Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks
From: Valdis.Kletnieks () vt edu
Date: Thu, 17 Jun 2010 10:15:15 -0400

On Thu, 17 Jun 2010 07:48:18 EDT, Gary Baribault said:

    Both of these systems are within one /21 and get attacked
regularly. I run Denyhosts on them, and update the central server once
an hour with attacking IPs, and obviously also download the public
hosts.deny list.

    These machines get hit regularly, so often that I don't really
care, it's fun to make the script kiddies waste their time! But in
this instance, only my home box is being attacked... someone is
burning a lot of cycles and hosts to do a distributed dictionary
attack on my one box!

One of two things springs to mind:

1) when they scanned your address space looking for SSH hosts to try to
whack, your one host didn't report as a target for some random reason.

2) they're handling their list of targets in a pseudo-random order.  We've
seen attacking IPs pound on 2 or 3 hosts in our /16 for a few days, then go
away, and 2-3 weeks later return to pound on other targets.

Bottom line: Either they didn't notice your other box, or they'll get around
to poking it in a few weeks...

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]