Sunday, November 11, 2007

What is the deal with Asian hacking?

The hardware firewall on my mother's network was having a problem so I had her plug her computer straight into the cable modem. I realized that this isn't the best idea, but it's a Mac, so the only way someone could get in is if they guessed her username and password which were both strong.

However, I was alarmed when I took a peek at her security logs (/var/log/secure.log) to see so many attacks over SSH, primarily from Asia (China, Korea, and India). Here's a small sample:

Nov 10 13:57:27 MacBook-Pro sshd[11704]: Invalid user admin from
Nov 10 13:57:28 MacBook-Pro sshd[11706]: Invalid user test from
Nov 10 13:57:29 MacBook-Pro sshd[11708]: Invalid user imaging from
Nov 10 13:57:31 MacBook-Pro sshd[11710]: Invalid user oracle from
Nov 10 19:20:41 MacBook-Pro sshd[12097]: Invalid user test from
Nov 10 19:20:45 MacBook-Pro sshd[12099]: Invalid user guest from
Nov 10 19:20:49 MacBook-Pro sshd[12101]: Invalid user admin from
Nov 10 19:20:53 MacBook-Pro sshd[12103]: Invalid user admin from
Nov 10 19:20:57 MacBook-Pro sshd[12105]: Invalid user user from
Nov 10 19:21:13 MacBook-Pro sshd[12116]: Invalid user test from
Nov 10 20:23:04 MacBook-Pro sshd[12152]: Invalid user apple from
Nov 10 20:23:09 MacBook-Pro sshd[12157]: Invalid user brian from
Nov 10 20:23:15 MacBook-Pro sshd[12162]: Invalid user andrew from
Nov 10 20:23:20 MacBook-Pro sshd[12167]: Invalid user newsroom from

Each attack would last between five and twenty minutes, and they'd all go for the low-hanging fruit such as common usernames and passwords. One solution is to simply change the SSH port from 22 to an obscure port.
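To turn that eyeballing of secure.log into something repeatable, here is an added example (my own, not from the original post) that parses the "Invalid user" lines sshd writes, groups them per source address into bursts separated by more than five minutes, and reports each burst's duration and the usernames it tried. The log lines are constructed to match the post's format, with RFC 5737 documentation addresses standing in for the real sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the secure.log format shown in the post.
# Source addresses are RFC 5737 documentation addresses, not real attackers.
SAMPLE_LOG = """\
Nov 10 13:57:27 MacBook-Pro sshd[11704]: Invalid user admin from 198.51.100.7
Nov 10 13:57:28 MacBook-Pro sshd[11706]: Invalid user test from 198.51.100.7
Nov 10 13:57:29 MacBook-Pro sshd[11708]: Invalid user imaging from 198.51.100.7
Nov 10 13:57:31 MacBook-Pro sshd[11710]: Invalid user oracle from 198.51.100.7
Nov 10 19:20:41 MacBook-Pro sshd[12097]: Invalid user test from 203.0.113.42
Nov 10 19:20:45 MacBook-Pro sshd[12099]: Invalid user guest from 203.0.113.42
Nov 10 19:21:13 MacBook-Pro sshd[12116]: Invalid user test from 203.0.113.42
Nov 10 20:23:04 MacBook-Pro sshd[12152]: Invalid user apple from 198.51.100.7
"""

# syslog timestamp, host, sshd[pid], then the "Invalid user NAME from ADDR" message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(text, year=2007):
    """Yield (timestamp, username, source) for each 'Invalid user' line.
    syslog lines carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def bursts(text, gap=timedelta(minutes=5)):
    """Group failures per source into bursts separated by more than `gap`.
    Returns {src: [(start, end, [usernames]), ...]} so each burst's duration
    and the names it guessed can be read off directly."""
    out = defaultdict(list)
    for ts, user, src in sorted(parse(text)):
        runs = out[src]
        if runs and ts - runs[-1][1] <= gap:
            start, _, users = runs[-1]
            runs[-1] = (start, ts, users + [user])   # extend the open burst
        else:
            runs.append((ts, ts, [user]))            # start a new burst
    return dict(out)

if __name__ == "__main__":
    for src, runs in bursts(SAMPLE_LOG).items():
        for start, end, users in runs:
            print(f"{src}: {len(users)} guesses over {end - start} ({', '.join(users)})")
```

Run against the real /var/log/secure.log (after reading it with the right year), the burst lengths and the repeated dictionary names make the pattern the post describes easy to spot.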

I'll be keeping a close eye on those logs.
