Distributed SSH attack

jhell jhell at DataIX.net
Fri Oct 2 23:47:46 UTC 2009




On Fri, 2 Oct 2009 17:17 -0000, glarkin wrote:

> 
> Jeremy Lea wrote:
> > Hi,
> > 
> > This is off topic to this list, but I don't want to subscribe to -chat
> > just to post there...  Someone is currently running a distributed SSH
> > attack against one of my boxes - one attempted login for root every
> > minute or so for the last 48 hours.  They won't get anywhere, since the
> > box in question has no root password, and doesn't allow root logins via
> > SSH anyway...
> > 
> > But I was wondering if there were any security researchers out there
> > that might be interested in the +-800 IPs I've collected from the
> > botnet?  The resolvable hostnames mostly appear to be in Eastern Europe
> > and South America - I haven't spotted any that might be 'findable' to
> > get the botnet software.
> > 
> > I could switch out the machine for a honeypot in a VM or a jail, by
> > moving the host to a new IP, and if you can think of a way of allowing
> > the next login to succeed with any password, then you could try to see
> > what they delivered...  But I don't have a lot of time to help.
> > 
> > Regards,
> >   -Jeremy
> > 
> 
> Hi Jeremy,
> 
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0
> 
> It also looks like there's been quite a spike of SSH login activity
> recently: http://stats.denyhosts.net/stats.html
> 
> Hope that helps,
> Greg
> --
> Greg Larkin
> 
> http://www.FreeBSD.org/           - The Power To Serve
> http://www.sourcehosting.net/     - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you
> 
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>

Another temporary to long-term solution might be the following utilities:
ports/security/sshguard-pf and ports/security/expiretable

This is more of a pf-based solution, so that's up to your policies and decision.

Thanks for the post about DenyHosts; I didn't know that existed till this
point.

Best regards.

-- 

%{----------------------------------------------------+
  | dataix.net!jhell         2048R/89D8547E 2009-09-30 |
  | BSD since FreeBSD 4.2    Linux since Slackware 2.1 |
  | 85EF E26B 07BB 3777 76BE  B12A 9057 8789 89D8 547E |
  +----------------------------------------------------%}
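The pattern Jeremy describes (one root attempt a minute, each from a different host) is what per-source counting alone struggles with: no single IP ever crosses a block threshold, which is why pooled lists like the DenyHosts synchronization Greg links to and aggregate counting per targeted account are the complementary view. The script below is an added example, not code from this thread, DenyHosts or sshguard; it parses constructed sshd log lines (placeholder hostname, documentation address ranges) and contrasts a per-IP threshold with an aggregate count of sources hitting one account:

```python
import re
from collections import Counter

# Constructed sshd log sample (not from the thread): six distinct sources each
# try "root" once about a minute apart, plus unrelated traffic. Hostname and
# addresses are placeholders from documentation ranges.
SAMPLE_LOG = """\
Oct  2 14:00:07 host sshd[8121]: Failed password for root from 198.51.100.14 port 41022 ssh2
Oct  2 14:01:12 host sshd[8130]: Failed password for root from 203.0.113.77 port 44321 ssh2
Oct  2 14:02:05 host sshd[8138]: Failed password for root from 198.51.100.201 port 51002 ssh2
Oct  2 14:02:30 host sshd[8141]: Failed password for invalid user admin from 192.0.2.99 port 39011 ssh2
Oct  2 14:03:09 host sshd[8144]: Failed password for root from 192.0.2.55 port 40118 ssh2
Oct  2 14:03:40 host sshd[8150]: Accepted publickey for jeremy from 192.0.2.10 port 50122 ssh2
Oct  2 14:04:11 host sshd[8157]: Failed password for root from 203.0.113.9 port 33810 ssh2
Oct  2 14:05:02 host sshd[8163]: Failed password for root from 198.51.100.88 port 60231 ssh2
"""

FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(log_text):
    """Return (user, ip) pairs for every failed-password line."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs

def per_ip_blocklist(failures, threshold=3):
    """Per-source counting, as DenyHosts and sshguard do: block an IP once it
    alone has failed `threshold` times; one try per botnet host never gets there."""
    counts = Counter(ip for _, ip in failures)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_campaign(failures, user="root", min_sources=5):
    """Aggregate by targeted account instead: many sources, few tries each, all
    aimed at one login is the low-and-slow pattern worth alerting on."""
    sources = Counter(ip for u, ip in failures if u == user)
    if len(sources) < min_sources:
        return None
    return {"user": user, "sources": len(sources),
            "attempts": sum(sources.values()),
            "max_per_source": max(sources.values())}

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(per_ip_blocklist(fails), distributed_campaign(fails))
```

On the sample the per-IP list stays empty while the aggregate view reports six sources against root with at most one attempt each.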

