MORE SSH Hacking: heads-up

Scot L. Harris webid at cfl.rr.com
Sat Jul 31 16:25:20 UTC 2004


On Sat, 2004-07-31 at 16:56, Christopher J. Bottaro wrote:
> would someone like to explain what is going on to a newb?  yall are 
> suffering hacking attempts from korea?  or are the addresses spoofed 
> from korea or something?  thanks.

It appears that a number of people have noted login attempts on the ssh
port.  Many of these attempts appear to be from systems with IP
addresses located in Korea.  Not really surprising.  Attempts like these
occur all the time across the Internet.

Tools such as nessus make this very easy to scan huge pools of IP
addresses for easily exploited systems.  This particular attempt appears
to be automated and is probably a special purpose tool written that is
looking for some particular type of systems with known default user account
names/passwords.  It is possible that it is a virus that is trying to
spread but viruses normally use a different method (mass emails primarily
or compromised web servers).

For the most part this is normal on the Internet.  As long as you use
strong passwords (8 characters or more, upper/lower case, numerics,
special characters, non-dictionary based) and disable any services you
don't actually need/use as well as use a firewall (both hardware and
iptables) and keep your system patched there should be little to be
worried about.

The Internet is and has been a hostile space for some time.  If you
really want to see what is going on set up a system with snort or use
ethereal and connect directly to a cable or dsl router.  The number of
port scans and attempts at accessing your system may surprise you.  

There is not a whole lot you can do about it except take precautions.  
Running chkrootkit and tripwire can alert you if something changes that
should not.  But if you do the other things mentioned above you should
have little to worry about.  Spending a lot of time and effort to track
them down is not really worth it IMHO.
 
-- 
Scot L. Harris
webid at cfl.rr.com

Most burning issues generate far more heat than light. 
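
Added example, not part of the original post: one way to see the pattern described above in sshd's own log is to count failed logins per source address and list the account names tried. The log lines are constructed samples, and the function name and thresholds are hypothetical; the line format assumed is OpenSSH's "Failed password for ..." syslog message.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not from the thread); RFC 5737 addresses.
SAMPLE_LOG = """\
Jul 31 10:01:02 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Jul 31 10:01:05 host sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40115 ssh2
Jul 31 10:01:09 host sshd[2105]: Failed password for root from 192.0.2.10 port 40119 ssh2
Jul 31 10:01:12 host sshd[2107]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Jul 31 10:05:40 host sshd[2150]: Failed password for alice from 198.51.100.7 port 51200 ssh2
Jul 31 10:05:52 host sshd[2152]: Accepted password for alice from 198.51.100.7 port 51204 ssh2
Jul 31 10:09:00 host sshd[2190]: Failed password for root from 203.0.113.5 port 33001 ssh2
"""

# "illegal user" is the wording of older OpenSSH releases, "invalid user" of later ones.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(illegal|invalid) user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\d{1,3}(?:\.\d{1,3}){3}) ")

# Hypothetical helper; the default thresholds are illustrative, not recommendations.
def summarize(log_text, min_failures=3, min_users=2):
    """Return {ip: report} for sources that look like automated account guessing."""
    failures = defaultdict(list)   # ip -> [(username, account_exists)]
    accepted = defaultdict(set)    # ip -> usernames that logged in successfully
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(3)].append((m.group(2), m.group(1) is None))
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted[m.group(2)].add(m.group(1))
    report = {}
    for ip, tries in failures.items():
        users = sorted({u for u, _ in tries})
        if len(tries) >= min_failures and len(users) >= min_users:
            report[ip] = {
                "failures": len(tries),
                "users": users,
                "unknown_users": sorted({u for u, exists in tries if not exists}),
                # A successful login from a guessing source is what needs follow-up.
                "logins_after_guessing": sorted(accepted[ip]),
            }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password from a legitimate user stays below the default thresholds, so only the source cycling through several account names is reported.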