The list of IPs from China (& Indonesia, etc.) - that most are seeing on their page - making failed login attempts, looks like a botnet or automated brute-force on the GitHub authentication service. Hit enough usernames with a dictionary attack and they'll get some accounts. I assume that GH are doing some basic rate-limiting or 'fail2ban' style blacklisting on these attempts.<p>As anyone who's put an EC2 up without securing it knows, an automated SSH attempt at 'root' will be made within a few hours of it coming online.
A reply from Zach Holman on Twitter confirms that it's an automated attack that they are currently working on mitigating: <a href="https://twitter.com/holman/status/402720736650874880" rel="nofollow">https://twitter.com/holman/status/402720736650874880</a>
I would strongly suggest people enable two factor authentication:
<a href="https://github.com/settings/two_factor_authentication/configure" rel="nofollow">https://github.com/settings/two_factor_authentication/config...</a>
I just checked my account's security history, and there's been a failed login attempt every 7 hours for the past two days, all from different IP addresses.<p>It reminds me of the "Hail Mary Cloud" posted previously on HN - <a href="http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-lessons-learned.html" rel="nofollow">http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-le...</a>
Very strange; I just checked my security history and see that there have been 5 unsuccessful login attempts from China/Venezuela to my account (last 14 hours).
Everything before that is pretty clean and without fake logins.<p>Does anyone have more information on this?
I don't get it... this is my own security page which looks normal to me.<p>[edit] I see one failed login attempt from a Chinese IP like other people are saying. Maybe that is what OP meant to point out?
user.failed_login: Originated from <a href="http://ipinfo.io/190.203.225.87" rel="nofollow">http://ipinfo.io/190.203.225.87</a> 12 hours ago<p>user.failed_login: Originated from <a href="http://ipinfo.io/186.88.197.206" rel="nofollow">http://ipinfo.io/186.88.197.206</a> 18 hours ago<p>user.failed_login: Originated from <a href="http://ipinfo.io/182.253.48.4" rel="nofollow">http://ipinfo.io/182.253.48.4</a> a day ago<p>user.failed_login: Originated from <a href="http://ipinfo.io/94.134.190.4" rel="nofollow">http://ipinfo.io/94.134.190.4</a> a day ago<p>user.failed_login: Originated from <a href="http://ipinfo.io/186.94.244.213" rel="nofollow">http://ipinfo.io/186.94.244.213</a> 2 days ago<p>user.failed_login: Originated from <a href="http://ipinfo.io/109.122.92.52" rel="nofollow">http://ipinfo.io/109.122.92.52</a> 2 days ago
Not sure if it's related to what the OP meant, but I can see 5 failed login attempts from different IP addresses over the past 48 hours (and pretty much none before that).
Why does this page mean GitHub is experiencing security issues?<p>I didn't know this page existed. It's pretty handy, though I don't like how it shows failed logins. 6 attempts in the past 24 hours unnerves me. Probably trying my email and my use-all password from vBulletin or one of the numerous other sites which have been broken into.
It's showing a page of security history. That doesn't mean there is a problem with security.
It's just for the curious ones, or the paranoid ones, or those that surf around on suspicious networks or committed something last night and can't remember it at all.<p>It's just a reality check.<p># my $0.02
Hmm, 13 failed attempts for me as well. Glad I have the "Two-factor authentication" On just in case.<p><a href="https://github.com/blog/1614-two-factor-authentication" rel="nofollow">https://github.com/blog/1614-two-factor-authentication</a>
Same here<p><pre><code> 6 hours ago user.failed_login: Originated from 190.237.42.139
12 hours ago user.failed_login: Originated from 186.91.131.199
16 hours ago user.failed_login: Originated from 91.226.79.82
a day ago user.failed_login: Originated from 184.22.105.99
a day ago user.failed_login: Originated from 190.205.97.211
2 days ago user.failed_login: Originated from 189.43.19.210</code></pre>
Looks like some of the IPs are proxies: <a href="http://webcache.googleusercontent.com/search?q=cache:HIFaDGufvkcJ:venezuela-proxy.blogspot.com/2013/11/live-proxy-list-on-november04-2013.html&client=firefox-a&hl=en&gl=us&strip=1" rel="nofollow">http://webcache.googleusercontent.com/search?q=cache:HIFaDGu...</a>
Strangely, I use a unique email for GitHub, like I do with most sites that allow attaching "+comment" to the localpart of email addresses. Are attackers really this sophisticated, or where did they get the list?<p>Edit: Never mind, I guess GitHub allows authenticating with a username, in addition to the email.
I count five failed attempts within two days (190.39.254.6, 201.209.39.192, 85.152.192.118, 186.88.197.41, 190.200.20.207). Good to know the password - that I almost manage to forget - is strong enough.
Here are my logs from the last two days:<p>user.failed_login<p>actor_ip 186.93.156.104<p>created_at 2013-11-18 14:45:30<p>---<p>user.failed_login<p>actor_ip 180.183.84.109<p>created_at 2013-11-18 06:05:01<p>---<p>user.failed_login<p>actor_ip 41.79.65.109<p>created_at 2013-11-17 12:55:31<p>---<p>user.failed_login<p>actor_ip 186.93.79.118<p>created_at 2013-11-17 12:40:34
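Several comments above report one failed login every few hours, each from a different IP, while the first comment assumes 'fail2ban' style blocking. The following is an added example, not code from any commenter or from GitHub: it runs a per-IP ban rule and a per-account distinct-IP rule over constructed events to show that only the second notices this pattern. The function names, thresholds and sample events are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (account, source IP, timestamp). The IPs come from
# the RFC 5737 documentation ranges, not from the thread.
EVENTS = [
    ("alice", "192.0.2.10",    "2013-11-17 12:40:34"),
    ("alice", "198.51.100.7",  "2013-11-17 19:55:31"),
    ("alice", "203.0.113.44",  "2013-11-18 03:05:01"),
    ("alice", "192.0.2.99",    "2013-11-18 10:45:30"),
    ("alice", "198.51.100.23", "2013-11-18 17:50:12"),
    ("bob",   "203.0.113.5",   "2013-11-18 09:00:00"),
    ("bob",   "203.0.113.5",   "2013-11-18 09:00:20"),
    ("bob",   "203.0.113.5",   "2013-11-18 09:00:41"),
]

def parse(events):
    """Return (timestamp, account, ip) tuples in chronological order."""
    return sorted((datetime.strptime(ts, FMT), acct, ip) for acct, ip, ts in events)

def per_ip_bans(events, max_fails=3, window=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP with >= max_fails failures inside window."""
    recent, banned = defaultdict(list), set()
    for ts, _acct, ip in parse(events):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_fails:
            banned.add(ip)
    return banned

def distributed_targets(events, min_ips=4, window=timedelta(hours=48)):
    """Flag accounts with failures from >= min_ips distinct IPs inside window."""
    recent, flagged = defaultdict(list), set()
    for ts, acct, ip in parse(events):
        recent[acct] = [(t, i) for t, i in recent[acct] if ts - t <= window]
        recent[acct].append((ts, ip))
        if len({i for _t, i in recent[acct]}) >= min_ips:
            flagged.add(acct)
    return flagged

if __name__ == "__main__":
    print("per-IP bans:", per_ip_bans(EVENTS))
    print("accounts hit from many IPs:", distributed_targets(EVENTS))
```

The per-IP rule bans only the single noisy address; the slow, rotating attempts against the other account never trip it and show up only when failures are grouped by target account.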