mailing list archives
Re: targetted SSH bruteforce attacks
From: Valdis.Kletnieks () vt edu
Date: Thu, 17 Jun 2010 10:15:15 -0400
On Thu, 17 Jun 2010 07:48:18 EDT, Gary Baribault said:
Both of these systems are within one /21 and get attacked
regularly. I run Denyhosts on them, and update the central server once
an hour with attacking IPs, and obviously also download the public
These machines get hit regularly, so often that I don't really
care, it's fun to make the script kiddies waste their time! But in
this instance, only my home box is being attacked... someone is
burning a lot of cycles and hosts to do a distributed dictionary
attack on my one box!
One of two things springs to mind:
1) when they scanned your address space looking for SSH hosts to try to
whack, your one host didn't report as a target for some random reason.
2) they're handling their list of targets in a pseudo-random order. We've
seen attacking IPs pound on 2 or 3 hosts in our /16 for a few days, then go
away, and 2-3 weeks later return to pound on other targets.
Bottom line: Either they didn't notice your other box, or they'll get around
to poking it in a few weeks...
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/