Rickroll connections to port 22
So anyone running a *nix server with ssh running has to deal with stuff like this:
(Yes, those were real brute force attempts. The moron couldn't spell.)
My server's auth.log wrote:
May 27 07:54:51 ukyo sshd[2345]: Invalid user adinminstartor from 113.200.67.186
May 27 17:15:06 ukyo sshd[29228]: Invalid user rot from 113.200.67.186
Jun 10 01:16:39 ukyo sshd[23684]: Invalid user defloy from 113.200.67.186
Jun 10 01:16:48 ukyo sshd[23686]: Invalid user dekpliy from 113.200.67.186
Jun 10 02:58:30 ukyo sshd[28501]: Invalid user deploy from 113.200.67.186
Jun 10 06:58:55 ukyo sshd[8136]: Invalid user defplonie from 113.200.67.186
Jun 9 15:51:29 ukyo sshd[28127]: Invalid user apachie from 113.200.67.186
Jun 16 22:55:45 ukyo sshd[30311]: Invalid user ftp from 113.200.67.186
Jun 17 08:51:44 ukyo sshd[28846]: Invalid user aparche from 113.200.67.186
Jun 17 14:21:49 ukyo sshd[12604]: Invalid user gast from 113.200.67.186
Another guy:
Jun 10 15:28:49 ukyo sshd[733]: Invalid user admon from 223.4.210.143
Jun 10 15:28:54 ukyo sshd[735]: Invalid user addmin from 223.4.210.143
Jun 10 15:55:41 ukyo sshd[1946]: Invalid user admin from 223.4.210.143
Jun 11 00:05:11 ukyo sshd[29697]: Invalid user ts from 223.4.210.143
Jun 11 00:29:30 ukyo sshd[30755]: Invalid user ts3 from 223.4.210.143
Jun 11 15:23:14 ukyo sshd[10158]: Invalid user ts3server from 223.4.210.143
Jun 12 20:51:44 ukyo sshd[31913]: Invalid user usor from 223.4.210.143
Jun 12 21:08:33 ukyo sshd[636]: Invalid user user from 223.4.210.143
Jun 12 21:08:41 ukyo sshd[638]: Invalid user usor1 from 223.4.210.143
Jun 12 21:28:27 ukyo sshd[1561]: Invalid user web01 from 223.4.210.143
Jun 12 15:51:31 ukyo sshd[17520]: Invalid user usorftp from 223.4.210.143
Jun 12 16:12:14 ukyo sshd[18684]: Invalid user userftp from 223.4.210.143
Since then, I've switched to key-based authentication and moved ssh to another port. I do have denyhosts running. What I'm debating doing is to figure out a way I can piss off some script kiddies by doing a blinkenlights-style rickroll for anyone who tries to connect to my servers via port 22. Does anyone think this is possible, or is this a dream?
Comments
It shouldn't be too hard: All you need is an SSH server that'll accept everything and everyone and drop rick.sh on them.
Worth noting, OpenSSH can show a banner before a login attempt is made. A lot of times you'll see this on a server saying something about 'all access attempts are logged' or something otherwise to scare people away.
Since we're on the topic of openssh, have you guys noticed brute forcers disconnecting on one failed connect and automatically reconnecting? Seems like by doing that they've been able to bypass denyhosts unless you either change failed attempts to 1 or manually add them to hosts.deny. Not like those guys can do much, as passworded logins are disabled. It's as successful as trying to melt a glacier with your own piss.
Also, snort works pretty good as an IDS/IPS system.
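The comments above describe sources that make one failed attempt per connection and come back later, and the quoted auth.log shows the same addresses returning over days. As an added example (not code from the thread or from denyhosts), this Python code counts `Invalid user` lines per source over a long sliding window; the year, window and threshold defaults are assumptions, and the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First eight lines are copied from the post's auth.log; the last is constructed
# (192.0.2.10 is a documentation address) to stand in for a one-off typo.
SAMPLE = """\
May 27 07:54:51 ukyo sshd[2345]: Invalid user adinminstartor from 113.200.67.186
May 27 17:15:06 ukyo sshd[29228]: Invalid user rot from 113.200.67.186
Jun 10 01:16:39 ukyo sshd[23684]: Invalid user defloy from 113.200.67.186
Jun 9 15:51:29 ukyo sshd[28127]: Invalid user apachie from 113.200.67.186
Jun 17 08:51:44 ukyo sshd[28846]: Invalid user aparche from 113.200.67.186
Jun 10 15:28:49 ukyo sshd[733]: Invalid user admon from 223.4.210.143
Jun 11 00:05:11 ukyo sshd[29697]: Invalid user ts from 223.4.210.143
Jun 12 20:51:44 ukyo sshd[31913]: Invalid user usor from 223.4.210.143
Jun 14 09:00:00 ukyo sshd[4242]: Invalid user bob from 192.0.2.10
""".splitlines()

# Matches the sshd "Invalid user" lines in the format quoted in the post.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
                     r"Invalid user (?P<user>\S*) from (?P<ip>\S+)")

def parse(lines, year=2000):
    """Yield (timestamp, user, ip). Syslog omits the year; 2000 is a placeholder."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def slow_sources(lines, window=timedelta(days=30), threshold=3, year=2000):
    """Return {ip: sorted usernames tried} for every source with at least
    `threshold` invalid-user attempts inside any span of length `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(lines, year):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # the log is not strictly chronological (Jun 9 after Jun 10)
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged
```

On the sample, a one-hour window with the same threshold flags nothing, while the 30-day default flags both addresses from the post and leaves the single constructed typo alone.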