Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks
From: Gary Baribault <gary () baribault net>
Date: Thu, 17 Jun 2010 08:47:00 -0400

My Denyhosts daemon is configured pretty much like that, but it uses
TCP Wrapper (hosts.deny) instead of the firewall and it uploads the
attacking IPs to a central server every hour for other Denyhosts users.

Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 06/17/2010 08:32 AM, Gregory Bellier wrote:
Hi !

Most of the time (to not say everytime), it's a bot and not a human
behind those attacks.
I configured my firewall to ban for a minute every IPs trying to log
in with 5 wrong attempts.
Once it's banned, the bot tries one or two more times and then give up.

It's pretty much effective.



2010/6/17 Gary Baribault <gary () baribault net
<mailto:gary () baribault net>>

    Hello list,

       I have a strange situation and would like information from the
    list members. I have three Linux boxes exposed to the Internet.
    Two of
    them are on cable modems, and both have two services that are
    publicly
    available. In both cases, I have SSH and named running and available
    to the public. Before you folks say it, yes I run SSH on TCP/22
    and no
    I don't want to move it to another port, and no I don't want to
    restrict it to certain source IPs.

       Both of these systems are within one /21 and get attacked
    regularly. I run Denyhosts on them, and update the central
    server once
    an hour with attacking IPs, and obviously also download the public
    hosts.deny list.

       These machines get hit regularly, so often that I don't really
    care, it's fun to make the script kiddies waste their time! But in
    this instance, only my home box is being attacked... someone is
    burning a lot of cycles and hosts to do a distributed dictionary
    attack on my one box! The named daemon is non recursive, properly
    configured, up to date and not being attacked.

       Is anyone else seeing this type of attack? Or is someone really
    targeting MY box?

    Thanks


    Gary Baribault
    Courriel: gary () baribault net <mailto:gary () baribault net>
    GPG Key: 0x685430d1
    Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]