

Honeypot analysis - Looking closer at SSH scans (user and passwords used) - j_lagof
http://blog.sucuri.net/2010/01/honeypot-analysis-looking-at-ssh-scans.html

======
ddbb
Good job researching those pesky brute force scans. Is there anyway you can
post the complete list with all the data collected instead of just the top 50?

------
jhancock
Nice analysis.

[advice for those not doing it right]: if your sshd config allows id/pw login,
turn this off and only use keys. Also, move your sshd listener port to
something besides 22 to eliminate most of the bot login attempts in your log
files.
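
The kind of tally behind the article's top-50 list, added here as an example (not the article's or any commenter's code) and run over a few constructed auth.log lines: it counts failed password attempts per username and per source address, which is exactly the bot noise the advice above removes from the logs. The log lines and addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not data from the article's honeypot).
SAMPLE_LOG = """\
Jan 10 03:14:07 hp sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 10 03:14:09 hp sshd[2211]: Failed password for invalid user oracle from 192.0.2.10 port 51235 ssh2
Jan 10 03:14:12 hp sshd[2213]: Failed password for root from 192.0.2.10 port 51236 ssh2
Jan 10 03:15:01 hp sshd[2220]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 03:15:03 hp sshd[2220]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jan 10 03:16:00 hp sshd[2230]: Accepted publickey for alice from 203.0.113.5 port 22222 ssh2
Jan 10 03:16:30 hp sshd[2231]: Invalid user test from 192.0.2.10
"""

# Matches both forms sshd writes: "Failed password for invalid user <name> ..."
# (unknown account) and "Failed password for <name> ..." (existing account).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def tally_failed_logins(log_text):
    """Return (per_user, per_source) Counters of failed password attempts."""
    per_user, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            # Accepted logins and pre-auth "Invalid user" lines are not guesses
            continue
        per_user[m.group("user")] += 1
        per_source[m.group("ip")] += 1
    return per_user, per_source


def top_users(log_text, n=50):
    """Most-guessed usernames, the same shape as the article's top-50 list."""
    per_user, _ = tally_failed_logins(log_text)
    return per_user.most_common(n)


def noisy_sources(log_text, threshold=3):
    """Source addresses with at least `threshold` failed attempts (scan candidates)."""
    _, per_source = tally_failed_logins(log_text)
    return [ip for ip, count in per_source.most_common() if count >= threshold]


if __name__ == "__main__":
    print(top_users(SAMPLE_LOG, 10))
    print(noisy_sources(SAMPLE_LOG))
```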

~~~
ddbb
You know, lots of people talk about using keys instead of passwords... By
doing that, if your box is compromised, the attacker will get access to ALL your
boxes.

So, the best option is to use an encrypted ssh key (so you have to type the
pass every time) or a good/different password for every box.

~~~
gchpaco
When you log in to an ssh host using a public/private key pair, the server
only sees the public key. So by breaking and entering the attacker can disable
your ability to log in in this fashion (by deleting the key) or can enable you
to log in somewhere else (by copying the key, probably useless) but they
cannot use that key to log in somewhere else absent modification of the SSH
server. And even then I doubt they could get the private key, although they
could probably run a MITM attack.

~~~
whimsy
I believe s/he meant if the box you are using to log in is compromised, then
all boxes your box has access to (by way of the private key it has in its file
system) are compromised, whereas it seems you interpreted the comment to be
implying that the host to which you are logging in (which only has the public
key in its file system) has been compromised.

The point is that the computer on which you type becomes a lynch-pin.

~~~
gchpaco
Yes, if you have a computer with a private key that is available to the
internet, and it gets knocked over, you're dead. Just as you would be if he
knocked it over and installed a keylogger and you were using passwords.
Cracked is cracked.

Assuming you are _not_ running services on your main workstation, which is not
that unreasonable (Ubuntu workstations are installed with 0 services available
to the local network; my Mac has 0 services available by default), then you
can get knocked over but it will probably happen because of a browser bug or
something like that, i.e. not an active attack.

The whole point of keys is that knocking over one of the intermediate nodes in
the network _no longer gives you control over everything_. Just because you
rooted my server doesn't mean you can automatically log in to all my other
machines, even if I'm using keys. Keys are better than passwords.

------
bigiain
I wonder if the lack of root:alpine and mobile:dottie indicates the attack
tools are smart enough to know the OS of the box they're attacking, or just a
lack of interest in owning jailbroken iPhones?

