mailing list archives
Re: targetted SSH bruteforce attacks
From: Gary Baribault <gary () baribault net>
Date: Thu, 17 Jun 2010 11:23:26 -0400
Looks like what I'm seeing, most source IPs don't repeat, and they are
sharing a dictionary. I have Denyhosts running and since last night
20:38 have only denied about 60 addresses. My denyhost config bans a
host that misses twice!
The attacks are from all around the world, I've seen reverse lookups
from .fr .tw .jp .com .net everything ..
I've attached an excerpt from my /var/log/messages and you can see
that the attacks are not that fast and there is a surprisingly short
list of denied hosts at the end of the file. I could change my
denyhosts to deny IPs after only one fail, but then I risk locking
myself out by accident.
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
On 06/17/2010 10:42 AM, Frank Bures wrote:
Gary Baribault wrote:
I just knew that people would say that, and that's why I specified
that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
interesting to see new types of attacks. The question here is whether
anyone else is seeing such a targeted attack.
I've seen an interesting SSH attack in the last couple of days on our /22
network. Instead of probing port 22 on many machines in the shortest
possible time period as usual, this attack seems to be trying to be
stealthy. It never attacks more than 4 machines in an hour and never twice
from the same IP address. As all attacking addresses are subsequently
blocked, I wonder how long is it going to take for the guy(s) to run out of
available addresses at this rate :-)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/