223 words on Software
Holy freaks, the internet is a rough place!
Being connected to the internet without any NAT or firewall blocking the path – which generally I consider a good thing – I noticed at some stage that my PIDs had grown a lot in just a few hours. Taking a closer look revealed that sshd processes were being spawned every second or so – Mac OS X.5 seems to launch two fresh sshd processes for each incoming connection. Taking a peek at /var/log/secure.log revealed that whoever did this (IP addresses 71.177.212.128 and 61.19.248.248) seems to have a nice alphabetical list of names, expressions, administrative terms and other potential usernames which they run through, testing one or two passwords for each.
Obviously that’s a good opportunity to appreciate the ‘security by obscurity’ approach Unixoid systems take by not telling people whether the login name exists when a login fails, and I reckon that actually getting into a machine this way will only work in the most careless cases of password choice. Yet, trying seems to be worth it. An interesting question would be how many such connection attempts the MacBook can handle without degrading performance. In a way, performance already degraded at the rate of one attempt per second, as the fan seemed to become a bit louder. I hate that fan…
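As an added example (not code from the original post), here is a small script that does what the post describes by hand: it walks the sshd “Failed password” lines, counts failures per source address, collects the usernames each address has tried, and flags sources that look like a dictionary attack (many failures spread over several usernames). The sample log below is constructed in the style of OpenSSH’s auth messages; the exact wording and syslog prefix in a given /var/log/secure.log may differ, so the regular expression is the part to adjust. The `SAMPLE_LOG`, the thresholds and the helper names are all assumptions of this example.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the style of OpenSSH's auth log messages.
# Not a real capture; the two addresses are the ones named in the post.
SAMPLE_LOG = """\
Mar  3 02:11:40 macbook sshd[4101]: Invalid user aaron from 71.177.212.128
Mar  3 02:11:41 macbook sshd[4101]: Failed password for invalid user aaron from 71.177.212.128 port 52012 ssh2
Mar  3 02:11:42 macbook sshd[4104]: Invalid user abby from 71.177.212.128
Mar  3 02:11:43 macbook sshd[4104]: Failed password for invalid user abby from 71.177.212.128 port 52013 ssh2
Mar  3 02:11:44 macbook sshd[4107]: Failed password for root from 61.19.248.248 port 3870 ssh2
Mar  3 02:11:45 macbook sshd[4107]: Failed password for root from 61.19.248.248 port 3870 ssh2
Mar  3 02:11:46 macbook sshd[4110]: Invalid user admin from 61.19.248.248
Mar  3 02:11:47 macbook sshd[4110]: Failed password for invalid user admin from 61.19.248.248 port 3871 ssh2
Mar  3 02:11:50 macbook sshd[4113]: Accepted publickey for pierre from 192.0.2.10 port 40011 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user bob from ..." (unknown account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_logins(text):
    """Yield (username, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def summarize(text):
    """Per source IP: number of failed attempts and the sorted list of usernames tried."""
    attempts = Counter()
    users = defaultdict(set)
    for user, ip in failed_logins(text):
        attempts[ip] += 1
        users[ip].add(user)
    return {ip: {"attempts": n, "users": sorted(users[ip])} for ip, n in attempts.items()}


def suspects(summary, min_attempts=3, min_users=2):
    """Sources that look like a dictionary attack: repeated failures across several accounts.

    A single user mistyping a password fails a few times against one account;
    a scanner working through a wordlist fails against many accounts.
    Thresholds are assumptions of this example, tune them for your host.
    """
    return sorted(
        ip for ip, s in summary.items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )


if __name__ == "__main__":
    # Usage: python sshscan.py /var/log/secure.log   (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize(text)
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:16} {s['attempts']:4} failures  users: {', '.join(s['users'])}")
    print("dictionary-attack suspects:", suspects(summary))
```

Only failed password attempts are counted; the “Accepted publickey” line is ignored, so a legitimate key-based login never contributes to the score. The username from an “invalid user” line is deliberately treated the same as a real account name, which mirrors the point made above: the log knows whether the account exists, but the remote side is not told.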
I noticed all the attempted ssh connections on my home server a couple years ago, and seem to have gotten rid of them by changing my sshd configuration to listen on a nonstandard port. There have been occasions when vulnerabilities have turned up in sshd, so I feel better to have added this additional level of obscurity, while I can still get in readily: I have the nonstandard port number in my .ssh/config file so I almost forget about it.
That seems to be a good plan – and in fact it’s pretty similar to what I’m doing at home where I put the port that is forwarded to my machine to some non-standard number in the router.
Luckily I’m not on that ‘dangerous’ network that regularly, so it shouldn’t be a huge problem. I am just trying to imagine how heavily real servers which need to be accessed from the outside are probed in such a way, though.
I see these ssh dictionary attacks all the time (i.e. at least a few times a week.)