My Geek-Blog!!
Friday, August 05, 2005
Geek blog
Every now and then I tend to "geek out" and so I figured I'd start a blog to post my progress.
The latest thing I've been hacking on is a security system for my computer ... there are lots of script kiddies out there now, and if you turn on a brand-new computer, they say it will be "rooted" or compromised within minutes. In my own computer's logs, I'm seeing 2-10 brute-force attempts to log in by random machines. Generally, these are very easy to detect:
Jul 31 23:03:35 192 sshd[32563]: Illegal user admin from 200.220.192.86
Jul 31 23:03:35 192 sshd(pam_unix)[32563]: check pass; user unknown
Jul 31 23:03:35 192 sshd(pam_unix)[32563]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=nagios.nqt.com.br
Jul 31 23:03:37 192 sshd[32563]: Failed password for illegal user admin from 200.220.192.86 port 52533 ssh2
Jul 31 23:03:39 192 sshd[32565]: Illegal user admin from 200.220.192.86
Jul 31 23:03:39 192 sshd(pam_unix)[32565]: check pass; user unknown
Jul 31 23:03:39 192 sshd(pam_unix)[32565]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=nagios.nqt.com.br
Basically, they're just trying random passwords against widely-used usernames -- admin, betty, bob, joe. But they also try a few passwords at each of 50 different usernames, so given enough time they could slowly stumble onto a correct combination.
My approach has been to give them 3 tries to get in, then I start dropping all their packets -- it's as if my computer never sees them again. If it is a legit user, they'll probably get their password right in 3 tries, so it isn't a big inconvenience to real users.
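Here is the counting side of that approach as an added example; it is not the author's script. It parses the same OpenSSH syslog wording shown in the excerpt above, tallies failed passwords per source address (not per username, so spreading guesses over 50 accounts still trips the limit), and emits the iptables DROP rules for anyone at or past the threshold. The log sample is constructed: the first address is the one from the post, while 192.0.2.55 and 10.0.0.7 are made-up hosts added to show a below-threshold probe and a legitimate user who mistyped once.

```python
import re
from collections import Counter

# Constructed sample in the same 2005-era OpenSSH syslog format as the post's
# excerpt. 200.220.192.86 is the address from the post; 192.0.2.55 and 10.0.0.7
# are invented for the example (a low-volume probe and a real user, "jeff").
SAMPLE_LOG = """\
Jul 31 23:03:35 192 sshd[32563]: Illegal user admin from 200.220.192.86
Jul 31 23:03:35 192 sshd(pam_unix)[32563]: check pass; user unknown
Jul 31 23:03:37 192 sshd[32563]: Failed password for illegal user admin from 200.220.192.86 port 52533 ssh2
Jul 31 23:03:39 192 sshd[32565]: Illegal user admin from 200.220.192.86
Jul 31 23:03:41 192 sshd[32565]: Failed password for illegal user admin from 200.220.192.86 port 52540 ssh2
Jul 31 23:03:45 192 sshd[32567]: Failed password for illegal user betty from 200.220.192.86 port 52551 ssh2
Jul 31 23:03:49 192 sshd[32569]: Failed password for illegal user bob from 200.220.192.86 port 52560 ssh2
Jul 31 23:10:02 192 sshd[32601]: Failed password for jeff from 10.0.0.7 port 40112 ssh2
Jul 31 23:10:09 192 sshd[32603]: Accepted password for jeff from 10.0.0.7 port 40113 ssh2
Jul 31 23:15:30 192 sshd[32650]: Failed password for illegal user joe from 192.0.2.55 port 1025 ssh2
Jul 31 23:15:32 192 sshd[32650]: Failed password for illegal user joe from 192.0.2.55 port 1025 ssh2
"""

# Only the "Failed password" line is counted. The "Illegal user" and pam_unix
# "authentication failure" lines describe the same attempt (and the pam line
# carries a hostname, not an address), so counting them too would inflate
# the tally and ban a clumsy user after a single typo.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return one (source_ip, username) pair per failed password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("ip"), m.group("user")))
    return failures


def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` failures, whatever usernames they tried.

    Keying on the source address is what defeats "a few guesses at each of 50
    usernames": the per-account count stays low, the per-host count does not.
    """
    counts = Counter(ip for ip, _user in parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def drop_rules(ips):
    """iptables commands that silently discard every packet from each offender."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip, n in hits.items():
        users = sorted({u for i, u in parse_failures(SAMPLE_LOG) if i == ip})
        print(f"{ip}: {n} failed passwords across users {users}")
    for rule in drop_rules(hits):
        print(rule)
```

Two caveats worth keeping in mind if you run something like this for real: `-j DROP` on the INPUT chain blocks every service from that host, not just ssh, so a trusted address range you administer from should be exempted before any rule is added, and the entries should expire rather than accumulate, or the rule set grows without bound and a legitimate user who fat-fingers a password three times is locked out until someone flushes it by hand.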