Note to LEAF users on ssh logins

[Devon H. O'Dell]

On Wed, 2005-03-02 at 19:23 -0800, Matthew Dillon wrote:
>     Leaf and, in fact, all of my machines which have open ssh ports are getting
>     random hack attempts, about 20-30 a day in short bursts, usually from a
>     different IP address each day.  I talked with a few sysop friends and
>     their boxes are getting similar traffic.  The hack attempts primarily
>     try to ssh to root, admin, and a bunch of microsoft-soundy names.  It looks
>     fairly coordinated, like it is trying a couple of passwords a each day
>     then trying again with different passwords the next day.
> 
>     While none of my machines allow passworded logins over ssh (especially
>     not for root), and LEAF accounts are all '*'d out (key only logins),
>     I am rather disquieted by the continuous attempts so I have written and
>     intalled a little program to monitor the syslog which will automatically
>     block failed password or illegal user login attempts. 
> 
>     It isn't very refined yet so if you find yourself locked out of leaf
>     send me an email!
> 
> 					-Matt
> 					Matthew Dillon 
> 					<dillon at xxxxxxxxxxxxx>

These attacks are based on a silly brute-force exploit that has been
attacking miscellaneous SSH servers for years and has caused tons of
fuzz on various mailing lists. Basically, it simply tests user/user
combinations to log in. Perhaps there's a ``more sophisticated'' version
that is now doing dictionary attacks, but I don't think that's feasible
at 20 to 30 per day. FWIW, my server gets in the range of 100 - 300 per
day and has for about 5 or 6 months now.

However, since it's still a popular question on lists (I've heard
several questions about it recently, actually): would you post this
script somewhere so I can refer people to it when they ask? This is
usually the first thing asked for :)

--Devon