223 words on Software
Holy freaks, the internet is a rough place!
Being connected to the internet without any NAT or firewall blocking the path – which generally I consider a good thing – I noticed at some stage that my PIDs had grown a lot in a just a few hours. Taking a closer look revealed that sshd processes were being spawned every second or so – Mac OS X.5 seems to launch two fresh sshd processes for each incoming connection. Taking a peek at /var/log/secure.log revealed that whoever did this (IP addresses 220.127.116.11 and 18.104.22.168 ) seems to have a nice alphabetical list of names, expressions, administrative terms and other potential usernames which they run through, testing one or two passwords for each.Obviously that’s a good opportunity to appreciate the ‘security by obscurity’ approach Unixoid systems take by not telling people whether the login name exists when a login fails and I reckon that actually getting into a machine this way will only work in the most careless cases of password choice. Yet, trying seems to be worth it.
An interesting question would be how many of such connection attempts the MacBook can handle without degrading performance. In a way, performance already degraded at the rate of one attempt per second as the fan seemed to become a bit louder. I hate that fan…
I noticed all the attempted ssh connections on my home server a couple years ago, and seem to have gotten rid of them by changing my sshd configuration to listen on a nonstandard port. There have been occasions when vulnerabilities have turned up in sshd, so I feel better to have added this additional level of obscurity, while I can still get in readily: I have the nonstandard port number in my .ssh/config file so I almost forget about it.
That seems to be a good plan – and in fact it’s pretty similar to what I’m doing at home where I put the port that is forwarded to my machine to some non-standard number in the router.
Luckily I’m not on that ‘dangerous’ network that regularly, so it shouldn’t be a huge problem. Just trying to imagine how much real servers which need to be accessed from the outside are probed in such a way, though.
I see these ssh dictionary attacks all the time (i.e. at least a few times a week.)
Received data seems to be invalid. The wanted file does probably not exist or the guys at last.fm changed something.