In my opinion, the best SSH client ever is PuTTY Tray. It was originally compiled by Barry Haanstra and can be found here. Recently, the developers of the original PuTTY released version 0.61, which contains an important bugfix for anyone using PuTTY with serial ports. I used to use TeraTerm when fiddling with console cables, but it supports only com-ports 1-4. This is unfortunate because the new USB-serial-adapters like to map themselves to higher com-ports (usually 6) by default. Naturally you can change this, but it's just too much of a hassle. With PuTTY, you can use the higher numbers with ease.
Unfortunately, Barry Haanstra has stopped the development of PuTTY Tray, so there is no version 0.61 at haanstra.eu. This is a pity as that site is unsurprisingly the first hit when you Google "PuTTY Tray". However, Cris West is now maintaining PuTTY Tray at http://puttytray.goeswhere.com/. I don't know if this move is official, but at least it's not mentioned at haanstra.eu. Also, puttytray.goeswhere.com doesn't appear as a direct link within the first 10 Google result pages for "PuTTY Tray" (it's there on the first page, but that's a blog entry). In any case, the version of mr. West appears to be working just fine, so I'll just document the URL here. Hopefully it will appear on the Google results someday.
Interestingly, someone has just tried to DoS (perform a Denial of Service -attack) this server. As far as I know, this was the first time my Internet presence has come under a real attack. Everything before this has been normal backgroung noise.
The attack itself was pretty lame. Just a single host (so this wasn't a distributed DoS) in France pushing out 100mbit/s worth of tiny UDP-packets and it lasted for less than 20 minutes. You can see the packet rate from the attached graph.
Here's what our netflow-analyzer had to say about the attack:
Date Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2009-10-07 11:16:11 UDP 188.8.131.52:0 -> 184.108.40.206:0 7.0 M 9.3 G 176
In other words, 220.127.116.11 (ns38798.ovh.net) sent me 7 million UDP packets.
And what about the effects of the attack? The websites were a bit sluggish, as the link was saturated, but other than that I didn't notice anything else worth mentioning.
I've been using my new smartphone, the HTC Touch Pro 2, for a week now and I'd like to present some thoughts and obervations about it. This post is not intended to be a full-blown review and therefore some knowledge on the Windows Mobile 6 platform is assumed from the readers. It also helps if you are familiar with the latest TouchFLO™ 3D interface. If you haven't actually used the Touch Pro 2 yourself, I suggest watching some video reviews from Youtube before reading this post.
Yesterday (April 23rd), just after 18:00 Finnish time, I noticed a few reports on IRC channels regarding a large increase in the amout of spam. I then checked the statistics of our customer spamfilter (I work for an ISP, remember?), and sure enough, a flood of spam was coming in. In a matter of minutes, the amout of spam had increased by a factor of 4 with spikes going twice as high. To give you an idea of the figures, the number of emails blocked on average was about 2,5 times as much as it was just before McColo was blocked from the internet. Five hours later the flood came to a sudden halt. It stopped just as abruptly as it begun.
We didn't look that closely on what was the content of these messages, but apparently most of them were faked Western Union recruitment emails. They were aimed at Europe, so that might explain why SpamCop didn't see any increase in spam volume. I haven't found as detailed realtime statistics on other sources, so I can't really say how widespread this incident was outside Finland. Also, I haven't seen any reports of it on the NANOG mailinglist, so quite likely it's been a usual day on the other side of the Atlantic.
The day before yesterday, Marshal8e6 released a report on their botnet analysis, including some numbers on spambot capabilities. So just a day after a botnet research lab reports on their spambot findings, we see a sudden shitstorm hitting our filters. Coincidence? I don't think so.
It's nothing new that there are several botnets scouring the Internet for poorly protected SSH servers. Their members are mostly compromized hosts, such as home computers hijacked with trojans and worms. Some "real" servers end up on these botnets as well. Sometimes hired for the purpose, sometimes cracked by the same backdoors as the home computers, or simply compromized via the services they run, usually vulnerable dynamic websites.
These botnets scan vast IP-address ranges trying to find hosts which are running SSH server software on the default port (tcp 22). When they find one, they start trying to log in using brute force. Usually the method of choice is to login as root and use a dictionary for guessing the password. Sometimes they try to login as other users, such as test, staff or use someones first name as the login.
|<< <||> >>|