Re: Brute force attacks

[krymson () gmail com]

Welcome to the Internet! :)

Seriously, my open SSH ports get minimal brute force attacks daily, typically anywhere from 2 attempts to a couple 
thousand. Watch these long enough and you can see that while they come randomly and from different IPs, the same 
battery of username/password combinations tend to get used.

In other words, you may be experiencing normal random junk from automated scanning systems from the Internet. 

And there is not much you can do about it.

You could block their IPs on your border, but be careful what you block in case you have business that comes from there.

My best practice is to just be aware of it and block if it starts to impact services/bandwidth or just block if you 
know you can safely do that. Keep those services hardened and accounts safely limited and protected with complex, 
regularly rotated passwords.


<- snip ->
Hi List,

I've been experiencing brute force dictionary attacks from various
sources against my gateway. The attacker is trying all kinds of
username/password combinations to get in.

I have traced the source IP addresses on internet authorities such as
Ripe, Arin & Apnic; the feedback I get is that "Country is really world
wide". I then traced the IPs using visual route, and saw that their
locations vary widely; some of them are in the US, some in China, others
in Poland...

What are my options in such a case? Have you ever experienced such a
behavior? And what are the best practices that apply?

Thank you,

-Mohamad.