All of this probing is what Cheswick & Bellovin called knob-twisting. Back when they wrote the first edition of Firewalls and Internet Security2 attackers were humans trolling for easy targets. Today they're attack scripts executed by humans trolling for easy targets. They don't represent a concerted all-out attempt to crack the servers, but merely twisting the servers' electronic door knobs to see if any of them are unlocked.
In the month to now, alpha has gotten 33 bogus ftp connection attempts (mere noise) and 2,210 bogus ssh (secure shell) connection attempts. The footprints of an attack script (and the same attack script, executed from several different hosts) are clearly evident in the log. The script tries a litany of common names hoping to find one where the account actually exists on the machine and there is no password assigned.3 Beta has like numbers in its logs, and one of the external hosts I administer at work tells a similar tale as well.
Following the rule "if it isn't turned on, it can't be attacked," alpha and beta don't run any un-needed processes. That's why the attacks appear to concentrate on ssh; there isn't much else to attack. The scriptkiddies running the attacks are looking for an account with no password, not trying some complicated buffer overflow. So, there are no footprints showing attacks on sendmail, or bind. And, a quick look through the web server (Apache) logs shows only a couple of attempted attacks (aimed at Microsoft's IIS). All good news, for now.
The boxes have only been online for about six weeks -- I expect that more serious challenges to their security will be forthcoming. In a sense, it's only a matter of time. Time until some script kiddy comes along with an attack script that is looking for some vulnerability that alpha and beta have that I have not yet patched. Depending on how serious the vulnerability is, the consequences could range from defacement of the web sites hosted on those boxes, to their being owned by someone exploiting a serious breach. Till then, we watch, we patch, and we wait.
1 Building Bastion Hosts With HP-UX 11, even though it's for HP-UX, is an excellent resource for learning the methods and mindset required to construct an iron-clad server.
2 While the first edition is dated, it's freely available on-line and is still an excellent (and short) read on how firewalls work and how attacks are made over the 'net.
3 One recent attack run tried "jordan, michael, nicole, daniel, andrew, magic, lion, david, jason, carmen, justin, charlie, steven, brandon, brian, stephen, william, angel, emily, eric, joe, tom, billy, buddy, jeremy, vampire, betty, max, nicholas, robin, johnny, lucy, maria, rose, mail, god, barbara, larisa, jane..." It ran through ninety names in all over the course of four minutes and fifty one seconds.
