Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks
From: Gary Baribault <gary () baribault net>
Date: Thu, 17 Jun 2010 08:44:39 -0400

I just knew that people would say that, and that's why I specified
that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
interesting to see new types of attacks. The question here is whether
anyone else is seeing such a targeted attack.

Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 08:28 AM, dink () mrhinkydink com wrote:

Have you ever considered obfuscated-openssh?

http://github.com/brl/obfuscated-openssh

I have a modified version of PuTTY available for it...

http://www.mrhinkydink.com/potty.htm

Still... you should change the freakin' port.

-------- Original Message -------- Subject: [Full-disclosure]
targetted SSH bruteforce attacks From: Gary Baribault
<gary () baribault net> Date: Thu, June 17, 2010 7:48 am To:
full-disclosure () lists grok org uk

Hello list,

I have a strange situation and would like information from the list
members. I have three Linux boxes exposed to the Internet. Two of
them are on cable modems, and both have two services that are
publicly available. In both cases, I have SSH and named running and
available to the public. Before you folks say it, yes I run SSH on
TCP/22 and no I don't want to move it to another port, and no I
don't want to restrict it to certain source IPs.

Both of these systems are within one /21 and get attacked
regularly. I run Denyhosts on them, and update the central server
once an hour with attacking IPs, and obviously also download the
public hosts.deny list.

These machines get hit regularly, so often that I don't really
care, it's fun to make the script kiddies waste their time! But in
this instance, only my home box is being attacked... someone is
burning a lot of cycles and hosts to do a distributed dictionary
attack on my one box! The named daemon is non recursive, properly
configured, up to date and not being attacked.

Is anyone else seeing this type of attack? Or is someone really
targeting MY box?

Thanks


Gary Baribault Courriel: gary () baribault net GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/

_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault