Distributed SSH attack

Greg Larkin glarkin at FreeBSD.org
Fri Oct 2 21:38:15 UTC 2009

Hash: SHA1

Jeremy Lea wrote:
> Hi,
> This is off topic to this list, but I dont want to subscribe to -chat
> just to post there...  Someone is currently running a distributed SSH
> attack against one of my boxes - one attempted login for root every
> minute or so for the last 48 hours.  They wont get anywhere, since the
> box in question has no root password, and doesn't allow root logins via
> SSH anyway...
> But I was wondering if there were any security researchers out there
> that might be interested in the +-800 IPs I've collected from the
> botnet?  The resolvable hostnames mostly appear to be in Eastern Europe
> and South America - I haven't spotted any that might be 'findable' to
> get the botnet software.
> I could switch out the machine for a honeypot in a VM or a jail, by
> moving the host to a new IP, and if you can think of a way of allowing
> the next login to succeed with any password, then you could try to see
> what they delivered...  But I don't have a lot of time to help.
> Regards,
>   -Jeremy

Hi Jeremy,

You could set up DenyHosts and contribute to the pool of IPs that are
attempting SSH logins on the Net:

It also looks like there's been quite a spike of SSH login activity
recently: http://stats.denyhosts.net/stats.html

Hope that helps,
- --
Greg Larkin

http://www.FreeBSD.org/           - The Power To Serve
http://www.sourcehosting.net/     - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the freebsd-hackers mailing list