SSH login attempts

Hi, all you InterWorx-enjoying users :slight_smile:

Over the last few weeks I have received a lot of SSH login attempts. After a look on the net, I found this.

I know it's not about InterWorx, but I just want to advise you. If a moderator feels that this post doesn't belong here, they may delete it or move it :slight_smile:

So be careful.
One solution (I've done this one) to better secure your SSH login is to set the AllowUsers keyword in /etc/ssh/sshd_config to lock down access to only known users.

There appears to be some form of automated malware circulating around the internet in the last 2 weeks. It attempts sshd logins using simple username-password combinations. A sample scan looks like:

Jul 19 21:04:33 server sshd[28379]: Illegal user test from XXX.XXX.XXX.XXX
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from XXX.XXX.XXX.XXX
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:38 server sshd[28387]: Illegal user user from XXX.XXX.XXX.XXX

Several reports indicate that the malicious code is a scanner designed to identify systems with weak username/passwords. Once a weak system is identified, its IP address is appended to a list for manual exploitation later on. However, the possibility of an unknown exploit has not been ruled out.

All Linux users are recommended to implement a sensible username and password policy in order to avoid being compromised by this tool. An example of a sensible policy would be at least the use of non-dictionary, alpha-numeric+punctuation characters. Restricting sshd access to only those systems necessary will further reduce the possibility of compromise. Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny).

Further information about this tool and failed sshd logins can be found here:
http://lists.netsys.com/pipermail/f...uly/024612.html
http://dev.gentoo.org/~krispykringle/sshnotes.txt

Pascal
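As an added example (not part of Pascal's post or the quoted advisory), here is a small detector for the scan pattern shown in the log excerpt: it parses sshd "Illegal user" lines and flags any source address that tries several distinct usernames within a short window. The sample log, the year used for the syslog timestamps and the 192.0.2.0/24 addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Illegal user <name> from <ip>" lines shown in the post
# (newer OpenSSH releases log "Invalid user" instead; both are accepted).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: the usernames from the post plus one lone, benign
# typo from a second source. 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
Jul 19 21:04:33 server sshd[28379]: Illegal user test from 192.0.2.10
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from 192.0.2.10
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from 192.0.2.10
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from 192.0.2.10
Jul 19 21:04:38 server sshd[28387]: Illegal user user from 192.0.2.10
Jul 19 21:10:02 server sshd[28390]: Illegal user pasca from 192.0.2.77
"""

def parse(lines, year=2004):
    """Yield (timestamp, user, ip) for each illegal/invalid-user line.
    syslog timestamps carry no year, so one is assumed (constructed default)."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_scanners(lines, min_users=3, window_s=60):
    """Return {ip: sorted usernames} for sources that tried at least
    `min_users` distinct usernames within any `window_s`-second span."""
    events = defaultdict(list)
    for ts, user, ip in parse(lines):
        events[ip].append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(users)} distinct usernames in 60s: {', '.join(users)}")
```

On the sample only 192.0.2.10 is flagged; the single mistyped login from 192.0.2.77 stays below the threshold, which is the distinction a block list fed from this output needs.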