[Beowulf] Re: "hobbyists"

[Lombard, David N]

On Fri, Jun 20, 2008 at 12:15:39AM -0400, Perry E. Metzger wrote:
> 
> "Robert G. Brown" <rgb at phy.duke.edu> writes:
> > Do you have an recent contemporary evidence for that?
> 
> Yes, Run a box with sshd on it connected to the internet and watch your
> logs for a few days. You will find numerous attempts to try thousands
> of possible account names and passwords -- brute force cracking.
> 
> Here is an extract from the log on a real machine, one of mine, from
> last night:
> 
> Jun 19 20:56:53 smaug sshd[2577]: Invalid user secretariat from 70.90.14.154
> Jun 19 20:56:54 smaug sshd[2522]: Invalid user secretar from 70.90.14.154
> Jun 19 20:56:55 smaug sshd[23949]: Invalid user present from 70.90.14.154
> Jun 19 20:56:56 smaug sshd[3440]: Invalid user test from 70.90.14.154
> Jun 19 20:56:57 smaug sshd[8809]: Invalid user test from 70.90.14.154
> Jun 19 20:56:58 smaug sshd[21600]: Invalid user teste from 70.90.14.154
> Jun 19 20:56:59 smaug sshd[314]: Invalid user teste from 70.90.14.154

Yeah, I get that all the time too,  I use an /etc/hosts.allow filter to
temporarily block those idiots after three such attempts.

> It goes on and on and on. There are countermeasures you can run to
> block the zombies trying to guess passwords, but I rarely bother since
> none of my machines allow password based login so their attempts are
> useless anyway.

Same here, so agree to the futility.  But, why suffer the endless churn?
If left alone, some will pound away for hours.

> > But weak passwords that are brute force guessed[...]?
> > Only on a poorly managed network,
> 
> That would be 95% of networks. I've done a lot of network audits in my
> day, too.

Yup.  Just fire up any Wifi kit and look at the visible networks.  Also
don't forget SC's wall of shame...

-- 
David N. Lombard, Intel, Irvine, CA
I do not speak for Intel Corporation; all comments are strictly my own.