Latest ATT honeypot data reveals the top password as:

    Latest ATT honeypot data reveals the top password as:

    password
    which replaced the previous top password: 123456

    The other top passwords are:
    [Image: top_passwords.png]
    What does having a firewall or running an AV product mean if it is all thrown out the window with such weak passwords?

    Oops! I forgot the link to the video, which has other interesting information, like password complexity, and the latest info about Cutwail, the major source of malware.
    Last edited by GreyGeek; Feb 22, 2014, 10:16 AM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    Damn, better change all my PWs

    I know so many people who use the same password for everything. Looking through the logs on my server was a real eye opener:

    Code:
    admin@samhobbs /var/log $ grep sshd auth.log.1 > ssh_logins.txt
    ssh_logins.txt

    !!

    I should probably use fail2ban to save resources, but I find it interesting and I only use publickey authentication.
    samhobbs.co.uk



      #3
      Wow! For nearly a week someone in Russia, from a single IP address, was pounding on your server every few seconds, and on the last couple of days was joined by another person from a single IP address in China. More than likely it was government agents in those countries.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.



        #4
        That's not uncommon, either!

        Seriously though, if you were going to write a script to try to guess SSH logins, wouldn't you try a few and if they all gave you "Permission Denied: Publickey" responses just move on? I know you only get that response if you try to log on as a valid user, but still... It must cost money to beat your fists bloody on the gates. My hypothetical script would give up sooner.
        samhobbs.co.uk



          #5
          I'm not familiar with these types of attacks but reading the logins I recognise a pattern in the names, like it starts with a whole bunch of Italians and then moves to what I assume are Americans.
          Seems to me the attacker has lists of login credentials from different sources and is just trying these keys on your lock regardless of the chance Italians are typical visitors to this site.
          Brute force all right!

          About that top password in the ATT honey pot, what's the attraction of 14060?
          Last edited by Teunis; Feb 23, 2014, 03:06 AM.



            #6
            The thing is, that's not even the whole log! Pretty sure the log file was rotated during the attack, I'll check later.
            samhobbs.co.uk



              #7
              Originally posted by Teunis:
              ...About that top password in the ATT honey pot, what's the attraction of 14060?

              14,060 is the number of users with the password "password".

              I agree with Teunis, the attack seemed to be based on a list of users and passwords, tried one after another, hence the reason why those two attackers spent 5 days attacking. 30 per minute, 1,800 per hour, 43,200 per day, over 200,000 for the 5 day period. 200K is about the lot size stolen passwords are sold in.
              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
              – John F. Kennedy, February 26, 1962.



                #8
                Ahhhhhh, 14060 doofuses using password as their password
                Hmmm....

                200,000 per lot, you know some funny business



                  #9
                  Code:
                  admin@samhobbs /var/log $ zcat auth.log.4.gz | grep sshd >> ~/ssh_logins_new.txt
                  admin@samhobbs /var/log $ zcat auth.log.3.gz | grep sshd >> ~/ssh_logins_new.txt
                  admin@samhobbs /var/log $ zcat auth.log.2.gz | grep sshd >> ~/ssh_logins_new.txt
                  admin@samhobbs /var/log $ grep sshd auth.log.1 >> ~/ssh_logins_new.txt
                  admin@samhobbs /var/log $ grep sshd auth.log >> ~/ssh_logins_new.txt
                  Some more info (older), in case you're interested:

                  Code:
                  feathers-mcgraw@Hobbs-T440s:~$ truncate -s 999KB ssh_logins_new.txt
                  ^ a neat little trick I just learned, the forum has a 1000KB filesize limit for text files

                  Feathers
                  samhobbs.co.uk



                    #10
                    Reminds me of Spaceballs! Remember the Air Dome password which coincidentally was President Skroob's password on his luggage!?


                    http://www.youtube.com/watch?v=WzEz-SHJbB0



                      #11
                      That's the first time I've seen that, made me LOL!
                      samhobbs.co.uk



                        #12
                        Oh, you have to watch the whole thing! Classic in my opinion!




                          #13
                          Originally posted by Feathers McGraw:
                          Code:
                          admin@samhobbs /var/log $ zcat auth.log.4.gz | grep sshd >> ~/ssh_logins_new.txt
                          admin@samhobbs /var/log $ zcat auth.log.3.gz | grep sshd >> ~/ssh_logins_new.txt
                          admin@samhobbs /var/log $ zcat auth.log.2.gz | grep sshd >> ~/ssh_logins_new.txt
                          admin@samhobbs /var/log $ grep sshd auth.log.1 >> ~/ssh_logins_new.txt
                          admin@samhobbs /var/log $ grep sshd auth.log >> ~/ssh_logins_new.txt
                          Some more info (older), in case you're interested:

                          Code:
                          feathers-mcgraw@Hobbs-T440s:~$ truncate -s 999KB ssh_logins_new.txt
                          ^ a neat little trick I just learned, the forum has a 1000KB filesize limit for text files

                          Feathers
                          Thanks for the info about the text file size limit!

                          I noticed a pattern in the text file:
                          Code:
                          Feb  4 14:01:20 samhobbs sshd[25192]: input_userauth_request: invalid user billy [preauth]
                          Feb  4 14:01:21 samhobbs sshd[25192]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
                          Feb  4 14:05:30 samhobbs sshd[25207]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
                          Feb  4 14:09:35 samhobbs sshd[25218]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
                          Feb  4 14:13:43 samhobbs sshd[25238]: Invalid user bind from 213.80.171.86
                          Feb  4 14:13:43 samhobbs sshd[25238]: input_userauth_request: invalid user bind [preauth]
                          Feb  4 14:13:43 samhobbs sshd[25238]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
                          Feb  4 14:17:51 samhobbs sshd[25249]: Invalid user bird from 213.80.171.86
                          Notice that if the name wasn't in your list of users the connection was marked invalid. Some connections are sequential "Received disconnect from ...". Did they hit upon a valid name but failed to use a valid password?
                          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                          – John F. Kennedy, February 26, 1962.



                            #14
                            My server accepts publickey only for all users, so even if they guessed the right name they would be disconnected. Some of the disconnects are grouped together in a block in the logs, they're not always in a "connect, disconnect, connect, disconnect" order. The "admin" username login attempt would be interesting but it's too far back in the logs and has been discarded, I suspect they got a "Permission denied: publickey" response and moved on.

                            Feathers
                            samhobbs.co.uk

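The question in #13 (does a "Received disconnect" with no preceding "Invalid user" line mean a real account name was tried?) and the answer in #14 can be checked mechanically rather than by eye, and the same pass gives the per-source attempt spacing that the 30-per-minute estimate in #7 depends on. The following is an added example, not code from this thread or from samhobbs.co.uk. It groups lines in the auth.log format quoted above by sshd PID (one PID per client connection), separates sessions that named an unknown account from those that did not, and measures the gap between successive connections from each source address. The log lines are constructed to match the quoted format (the second source address is a documentation-range IP, not a real attacker), the year is assumed to be 2014 because syslog timestamps carry none, and the message formats are those of the OpenSSH version in the quoted lines; the regexes tolerate the later "port N" suffix but not IPv6 sources.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed year for the year-less syslog timestamps (the thread is from Feb 2014).
LOG_YEAR = 2014

# Constructed sample in the OpenSSH auth.log format quoted in the thread. The
# 198.51.100.7 address is from the documentation range and stands in for a
# second scanner; the CRON line is there to show non-sshd lines being skipped.
SAMPLE_LOG = """\
Feb  4 14:01:20 samhobbs sshd[25192]: Invalid user billy from 213.80.171.86
Feb  4 14:01:20 samhobbs sshd[25192]: input_userauth_request: invalid user billy [preauth]
Feb  4 14:01:21 samhobbs sshd[25192]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
Feb  4 14:02:00 samhobbs CRON[25200]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  4 14:05:30 samhobbs sshd[25207]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
Feb  4 14:09:35 samhobbs sshd[25218]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
Feb  4 14:13:43 samhobbs sshd[25238]: Invalid user bind from 213.80.171.86
Feb  4 14:13:43 samhobbs sshd[25238]: input_userauth_request: invalid user bind [preauth]
Feb  4 14:13:43 samhobbs sshd[25238]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
Feb  4 14:17:51 samhobbs sshd[25249]: Invalid user bird from 213.80.171.86
Feb  4 14:17:51 samhobbs sshd[25249]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
Feb  4 14:17:52 samhobbs sshd[25250]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
"""

# syslog prefix: "Mon  D HH:MM:SS host sshd[PID]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "Invalid user X from IP" is logged only for names that do not exist on the host;
# the "input_userauth_request: invalid user X" line repeats the name without the IP.
INVALID_RE = re.compile(r"[Ii]nvalid user (?P<user>\S+)(?: from (?P<ip>\S+))?")
# Old format "from IP: 11: ..."; newer OpenSSH writes "from IP port N:11: ...".
DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<ip>\S+?)(?: port \d+)?:")


def parse_sessions(log_text):
    """Group sshd lines by PID. One PID is one client connection; PIDs can be
    recycled over a long log, so run this per log file rather than per year."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line, or a format this parser does not know
        pid, msg = m["pid"], m["msg"]
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(
            pid, {"start": ts, "ip": None, "invalid_user": None, "disconnected": False}
        )
        inv = INVALID_RE.search(msg)
        if inv:
            s["invalid_user"] = inv["user"]
            s["ip"] = s["ip"] or inv["ip"]
        dis = DISCONNECT_RE.match(msg)
        if dis:
            s["disconnected"] = True
            s["ip"] = s["ip"] or dis["ip"]
    return sessions


def summarise_by_ip(sessions):
    """Per source address: connection count, unknown names tried, sessions with
    no 'Invalid user' line, and the mean gap in seconds between connections."""
    by_ip = defaultdict(
        lambda: {"sessions": 0, "invalid_users": [], "other_sessions": 0, "mean_interval_s": None}
    )
    starts = defaultdict(list)
    for s in sessions.values():
        if s["ip"] is None:
            continue  # a session whose lines never carried a source address
        entry = by_ip[s["ip"]]
        entry["sessions"] += 1
        starts[s["ip"]].append(s["start"])
        if s["invalid_user"] is not None:
            entry["invalid_users"].append(s["invalid_user"])
        else:
            # No "Invalid user" line: either the name exists on the host (sshd
            # stays quiet about that at this log level) or the client dropped
            # before sending a name. With publickey-only auth both end in a
            # preauth disconnect, so this count is an upper bound on real names.
            entry["other_sessions"] += 1
    for ip, times in starts.items():
        times.sort()
        if len(times) > 1:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            by_ip[ip]["mean_interval_s"] = sum(gaps) / len(gaps)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, info in summarise_by_ip(parse_sessions(SAMPLE_LOG)).items():
        print(ip, info)
```

Run it against the concatenated ssh_logins_new.txt from #9 instead of SAMPLE_LOG and the "other_sessions" column is the list of source addresses that are worth a closer look, since a scanner that only ever produces "Invalid user" lines is working from a wordlist, while one that mostly produces bare disconnects has names that exist on the box.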


                              #15
                              Interesting thread!

                              At the college we have to change our passwords every six months or so, and there are those who say that such a policy makes little or no difference, don't know, it has to be done so I do it.

                              I really DID try to come up with really oddball number/letter combos etc. but after a while the MS system.......said that the passwords were no good! :0

                              I got really irritated, because I've fiddled with passwords and the theory of them for quite a while. Annnnn, I do gotta say that there is a theory that what happened next is a good method.

                              Here is one talking head that says use "words" and also there is discussion of alternate strategies, from 2011 but probably still of some use.

                              http://readwrite.com/2011/01/21/why-...owQoCgIekQtkl2

                              Here is a talking head that says use numbers.....or a really loooonnnggg word! lol

                              http://netsecurity.about.com/od/news.../realwords.htm

                              As a joke after about, don't remember, ten attempts...........I typed in the name of an enzyme and the number 01, such as Amylase01.

                              And microsludge declared that on a scale of one to ten that the password was a fifty! .........there were trumpets blaring, the windblows flag was flying across the page.

                              Since then I just pick a random street name and put 01 on it.

                              and since this is an academic setting...........hhhhaaarrruuumph....academics do it right! I will just follow my muse!

                              woodMr.Mxyzptlksmoke
