Security Incidents: Re: Distributed Bruteforce against SSH

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Distributed Bruteforce against SSH

From: "Tim Kennedy" <tim () timkennedy net>
Date: Mon, 12 May 2008 15:53:56 -0400

On Mon, May 12, 2008 at 2:01 PM, Keith T. Morgan
<keith.morgan () terradon com> wrote:

I wanted to follow up on this after putting a little more thought into it.  Honestly, I'm quite impressed by the 
intelligence the botnet is exhibiting.  Based on the testing I've done, it's clear that the entire botnet is 
collectively sharing its position in the dictionary on a per-target basis.  Fairly slick, IMO.


Agreed.

If you're concerned, start requiring ssh-keys for authentication.  If
you use RedHat (or derivatives thereof) and have the pam_succeed_if
PAM module available, you can at the very least make sure that any
non-authorized user accounts (even if they actually exist, and have a
password) can't log in via ssh.    Like users who only get email
privileges, or who only have ftp privs to update a website.

Mitigation is the name of the game, since the botnets tend to span
large areas of the IP space, blocking entire networks risks making
your servers/services unusable.

-Tim

By Date By Thread

Current thread:

Distributed Bruteforce against SSH Gary Baribault (May 12)
- RE: Distributed Bruteforce against SSH Keith T. Morgan (May 12)
- RE: Distributed Bruteforce against SSH Keith T. Morgan (May 12)
  - Re: Distributed Bruteforce against SSH Tim Kennedy (May 12)
- Message not available
  - Re: Distributed Bruteforce against SSH Gary Baribault (May 12)