of port 22 attacks, as well. I think the rate has been fairly consistent over the last several months, though.
We send our standard explanation and offer of assistance (DNSBL, suggestions of how to rate-limit, reminders that it's the server's responsibility to secure their own systems).
-andy
tor-relays@lists.torproject.org