On Sunday 30 October 2005 00:15, Allen wrote:
On Sat, Oct 29, 2005 at 03:29:52AM +0200, Carlos E. R. wrote:
The Friday 2005-10-28 at 19:53 -0400, Allen wrote:
SSHd is blocked by default on SUSE.... Why are you running it?
The daemon is enabled by default, I think. It might be closed in the firewall, though. <snip> Not weird at all. I get attempts as soon as I connect through my V90 modem (dial up dynamic address). There are people out there running port scans continuously, using scripts. Most try ports 445, 135, 139... or weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:
<snip>
They try the guest account because some installs have it, and several other "typical" names. There was a problem in sshd by which the attacker could determine if the name was valid by measuring the response time of the server, which was different if the user existed or not. Once they find a user name, they launch a dictionary attack on it.
That hole was plugged.
1- During installation there is a check box to allow ssh in through the firewall. (SUSE 10)
2- By default SUSE starts sshd.
3- There is a known "Brute force" attack against ssh being done in "slow motion" over the last 2 years or more. This is why lots of people change the port sshd is running on.
For more info on the attacks see:
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
http://seclists.org/lists/incidents/2004/Jul/0097.html
I once had a link to an article done by a security company that caught the intrusion via a "honeypot". But after searching for an hour, I give up...
Jerry
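An added example, not from anyone in the thread: a small Python script that counts sshd "Failed password" and "Invalid user" lines per source address over constructed sample log lines, so dictionary attacks against guest/admin/root-style names like those described above stand out even when they arrive in "slow motion". The log line format is the usual syslog-style sshd output; the hostnames, IPs and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (placeholders, not real hosts or addresses).
SAMPLE_AUTH_LOG = """\
Oct 29 03:10:01 host sshd[2011]: Invalid user guest from 192.0.2.10
Oct 29 03:10:03 host sshd[2011]: Failed password for invalid user guest from 192.0.2.10 port 40122 ssh2
Oct 29 03:10:09 host sshd[2013]: Invalid user admin from 192.0.2.10
Oct 29 03:10:11 host sshd[2013]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Oct 29 03:10:20 host sshd[2015]: Failed password for root from 192.0.2.10 port 40140 ssh2
Oct 29 03:11:02 host sshd[2017]: Failed password for root from 192.0.2.10 port 40151 ssh2
Oct 29 03:12:44 host sshd[2020]: Accepted publickey for carlos from 198.51.100.7 port 51002 ssh2
Oct 29 03:15:00 host sshd[2022]: Failed password for carlos from 198.51.100.7 port 51010 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user guest from ...".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Logged when the guessed account does not exist at all.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def summarize_failures(log_text):
    """Return {source_ip: {"failures": count, "users": set of names tried}}.

    Counts are taken over the whole text, not per minute, because a slow
    brute-force run deliberately stays under short-window rate limits."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            continue
        m = INVALID_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["users"].add(user)
    return dict(stats)


def flag_brute_force(stats, min_failures=3, min_users=2):
    """Sources with many failures, or guesses spread over several usernames (assumed thresholds)."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= min_failures or len(s["users"]) >= min_users)


if __name__ == "__main__":
    print(flag_brute_force(summarize_failures(SAMPLE_AUTH_LOG)))
```

A single failed login from a known user (the last sample line) is left alone; only the source cycling through guest, admin and root is reported.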