
Hi, within two days I received abuse complaints from my ISP that someone used my exit node to brute force ssh accounts of two different ISPs. Unfortunately I am forced to block port 22 to avoid shutdown. Anyone else who suffered from such attacks these days? Regards, Klaus

Just received another one. Is someone doing a widespread brute force? Hope my ISP keeps cool. Regards, Klaus

We haven't seen anything out of the ordinary. Here's the normal response we give for ssh brute force complaints: https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates#SSHBrute...

This 'attack' has been going on for YEARS. Nobody's really getting shells (well some are), just dictionaried. The problem is that OpenSSH logs this by default and people freak out when they see it in their logs. It's just background noise. Real admins tune it out and use ssh keys instead.

On Sunday 01 January 2012 23:36:13 grarpamp wrote:
I wrote a shell script that watches the logs and shuts off all access from an address that starts guessing passwords. My Linux box (which is what you get entering on port 22) doesn't have a root password (I use sudo), so anyone who tries to guess root passwords gets nothing but the door slammed shut in his face. Others try guessing "sales", "pgsql", "tony", "newsletter", "visitor", etc.; I don't think I've ever seen any guess my real username. cmeclax
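
A log watcher of the kind described in the message above could look like this; it is an added example, not cmeclax's script. The sample log lines, the threshold and the function names are constructed here, and the source address is read from the end of each line because the username field is supplied by the remote client.

```shell
#!/bin/sh
# Added example: find addresses with repeated failed sshd password logins.

# Constructed sample lines in OpenSSH's log format (documentation addresses).
sample_log() {
cat <<'EOF'
Jan  1 23:30:01 host sshd[1201]: Failed password for invalid user sales from 192.0.2.10 port 40022 ssh2
Jan  1 23:30:03 host sshd[1203]: Failed password for invalid user pgsql from 192.0.2.10 port 40031 ssh2
Jan  1 23:30:05 host sshd[1207]: Failed password for root from 192.0.2.10 port 40040 ssh2
Jan  1 23:30:09 host sshd[1210]: Failed password for invalid user tony from 198.51.100.7 port 51000 ssh2
Jan  1 23:31:00 host sshd[1214]: Accepted publickey for admin from 203.0.113.5 port 52000 ssh2
Jan  1 23:31:10 host sshd[1220]: Failed password for invalid user a from 203.0.113.5 from 192.0.2.10 port 40050 ssh2
EOF
}

# offenders THRESHOLD: read auth log lines on stdin, print every source
# address with at least THRESHOLD failed password attempts, sorted.
# Fields are counted from the end of the line ("from ADDR port N ssh2"),
# so text inside the username cannot shift the address field.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for / && NF >= 5 &&
        $(NF-4) == "from" && $(NF-2) == "port" { fails[$(NF-3)]++ }
        END { for (ip in fails) if (fails[ip] >= t) print ip }
    ' | sort
}

# block_rules THRESHOLD: dry run, prints the firewall command for each
# offender instead of executing it, so the result can be reviewed first.
block_rules() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Three or more failures from one address triggers a rule.
sample_log | block_rules 3
```

On a live system the input would come from the sshd log file rather than `sample_log`; its location varies by distribution.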

On Sat, Dec 31, 2011 at 07:59:31AM +0100, Klaus Layer wrote:
We've seen some claims of port 22 attacks, as well. I think the rate has been fairly consistent over the last several months, though. We send our standard explanation and offer of assistance (DNSBL, suggestions of how to rate-limit, reminders that it's the server's responsibility to secure their own systems). -andy

participants (7): Andy Isaacson, cmeclax-sazri, Damian Johnson, grarpamp, Klaus Layer, Olaf Selke, Paul Staroch