Monday, 5 September 2016

Distributed password guessing

Something new. Well, new to me, and I couldn't find mention of it with Google.

I noticed that there were a *lot* of password guessing attempts, all to the same place, but from a lot of different places. Someone is using a botnet, feeding it with a huge list of possible username/password pairs, and trying to guess passwords.

That's actually a very efficient way to guess passwords. Never mind about "password", "letmein" and "123456". Never mind about rainbow tables. A very likely password for someone to use is a password they used elsewhere. I imagine there are tons of free sites that ask you to sign up for kitten videos (so cute!) and choose a username and password. And they're harvesting these for password guessing attempts.

I already have a thing that blocks password guessing attempts, but it assumed that they came from the same IP address, which used to be the case.

So I wrote a little perl program that reads my log file and outputs a list of IP addresses that have been doing this. It turns out there are 152 of them, and I blocked them all using iptables. It's all automated now. My log files will be less full.
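The post does not reproduce the perl program, so here is an added Python sketch (my own, not the author's) of the two rules it describes: the old per-IP threshold that a botnet slips under, and the host-wide rule that catches the same campaign spread over many sources. It assumes the log is OpenSSH syslog output; the sample lines and the thresholds are constructed for illustration.

```python
"""Spot a distributed password-guessing campaign: many source IPs, only a few
failures each, all aimed at the same host. Log format is assumed to be
OpenSSH's syslog lines (the original post does not say what its log looks like)."""
import re
from collections import Counter

# Constructed sample log, not taken from the original post.
SAMPLE_LOG = """\
Sep  5 10:01:02 host sshd[1]: Failed password for invalid user admin from 203.0.113.10 port 4001 ssh2
Sep  5 10:01:05 host sshd[2]: Failed password for invalid user admin from 203.0.113.11 port 4002 ssh2
Sep  5 10:01:09 host sshd[3]: Failed password for root from 203.0.113.12 port 4003 ssh2
Sep  5 10:01:15 host sshd[4]: Failed password for invalid user test from 203.0.113.13 port 4004 ssh2
Sep  5 10:01:20 host sshd[5]: Failed password for invalid user admin from 203.0.113.10 port 4005 ssh2
Sep  5 10:02:30 host sshd[6]: Failed password for alice from 198.51.100.7 port 4006 ssh2
Sep  5 10:02:31 host sshd[7]: Accepted password for alice from 198.51.100.7 port 4006 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for \S+ from (\d+\.\d+\.\d+\.\d+)")

def parse_log(log_text):
    """Return (failed logins per source IP, set of IPs that also logged in successfully)."""
    failures, succeeded = Counter(), set()
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m.group(1)] += 1
        elif m := ACCEPTED_RE.search(line):
            succeeded.add(m.group(1))
    return failures, succeeded

def per_ip_offenders(failures, threshold=5):
    """The old rule: an IP is blocked only once it alone crosses the threshold.
    A botnet that spreads its guesses over hundreds of hosts never trips this."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)

def distributed_offenders(failures, succeeded, total=4, min_sources=3):
    """The new rule: if the host as a whole sees >= total failures coming from
    >= min_sources distinct IPs, every failing IP is treated as part of the
    campaign. IPs that also logged in successfully are skipped: that is a real
    user mistyping, and blocking them would lock out a legitimate account."""
    if sum(failures.values()) < total or len(failures) < min_sources:
        return []
    return sorted(ip for ip in failures if ip not in succeeded)

def iptables_rules(ips):
    """Render one DROP rule per IP for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    f, s = parse_log(SAMPLE_LOG)
    print("per-IP rule catches:", per_ip_offenders(f))
    print("host-wide rule catches:", distributed_offenders(f, s))
    print("\n".join(iptables_rules(distributed_offenders(f, s))))
```

On the sample log the per-IP rule finds nothing (no source has more than two failures), while the host-wide rule lists the four botnet addresses and leaves alice's address alone.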


  1. All I can say to this is to link to the following XKCD:

  2. Yes, password guessing from a harvested list is old stuff. But this is being done from a botnet of several hundred computers.