Brute Force SSH Hacking Attempt on My Server; Guess Who Was Responsible?
By Angsuman Chakraborty, Gaea News Network
Monday, August 28, 2006
I faced serious hacking attempts from a server owned by my dedicated web hosting provider, LayeredTech. More than 23,000 brute force attempts were made on the ssh server alone, and over 13,000 attempts were recorded in the messages log files. What surprised me most was the machine from which the attack originated. You cannot even begin to guess.
I emailed my dedicated web hosting provider with a sampling of my log files.
They promptly took action and emailed their customer who owned the address. I was surprised to find the attack originated from CalTech university servers!
Caltech admin promptly responded and blocked a particular ssl account which was apparently compromised by AOL’ers.
It shows that anyone, however big or famous, can be compromised. All it takes is a single vulnerability or weak password or social engineering.
Fortunately my server wasn’t compromised in this attack, primarily because of unguessable user accounts and strong passwords. However, there is no room for complacency.
chris |
August 29, 2006: 8:55 am
look into recent state match for iptables and forget about ssh brute force attacks… |
August 29, 2006: 12:30 am
Hi Angsuman, I know that there are lots of tutorials for password management. Can you share what you generally use? Like size, case, etc.? Thank you, BR, |
August 28, 2006: 9:35 pm
That is very true. I find LayeredTech very aggressive in handling such issues, maybe even too aggressive. They give you an ultimatum of 6 hours or else face disconnection! |
August 28, 2006: 3:36 pm
Be thankful that the attacker was in the US. I have had hundreds of thousands of attacks like what you describe, but originating outside the US. Most of my attacks have been from China, Korea, Japan and Argentina. Complaints to ISPs in those countries are as effective as yelling at my monitor. |
August 28, 2006: 9:50 am
I use iptables to block IP addresses. I am thinking of more proactive blocking, like DenyHosts, to block while an attack is in progress. Thanks for the suggestion. |
Bob |
Angsuman Chakraborty
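
The comments above mention blocking while an attack is in progress. The following added example is not part of the original post or its comments and is not DenyHosts code; it shows the log-side detection such blocking depends on, counting OpenSSH `Failed password` lines per source address in a sliding window. The function name, threshold, window, assumed year and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line. The username is attacker-supplied text, so the
# greedy (.*) plus the end-of-line anchor takes the address from the LAST
# "from <addr> port <n>", which sshd itself wrote, not one embedded in a username.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def find_offenders(lines, threshold=5, window=timedelta(minutes=1), year=2006):
    """Map each source address to the time it first hit `threshold` failures
    inside `window`. Syslog timestamps carry no year, so `year` is assumed."""
    recent = defaultdict(deque)  # address -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        times = recent[m["ip"]]
        times.append(ts)
        while ts - times[0] > window:  # drop failures that aged out
            times.popleft()
        if len(times) >= threshold:
            offenders.setdefault(m["ip"], ts)
    return offenders

# Constructed sample log (documentation address ranges), not the author's logs.
SAMPLE_LOG = [
    f"Aug 28 03:14:{s:02d} web1 sshd[4021]: Failed password for invalid user "
    f"admin from 203.0.113.5 port {40000 + s} ssh2"
    for s in range(0, 12, 2)
] + [
    "Aug 28 03:15:10 web1 sshd[4030]: Failed password for root "
    "from 192.0.2.77 port 51000 ssh2",
    "Aug 28 03:20:10 web1 sshd[4031]: Accepted password for deploy "
    "from 192.0.2.77 port 51001 ssh2",
    # Username crafted to resemble a source address; the real peer is at the end.
    "Aug 28 03:21:00 web1 sshd[4040]: Failed password for invalid user "
    "x from 198.51.100.9 port 22 ssh2 from 192.0.2.77 port 51002 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} {ip} reached the failure threshold")
```

The addresses it returns are the ones a blocker would then pass to iptables; the crafted-username line is included because a parser that trusts the first `from` in the line can be steered into blocking an unrelated host.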