Educause Security Discussion mailing list archives
Re: Ongoing distributed Linux SSH dictionary attack
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Sat, 18 Apr 2009 05:44:00 +1200
On 18/04/2009, at 1:05 AM, Michael Horne wrote:
> We have been seeing that type of attack for some time now and decided to implement an older program called SSHDFilter. I believe this is the one we are using currently: http://www.csc.liv.ac.uk/~greg/sshdfilter/ Works with sshd and, after X number of failed attempts, it drops the source IP address into a drop list in iptables, then clears them out after a set time period so as not to clutter up the iptables rules. Your mileage may vary, but it has worked well for us for some time now. May take some tweaking for your environment.
I have been encouraging folk here to use such tools for a long time; however, for the current attacks we have been seeing over the last 10 days or so, with lots of sources, we are not seeing anywhere near as many probes per source. Sometimes as few as 10, but there are on the order of 500 systems hitting us over a period of a few hours. I suspect this technique is specifically designed to defeat such tools.

Russell
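The exchange above contrasts a per-source threshold (sshdfilter-style: N failures from one address, then a temporary iptables drop) with a distributed campaign in which each of many sources stays below that threshold. The following Python is an added illustration, not code from the thread, from sshdfilter, or from either poster. It parses OpenSSH-style "Failed password" lines from a constructed sample log, applies a per-source rule, and then applies an aggregate rule that looks for many distinct low-rate sources converging on the same accounts. The thresholds (5 failures per source, 10 distinct sources) and the sample addresses are assumptions chosen for the demonstration.

```python
import re
from collections import Counter

# Matches OpenSSH auth-log failures such as:
#   Apr 17 03:10:00 gw sshd[401]: Failed password for invalid user admin from 203.0.113.1 port 4010 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(lines):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("ip")))
    return events


def per_source_blocks(events, threshold=5):
    """sshdfilter-style rule: any source with >= threshold failures gets dropped.
    A source that stays below the threshold is never blocked by this rule."""
    per_ip = Counter(ip for _, _, ip in events)
    return {ip for ip, n in per_ip.items() if n >= threshold}


def distributed_campaign(events, min_sources=10, per_source_max=5):
    """Aggregate rule for the pattern Russell describes: many distinct sources,
    each below the per-source threshold, hammering the same small set of accounts.
    Returns a summary dict when the pattern is present, otherwise None."""
    per_ip = Counter(ip for _, _, ip in events)
    low_and_slow = {ip for ip, n in per_ip.items() if n < per_source_max}
    if len(low_and_slow) < min_sources:
        return None
    accounts = Counter(user for _, user, ip in events if ip in low_and_slow)
    return {
        "sources": len(low_and_slow),
        "attempts": sum(per_ip[ip] for ip in low_and_slow),
        "top_accounts": accounts.most_common(3),
    }


def sample_log():
    """Constructed auth-log excerpt (not real traffic). Addresses are from the
    documentation ranges (TEST-NET-2/3)."""
    lines = []
    # One noisy source with 8 failures: caught by the per-source rule.
    for i in range(8):
        lines.append(
            f"Apr 17 03:1{i}:00 gw sshd[40{i}]: Failed password for root "
            f"from 198.51.100.7 port 5{i}000 ssh2"
        )
    # Twelve distributed sources with 2 failures each: every one stays under
    # the per-source threshold, so only the aggregate rule notices them.
    for k in range(12):
        for j in range(2):
            lines.append(
                f"Apr 17 03:2{j}:{k:02d} gw sshd[5{k:02d}]: Failed password for "
                f"invalid user admin from 203.0.113.{k + 1} port 4{k:02d}0 ssh2"
            )
    # A legitimate login that the failure regex must ignore.
    lines.append("Apr 17 03:30:00 gw sshd[600]: Accepted publickey for alice from 192.0.2.9 port 1234 ssh2")
    return lines


if __name__ == "__main__":
    events = parse_failures(sample_log())
    print("per-source blocks:", sorted(per_source_blocks(events)))
    print("distributed campaign:", distributed_campaign(events))
```

On the sample, the per-source rule blocks only 198.51.100.7 and leaves all twelve low-rate sources untouched, while the aggregate rule reports 12 sources and 24 attempts concentrated on the "admin" account. In practice the aggregate check would run over a sliding time window (the thread mentions a few hours) and feed an alert rather than an automatic block, since blocking hundreds of addresses individually is exactly what the distributed pattern is meant to make impractical.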