How often do people try to bruteforce your systems?

Well, I was just having a look in my home server's event logs, and unsurprisingly... people have been trying to bruteforce it. So I'm just collecting their IPs and blocking them now... not the most efficient method :o

So, how often do people try and bruteforce you? And what countermeasures do you have in place in order to prevent it (I'd be interested to know).

EDIT:
Just in case you're wondering how I'm blocking their IP addresses, I'm doing it by creating an endpoint connection security rule in Windows Firewall. Hopefully I'll be able to knock something up in VB.NET to do this automatically at some point.
 
I have one server which doesn't really host anything interesting. I run a comms server, some uni projects, and a single static HTTP page yet I've still managed 1000 banned IPs since July.
 
My home PC is under constant scan and infiltration attempts.

After installing pfSense and Snort, I can see how extensive it really is. Every day I will block scans and connection attempts on port 445 (Windows file sharing port) and other known exploit ports.

I also have a freebsd webserver that is on the net with only pf and I see constant incorrect root login attempts and password brute force attempts, but that has gone down a lot since I restricted ssh to specific ip, but amazingly they still get through sometimes, but never get my huge passwords with ASCII :D
 
A lot of it depends on what ISP you're on. If you're on one of the biggies like BT or Virgin, then you'll see loads due to virus activity that is scanning their own subnets.

95% of these attacks are automatic virus attacks, worms trying to get onto other PCs; they aren't really individuals targeting you.
 
I also have a freebsd webserver that is on the net with only pf and I see constant incorrect root login attempts and password brute force attempts, but that has gone down a lot since I restricted ssh to specific ip, but amazingly they still get through sometimes, but never get my huge passwords with ASCII :D

Your configuration is b0rked. Start using public key authentication.

PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Good times.

@Tingle Start using VPN. Hamachi is good.
 
Your configuration is b0rked. Start using public key authentication.

PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Good times.

@Tingle Start using VPN. Hamachi is good.

Seconded!

Also worth looking at fail2ban for automatically blocking repeated attempts to login.

Because so much of the activity is automated as mentioned, a little "security by obscurity" can also be a bit of help too...though of course purely as an addition to whatever you already have.

Changing the port which SSH listens on, for instance, will probably show a reduction in failed logins because lots of stuff will simply target port 22. If your server is mainly used by you/a small number then changing port numbers isn't much of a hassle.

You can set up a honeypot too...something such as honeyd
 
I might switch to key auth because I lost my static IP (because BT want to charge £5 per month for a DHCP IP with long lease) and cannot get pf to update with dynamic DNS. I tried creating a table and then using a cron script to update it, but it did not work. I was looking for another solution but key files might be better than blocking the port anyway.
 