The ISC has been talking about an increase in SSH brute force scanning attempts around the world. Here are some of their posts:
- http://isc.sans.org/diary.php?date=2004-08-22
- http://isc.sans.org/diary.php?date=2004-08-29
- http://isc.sans.org/diary.php?date=2004-08-30
- http://isc.sans.org/diary.php?date=2004-09-11
- http://isc.sans.org/diary.php?date=2004-11-02
- http://isc.sans.org/diary.php?date=2004-11-04
This prompted our sysadmins to send the following e-mail to the organisation, detailing how to lock down your ssh daemon. The snip I am interested in is:
"Over the last month or so, Rhodes has seen a significant increase in the number of attempts to break into systems running SSH daemons. These attempts take the form of a dictionary-style attack against the root user account and are often logged as failed attempts in the system logs. At peak times we're seeing roughly six hundred attempts a day on various systems at Rhodes. So far at least one student machine has been compromised through a weak root password."
I am not a sysadmin, nor am I part of running our University's systems, which gives me the luxury of comment. Was this the best way of handling this incident? If the ISC has been warning about SSH attacks since August and the sysadmins had been seeing the same things here, then why not issue this warning before a successful attack? There are other issues involved and I wouldn't mind some feedback. For example, is this a 'scare tactic' that will eventually get security warnings ignored? Does anybody running a Unix machine even read Toplist?
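The e-mail says the dictionary attacks show up as failed attempts in the system logs, which is exactly where a sysadmin can spot them before a weak root password gets guessed. The script below is an added example (mine, not from the post or the Rhodes e-mail): it parses OpenSSH "Failed password" and "Illegal user" lines from a constructed auth.log sample, aggregates attempts per source address, flags sources whose volume or username spread looks like a dictionary run, and audits a constructed sshd_config fragment for the two settings that make such a run worthwhile. The log lines, addresses and config are all made up for the example, and the flagging thresholds are assumptions you would tune to your own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH auth.log lines in the style the post describes:
# repeated failed root logins and "Illegal user" probes from one source, plus
# ordinary traffic. These are made-up entries, not logs from the original post.
SAMPLE_AUTH_LOG = """\
Nov  5 03:12:01 host sshd[4821]: Failed password for root from 192.0.2.10 port 40211 ssh2
Nov  5 03:12:03 host sshd[4823]: Failed password for root from 192.0.2.10 port 40215 ssh2
Nov  5 03:12:05 host sshd[4825]: Failed password for root from 192.0.2.10 port 40218 ssh2
Nov  5 03:12:07 host sshd[4827]: Illegal user test from 192.0.2.10
Nov  5 03:12:09 host sshd[4829]: Illegal user admin from 192.0.2.10
Nov  5 03:12:11 host sshd[4831]: Failed password for illegal user guest from 192.0.2.10 port 40230 ssh2
Nov  5 08:40:12 host sshd[5102]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Nov  5 08:40:20 host sshd[5104]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Nov  5 09:01:00 host sshd[5200]: Accepted publickey for bob from 203.0.113.5 port 42000 ssh2
"""

# Constructed sshd_config fragment carrying the weak settings the incident hinges on.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# "Illegal user" is the wording of 2004-era OpenSSH; later releases say "Invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+)")
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")


def parse_failures(log_text):
    """Return a list of (username, source_ip) for every failed or illegal-user attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or ILLEGAL_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def summarize_by_source(events):
    """Per source IP: total failures, failures aimed at root, and distinct usernames tried."""
    totals = Counter()
    root_hits = Counter()
    users = defaultdict(set)
    for user, ip in events:
        totals[ip] += 1
        users[ip].add(user)
        if user == "root":
            root_hits[ip] += 1
    return {ip: {"attempts": totals[ip],
                 "root_attempts": root_hits[ip],
                 "distinct_users": len(users[ip])} for ip in totals}


def flag_dictionary_attacks(summary, min_attempts=5, min_users=3):
    """Sources with many failures, or failures spread over several usernames, look like
    a dictionary run rather than a user mistyping a password. Thresholds are assumptions."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= min_attempts or s["distinct_users"] >= min_users)


def audit_sshd_config(config_text):
    """Return the weak directives found (assumes the usual 'Key value' one-per-line layout)."""
    findings = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].lower()
        if key == "PermitRootLogin" and value == "yes":
            findings.append("PermitRootLogin yes: root can be attacked directly; set 'no' and use su/sudo")
        if key == "PasswordAuthentication" and value == "yes":
            findings.append("PasswordAuthentication yes: guessing stays possible; prefer public keys")
    return findings


if __name__ == "__main__":
    summary = summarize_by_source(parse_failures(SAMPLE_AUTH_LOG))
    for ip, s in summary.items():
        print(f"{ip}: {s['attempts']} failures, {s['root_attempts']} against root, "
              f"{s['distinct_users']} usernames")
    print("suspected dictionary attacks:", flag_dictionary_attacks(summary))
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("config:", finding)
```

On the sample, 192.0.2.10 is the only flagged source (six failures across four usernames, three of them against root), while alice's single typo from 198.51.100.7 stays below both thresholds; the config audit reports both weak directives. Run over a real auth.log, a daily count of flagged sources is the kind of number the Rhodes e-mail quotes, and the config audit catches the setting that turned a guessed password into a root compromise.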


I just ran into someone trying an ssh brute force on one of my machines. Snort picked up 333 instances of “Potential SSH Scan” from the machine but my auth.log had 1623 illegal user attempts from sshd and another 136 attempts logged by iptab
Tracked: Aug 04, 03:55