Security Basics mailing list archives

RE: Brute force attacks


From: "Scott Dickinson" <whip () netspace net au>
Date: Sat, 2 Jun 2007 14:40:53 +1000

Setting up port knocking can help reduce brute force attempts too. Anyone
who gets through port knocking should then have DenyHosts or similar to drop
some more off.

At the end of the day, denying direct root logon, and secure passwords are
the only real defence. 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of krymson () gmail com
Sent: Friday, 1 June 2007 4:55 AM
To: security-basics () securityfocus com
Subject: Re: Brute force attacks

Welcome to the Internet! :)

Seriously, my open SSH ports get minimal brute force attacks daily,
typically anywhere from 2 attempts to a couple thousand. Watch these long
enough and you can see that while they come randomly and from different IPs,
the same battery of username/password combinations tends to get used.

In other words, you may be experiencing normal random junk from automated
scanning systems from the Internet. 

And there is not much you can do about it.

You could block their IPs on your border, but be careful what you block in
case you have business that comes from there.

My best practice is to just be aware of it and block if it starts to impact
services/bandwidth or just block if you know you can safely do that. Keep
those services hardened and accounts safely limited and protected with
complex, regularly rotated passwords.


<- snip ->
Hi List,

I've been experiencing brute force dictionary attacks from various sources
against my gateway. The attacker is trying all kinds of username/password
combinations to get in.

I have traced the source IP addresses on internet authorities such as RIPE,
ARIN & APNIC; the feedback I get is that "Country is really world wide". I
then traced the IPs using VisualRoute, and saw that their locations vary
widely; some of them are in the US, some in China, others in Poland...

What are my options in such a case? Have you ever experienced such
behavior? And what are the best practices that apply?

Thank you,

-Mohamad.
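
Added example, not part of the original thread: a small log summarizer for the pattern described above, where failed SSH logins arrive from many unrelated IPs but reuse the same list of usernames. It assumes OpenSSH's usual "Failed password for ... from ... port ..." syslog lines; the sample log, host name and addresses are constructed, and since sshd does not log attempted passwords only usernames are compared.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (not from the thread).
SAMPLE_LOG = """\
Jun  1 03:12:01 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jun  1 03:12:04 gw sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 40115 ssh2
Jun  1 03:12:07 gw sshd[2103]: Failed password for root from 192.0.2.10 port 40120 ssh2
Jun  1 09:40:11 gw sshd[2300]: Failed password for invalid user admin from 198.51.100.7 port 51200 ssh2
Jun  1 09:40:15 gw sshd[2300]: Failed password for invalid user test from 198.51.100.7 port 51204 ssh2
Jun  1 09:40:19 gw sshd[2302]: Failed password for root from 198.51.100.7 port 51209 ssh2
Jun  1 11:05:30 gw sshd[2410]: Failed password for alice from 203.0.113.5 port 60001 ssh2
Jun  1 11:05:41 gw sshd[2410]: Accepted password for alice from 203.0.113.5 port 60001 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user x".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def summarize(log_text, min_sources=2):
    """Return (failed attempts per IP, usernames tried from >= min_sources IPs)."""
    per_ip = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        user, ip = m.groups()
        per_ip[ip] += 1
        sources[user].add(ip)
    # A username seen from several unrelated IPs points at a shared wordlist,
    # i.e. background scanning rather than someone targeting one account.
    shared = {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}
    return dict(per_ip), shared

if __name__ == "__main__":
    per_ip, shared = summarize(SAMPLE_LOG)
    for ip, n in sorted(per_ip.items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} {n} failed attempts")
    for user, ips in sorted(shared.items()):
        print(f"username {user!r} tried from {len(ips)} sources: {', '.join(ips)}")
```

A single mistyped password by a real user (alice in the sample) shows up in the per-IP counts but not in the shared-username set, which is what separates it from the scanner traffic.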
