Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks
From: Gary Baribault <gary () baribault net>
Date: Wed, 23 Jun 2010 12:38:05 -0400

In this attack, there's no need to throttle, the attacking computers hit
it once every 15 seconds or so from many different sources. My denyhosts
is not blocking 99.999% of the attempts.

Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/23/2010 12:33 PM, Cody Robertson wrote:
On 6/23/10 4:22 AM, yersinia wrote:
  
On Thu, Jun 17, 2010 at 4:21 PM, Samuel Martín Moro <faust64 () gmail com>wrote:

    
I also don't want to change my ssh port, nor restrict incoming IPs, ... and
I use keys only to log in without entering password.
So you're not alone.
I had my IP changed several times, my servers are only hosting personal
data.
But I'm still seeing bruteforce attemps in my logs.

Here's something I use on my servers.
In cron, every 5-10 minutes, that should do it.
Of course, if you're running *BSD, pf is way more interesting to do that.

Perhaps could be better to use something standard as fail2ban
      
http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/?




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    
If you have iptables it has ways you can do this throttle too many
connections within a specified period. I much prefer using something
such as this over third party software.

I'm sure you can do this in PF however I'm not familiar with it enough
to be certain (I'd be surprised if you couldn't however).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault