Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks
From: Emmanuel VERCHERE <emmanuel.verchere () gmail com>
Date: Thu, 17 Jun 2010 14:45:06 +0200

Hi Gary,

SSH daemons using password auth exposed to the Internet _do_ get
bruteforce attempts. I would not recommend moving it to a different port
than 22 as that would be of very, _very_ little help - rather switch to
public key auth (plus SPA if you're paranoid), et voila.
I don't think there's someone out there craving for _your_ box - but
scripts running from compromised hosts, scanning for password-protected
SSH daemons (as well as a bunch of known exploitable webapps and
services), trying to reach out for 'fresh meat', and as such expand the
zombie net? Definitely ;)

Cheers.
 


On Thu, 17 Jun 2010 07:48:18 -0400
Gary Baribault <gary () baribault net> wrote:

Hello list,

    I have a strange situation and would like information from the
list members. I have three Linux boxes exposed to the Internet. Two of
them are on cable modems, and both have two services that are publicly
available. In both cases, I have SSH and named running and available
to the public. Before you folks say it, yes I run SSH on TCP/22 and no
I don't want to move it to another port, and no I don't want to
restrict it to certain source IPs.

    Both of these systems are within one /21 and get attacked
regularly. I run Denyhosts on them, and update the central server once
an hour with attacking IPs, and obviously also download the public
hosts.deny list.

    These machines get hit regularly, so often that I don't really
care, it's fun to make the script kiddies waste their time! But in
this instance, only my home box is being attacked... someone is
burning a lot of cycles and hosts to do a distributed dictionary
attack on my one box! The named daemon is non recursive, properly
configured, up to date and not being attacked.

    Is anyone else seeing this type of attack? Or is someone really
targeting MY box?

Thanks


Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-- 
__________________________________________________________
                     Emmanuel VERCHERE
            everchere <at> everchere <dot> com
       http://everchere.com/emmanuel.verchere.asc
   CF41 68A4 5C7F 6598 8F08  D04D BD55 EBD1 71E1 1339

Attachment: signature.asc
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]