Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Any update on SSH brute force attempts?
From: Miriam Chan <miriamchan () geocities com>
Date: Sun, 24 Oct 2004 09:43:17 +0800

Jay Libove wrote:
Recently, a couple of times a week, I see repeats of this which now have
as many as fifty different accounts being attacked.  (Almost none of which
exist on my server, and none of which will have common passwords

By the way, I started to suspect that the attacks were intentional (not just
some games by some script kiddies.) I had some servers accepting SSH
connections from anywhere (this is for easy access, and I know it is not
a very good idea.)

Before I set up a Portsentry-like mechanism to block the bad hosts, I got at
least 5-6 attempts per day. Afterward, I got nearly none (just some 1-2
attempts a day.) The change looks simply too much for me. If I got some
number of attacks a day, I would expect the same number of attacks the next
day if the attackes were automatically done by some virus/worms. I wished that
it was done by some virus, because (I think) a virus is not more malicious
than a planned cracking behaviour.

Do anyone have the same observations as me ? It should be great if you saw
it and shared your ideas.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]