
assurance - Re: [Assurance] Counting Failed Logins Update

  • From: "Joe St Sauver" <>
  • To:
  • Subject: Re: [Assurance] Counting Failed Logins Update
  • Date: Tue, 25 Jun 2013 13:57:59 -0700 (PDT)

Scott Cantor commented:

#We do have hard evidence from logs that nobody's brute forcing our
#accounts (literally nobody). Phishing is far simpler and more effective.

I think it varies from site to site. If you're not blocking ssh at your
border, and you're not taking other measures to limit ssh attacks
(such as using port knocking), I virtually guarantee that you'll see
ssh attempts against any Internet-exposed sshds.

For example, just looking at one local system, I'm seeing...

Jun 20 08:30:00 [redacted] sshd[29780]: Invalid user als1331 from 91.90.121.171
Jun 20 08:30:02 [redacted] sshd[29792]: Invalid user bruce820 from 91.90.121.171
[etc]

Just to save the curious the trouble, that IP belongs to these guys:

% whois 91.90.121.171
[snip]
inetnum: 91.90.120.0 - 91.90.127.255
netname: IZO-NET
descr: IZO GROUP NETWORKS S.R.L.
country: RO
org: ORG-SIGN3-RIPE
admin-c: GG2714-RIPE
tech-c: GG2714-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: RO-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: IZO-MNT
mnt-domains: IZO-MNT
source: RIPE # Filtered

organisation: ORG-SIGN3-RIPE
org-name: IZO GROUP NETWORK SRL
org-type: OTHER
address: Str.Lanternei Nr.14
address: Bucuresti Sector 2
address: Romania
phone: +40-721295584
admin-c: GG3813-RIPE
tech-c: GG3813-RIPE
mnt-by: RO-MNT
mnt-ref: RO-MNT
source: RIPE # Filtered

person: GEORGESCU GABRIEL
address: SC IZO GROUP NETWORK SRL
address: Str.Lanternei Nr.14
address: Bucuresti Sector 2
phone: +40-721295584
nic-hdl: GG2714-RIPE
mnt-by: IZO-MNT
source: RIPE # Filtered

Oh, and those odd usernames? They appear to be among those mentioned on
http://www.moehre.org/bruteforce/bruteforce.txt , so we're not the only
ones seeing this sort of activity...

Regards,

Joe
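
Added example, not part of the message above or of the list archive: one way to count sshd failure lines like the ones quoted in the message, per source address, and to flag addresses that try many distinct usernames. It also covers the "Failed password" line shape, which the message does not show; the sample lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed OpenSSH message shapes (the message above shows only the first):
#   Invalid user NAME from ADDR [port N]
#   Failed password for [invalid user] NAME from ADDR port N ssh2
# NAME is supplied by the remote side, so it is matched greedily and the
# address is anchored at the end of the line; a name that itself contains
# " from <address>" then cannot change which source gets counted.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<addr>[0-9A-Fa-f:.]+)(?: port \d+)?(?: ssh2)?\s*$"
)

# Constructed sample lines (documentation addresses, made-up host and names).
SAMPLE = [
    "Jun 20 08:30:00 host1 sshd[29780]: Invalid user alpha1 from 192.0.2.7",
    "Jun 20 08:30:02 host1 sshd[29792]: Invalid user bravo2 from 192.0.2.7",
    "Jun 20 08:30:04 host1 sshd[29801]: Failed password for invalid user charlie3 from 192.0.2.7 port 40022 ssh2",
    "Jun 20 08:31:10 host1 sshd[29850]: Failed password for root from 198.51.100.4 port 51514 ssh2",
    "Jun 20 08:31:12 host1 sshd[29850]: Failed password for root from 198.51.100.4 port 51514 ssh2",
    "Jun 20 08:32:00 host1 sshd[29900]: Invalid user x from 203.0.113.9 from 192.0.2.7 port 40100",
    "Jun 20 08:33:00 host1 sshd[29950]: Accepted publickey for admin1 from 198.51.100.4 port 51600 ssh2",
]

def count_failures(lines):
    """Map source address -> {"events": n, "users": set of names tried}."""
    stats = defaultdict(lambda: {"events": 0, "users": set()})
    for line in lines:
        m = SSHD_FAIL.search(line)
        if m:
            entry = stats[m.group("addr")]
            entry["events"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)

def username_guessers(stats, min_users=3):
    """Sources that tried at least min_users distinct names (assumed threshold)."""
    return sorted(a for a, s in stats.items() if len(s["users"]) >= min_users)

if __name__ == "__main__":
    stats = count_failures(SAMPLE)
    for addr in username_guessers(stats):
        print(addr, stats[addr]["events"], sorted(stats[addr]["users"]))
```

The "events" figure counts log lines, not connections: a single attempt can produce both an "Invalid user" and a "Failed password" line.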


