Distributed SSH attack
krad
kraduk at googlemail.com
Fri Apr 16 09:18:11 UTC 2010
On 16 April 2010 09:39, David Xu <davidxu at freebsd.org> wrote:
> Jeremy Lea wrote:
>
>> Hi,
>>
>> This is off topic to this list, but I dont want to subscribe to -chat
>> just to post there... Someone is currently running a distributed SSH
>> attack against one of my boxes - one attempted login for root every
>> minute or so for the last 48 hours. They wont get anywhere, since the
>> box in question has no root password, and doesn't allow root logins via
>> SSH anyway...
>>
>> But I was wondering if there were any security researchers out there
>> that might be interested in the +-800 IPs I've collected from the
>> botnet? The resolvable hostnames mostly appear to be in Eastern Europe
>> and South America - I haven't spotted any that might be 'findable' to
>> get the botnet software.
>>
>> I could switch out the machine for a honeypot in a VM or a jail, by
>> moving the host to a new IP, and if you can think of a way of allowing
>> the next login to succeed with any password, then you could try to see
>> what they delivered... But I don't have a lot of time to help.
>>
>> Regards,
>> -Jeremy
>>
>>
> Try to change SSH port to something other than default port 22,
> I always did this for my machines, e.g, change them to 13579 :-)
>
> Regards,
> David Xu
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
dont allow password auth, tcp wrap it, and acl it with pf. Probably more
stuff you can do. Think onions
More information about the freebsd-hackers
mailing list