Journal damn_registrars's Journal: A distributed hack attempt 2
The last several days have been trying for my webserver at home. Not because of traffic, which is always minimal. Rather, it appears that a bot-net has been employed to try to compromise my webserver root password.
On July 9th alone, there were attempts to log into my system via ssh as root from over 240 different IP addresses. Most addresses appeared to make only one or two attempts and then give up, never to be seen again. Of course none of them succeeded.
I find this interesting, because it is the opposite of what I usually see. I often see individual computers make several hundred attempts to get in as root. Even more often I'll see individual computers go through a very long list of common names to try to get in as a non-root user. But these systems were only trying root.
I'm not even sure how to address this issue. I have approximately no fear of them getting in as root - that is disabled on this system anyways. Even if they cracked the password, they still wouldn't be allowed in as root. I supposed I could just ignore it, since this uses a trivial amount of bandwidth, with an attempt only around every 20 minutes. I have the logs of which system tried when and how.
When the "usual" attack happens - one system, many attempts - I contact the ISP immediately with the logs. But if I wanted to contact the ISP for this, I could be trying for dozens (or even hundreds) of ISPs, likely in many foreign countries.
On July 9th alone, there were attempts to log into my system via ssh as root from over 240 different IP addresses. Most addresses appeared to make only one or two attempts and then give up, never to be seen again. Of course none of them succeeded.
I find this interesting, because it is the opposite of what I usually see. I often see individual computers make several hundred attempts to get in as root. Even more often I'll see individual computers go through a very long list of common names to try to get in as a non-root user. But these systems were only trying root.
I'm not even sure how to address this issue. I have approximately no fear of them getting in as root - that is disabled on this system anyways. Even if they cracked the password, they still wouldn't be allowed in as root. I supposed I could just ignore it, since this uses a trivial amount of bandwidth, with an attempt only around every 20 minutes. I have the logs of which system tried when and how.
When the "usual" attack happens - one system, many attempts - I contact the ISP immediately with the logs. But if I wanted to contact the ISP for this, I could be trying for dozens (or even hundreds) of ISPs, likely in many foreign countries.
Doubt it's a botnet (Score:2)
Unless your webserver is extremely high-profile, it's doubtful this is a co-ordinated effort. There's been shift in the recent SSH attacks that started last year, where they're exclusively trying root, rather than other accounts. (Check the passwords that are tried - you'll likely see the same ones from different accounts.)
Most addresses appeared to make only one or two attempts and then give up, never to be seen again
This pretty much proves it's not a botnet or co-ordinated effort - if someone had the resources to hit your server (which means they believed it to be possible), they'd just keep poundi
Re: (Score:2)
Unless your webserver is extremely high-profile, it's doubtful this is a co-ordinated effort.
I can tell you that this recent SSH traffic exceeded my usual level of web traffic by a large margin. Which is why it surprised me, too.
There's been shift in the recent SSH attacks that started last year, where they're exclusively trying root, rather than other accounts.
When I dug further into my logs, I found both types of attempts, though from different IP addresses. The addresses that attempted root attempted only root, and the ones that ran through a grocery list of login names attempted pretty much everything you can think of except root (including some amusingly vulgar names).
This pretty much proves it's not a botnet or co-ordinated effort - if someone had the resources to hit your server (which means they believed it to be possible), they'd just keep pounding on it with all the machines they had.
I guess I take the opposite view of this. Sure, a bo