[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: SSH and Telnet ports

To: or-talk@xxxxxxxxxxxxx
Subject: Re: SSH and Telnet ports
From: "Kasimir Gabert" <kasimir.g@xxxxxxxxx>
Date: Sun, 14 Dec 2008 13:41:15 -0700
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Sun, 14 Dec 2008 15:41:20 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=2/FPDz+Q2zHZAuXc+KJN+SiAOURdVS88rPEEDbAFV/4=; b=p4zY0iB3qte7J4NKjZh9t9nx7S1Ie++MlPAWEA+FO04ZxDVvWSLLvEPGZmwmetu1LX UX14+7fIhiU8DlAgYD6GY7bSKiBJZeKSSUM5C9XA2oqA2JK9ghq3cUvPzuFfnVU6fkfP C041CRsHplUqsxdCSJ1ZWhD46A2CryqK3wKKg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=f1uFBVst8EOl6nOAXqX8AOc+7kl2EB9fzeD1iHhxS9Po7KarHsOJPvEbetvAv6+i9f N9d0nNAH+oVH3ibpsWcnVw3ny32gyO1KE4QEkNnJu1E1N1oo1PwjkwU3kvuWQP2vfKtS oqC69JPTpIraf/9R8jJOlSpokGoqVXt5C9iUY=
In-reply-to: <49456326.30806@xxxxxx>
References: <f63c4b2d0812141015q39c22941w856af2853230e165@xxxxxxxxxxxxxx> <20081214183613.GC30753@xxxxxxxxxxx> <52836a540812141038w40804d5eoe433e243709a9877@xxxxxxxxxxxxxx> <49456326.30806@xxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On Sun, Dec 14, 2008 at 12:48 PM, Dominik Schaefer <schaedpq2@xxxxxx> wrote:
> Kasimir Gabert schrieb:
>> On Sun, Dec 14, 2008 at 11:36 AM, Christopher Davis <loafier@xxxxxxxxx>
>> wrote:
>>> How practical is SSH password cracking over Tor? Wouldn't the latency
>>> deter attackers?
>> I have received about 70 brute force ssh attempts on my Tor node in the
>> past month from other exit nodes.  I'm not sure what the pay off is, but
>> the attacks are occurring.
> Three servers I maintain receive about 60 of those dumb and ridiculous login
> attempts per hour. They are not running any Tor relay und are not especially
> 'big' in terms of number of users or publicity. Clearly, the originator does
> not target Tor nodes specifically. ;-) As these logins are coordinated (same
> username on 3 machines within the same second), it seems to be some botnet.
> Concerning the aspect of using Tor to target others: I would be very surprised
> if anyone actually tries to use Tor for this, ordinary botnets of owned
> machines are completely sufficient.
>
> Dominik
>
>
>

Hello Dominik,

Thanks for the information.  I run denyhosts, and receive ridiculous
numbers of these connections to my servers as well.  I ran a quick
script to grab what denyhosts had blocked, and determined how many of
those connections were from Tor exit nodes.  Quite a large number!

On my other boxes I seem to get less of the Tor exit node attacks for
some reason, although I do still receive roughly the same number from
botnets.

Kasimir

-- 
Kasimir Gabert

Follow-Ups:
- Re: SSH and Telnet ports, tip: change the sshd port
  - From: xiando

References:
- SSH and Telnet ports
  - From: Mitar
- Re: SSH and Telnet ports
  - From: Christopher Davis
- Re: SSH and Telnet ports
  - From: Kasimir Gabert
- Re: SSH and Telnet ports
  - From: Dominik Schaefer

Prev by Author: Re: SSH and Telnet ports
Next by Author: Re: Need help with MPAA threats
Previous by thread: Re: SSH and Telnet ports
Next by thread: Re: SSH and Telnet ports, tip: change the sshd port
Index(es):
- Author
- Thread