Port 22 Not being attacked.

StingRay · #1 10-04-2005, 02:53 PM

I currently get about 5 Brute force attacks a day and find that the attacks never seem to target port 22 (default SSH port).

Is that odd? Seems to me that port 22 is more secure since no one ever trys it lol.

elix · #2 10-04-2005, 03:07 PM

Some script kiddies don't even know what SSH is LOL

#3 10-04-2005, 05:35 PM

My attacks were always on port 22. They stopped once I changed the SSH port to something above 1024.

vps-vince · #4 10-04-2005, 07:26 PM

Beginner question:
Where do you look to see and identify these attacks?

Cheers

guapo · #5 10-04-2005, 08:05 PM

would be at your email if its set up to send you e-mail or at logs files
/var/log
if you do have some brute force program installed like BDF

type at ssh if im not wrong.
tail -f /var/log/bdf

Zaf · #6 10-05-2005, 03:59 AM

Quote:

Originally Posted by guapo

type at ssh if im not wrong.
tail -f /var/log/bdf

the path of the logs look fine, but the command should be

Code:

root@host [~]# tail -f /var/log/bfd_log

StingRay · #7 10-05-2005, 11:27 AM

vince,
BFD sends me an email everytime it adds an IP to the firewall. I currently have it running every 10 minutes (which I intend to get around to changing to daemon), and with it set to 10 min, I quite often get 100's of attempts.

I have yet to see an attempt being made on a port with less than 5 digits. ie 45123, or 32345, etc.

The majority of attacks do seem to target the "root" user though, so i've set out to disable root login.

They also target common names and words, so Ive decided from now on I will make user names created on the server that include a number and are not dictionary words.

chief · #8 10-05-2005, 03:49 PM

Same here (strange port attempts), and there are some damn strange name attempts too.

vps-vince · #9 10-05-2005, 06:55 PM

Tried [~]# tail -f /var/log/bfd_log but it just hangs there doing nothing

I used sftp to download bfd_log.1 bfd_log.2 and so on, and they are empty, zero bytes.

Does that mean all is fine?

Thanks

StingRay · #10 10-05-2005, 08:55 PM

Check /var/log/secure or secure.1 etc
Look for "Invalid user xxx from xxx.xxx.xxx.xxx"

If you have a bunch of those from the same IP, then BFD is not setup properly. (ie could be that it isn't working at all, or you have the allowed attempts too high)