On Fri, Jun 30, 2017 at 9:36 AM, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
It's not necessarily a target on *you*, but very probably it's just
targeting any computer that responds to them. Poke, get a response,
keep prodding...
Yeah, pretty much all of this is totally automated these days. There are programs out there that just probe the entire IP address space looking for exposed ssh servers, and when one is found, a list of account name/password combinations is tried. They are looking for *very* low-hanging fruit. If any login attempt actually succeeds, it is reported for further investigation.
If you have an exposed ssh server, you will see this kind of doorknob-rattling. I get around it in one of four ways: 1) Turn off sshd if I don't really need it on a given system; 2) Use firewall rules to allow access only from certain known remote locations (so I can get into my home system from my desktop at work, for instance); 3) run sshd on a non-standard port (won't stop the serious bad guys, but is usually good enough to stop the automated doorknob-rattlers); and 4) If you really have to have an ssh server that allows access from unknown remote locations, run something like fail2ban that at least automatically blocks them if they try too often from the same place. And the most important thing is, any of these defenses can fail if you make a mistake configuring them (won't happen because we're all perfect, right? :-) , so the most important thing you can do is use strong passwords so that the brute force guessing cannot succeed.
--Greg
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx