Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Any update on SSH brute force attempts?
From: Jay Libove <libove () felines org>
Date: Sun, 24 Oct 2004 18:11:04 -0400 (EDT)


Hi Miriam -

I have not attempted any type of automated blocking, as the attack profile
appears to not present a threat to systems with reasonably good passwords.
(I'm being a little lax about this, I realize).

What I have seen, in terms of the sources, intensity, and frequency of the
attempts, matches what you reported - where the attempts come from varies
every time, the number of different accounts that each attempt goes after
varies greatly, and while I may see attempts from two different source IP
addresses on one night, it may then be several days before I see any other
attempts at all.

I therefore agree that it does not appear to be any kind of widespread
worm/virus, but instead manually launched.  I guess that the targeting
(what IP address[es] the attempts are made against) is random.

Thanks
-Jay

Message: 17
Date: Sun, 24 Oct 2004 09:43:17 +0800
From: Miriam Chan <miriamchan () geocities com>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Any update on SSH brute force attempts?

Jay Libove wrote:
Recently, a couple of times a week, I see repeats of this which now have
as many as fifty different accounts being attacked.  (Almost none of which
exist on my server, and none of which will have common passwords
thankyouverymuch).

By the way, I started to suspect that the attacks were intentional (not just
some games by some script kiddies.) I had some servers accepting SSH
connections from anywhere (this is for easy access, and I know it is not
a very good idea.)

Before I set up a Portsentry-like mechanism to block the bad hosts, I got at
least 5-6 attempts per day. Afterward, I got nearly none (just some 1-2
attempts a day.) The change looks simply too much for me. If I got some
number of attacks a day, I would expect the same number of attacks the next
day if the attackes were automatically done by some virus/worms. I wished that
it was done by some virus, because (I think) a virus is not more malicious
than a planned cracking behaviour.

Do anyone have the same observations as me ? It should be great if you saw
it and shared your ideas.

Miriam.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault