Full Disclosure mailing list archives
Re: targetted SSH bruteforce attacks
From: Gary Baribault <gary () baribault net>
Date: Thu, 17 Jun 2010 11:23:26 -0400
Looks like what I'm seeing, most source IPs don't repeat, and they are sharing a dictionary. I have Denyhosts running and since last night 20:38 have only denied about 60 addresses. My denyhost config bans a host that misses twice! The attacks are from all around the world, I've seen reverse lookups from .fr .tw .jp .com .net everything .. I've attached an excerpt from my /var/log/messages and you can see that the attacks are not that fast and there is a surprisingly short list of denied hosts at the end of the file. I could change my denyhosts to deny IPs after only one fail, but then I risk locking myself out by accident. Gary Baribault Courriel: gary () baribault net GPG Key: 0x685430d1 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 06/17/2010 10:42 AM, Frank Bures wrote:
Gary Baribault wrote:I just knew that people would say that, and that's why I specified that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's interesting to see new types of attacks. The question here is whether anyone else is seeing such a targeted attack.I've seen an interesting SSH attack in the last couple of days on our /22 network. Instead of probing port 22 on many machines in the shortest possible time period as usual, this attack seems to be trying to be stealthy. It never attacks more than 4 machines in an hour and never twice from the same IP address. As all attacking addresses are subsequently blocked, I wonder how long is it going to take for the guy(s) to run out of available addresses at this rate :-) Cheers Frank
Attachment:
denyhosts.log
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: targetted SSH bruteforce attacks dink (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Benji (Jun 17)
- Re: targetted SSH bruteforce attacks Valdis . Kletnieks (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Benji (Jun 17)
- Re: targetted SSH bruteforce attacks Frank Bures (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- <Possible follow-ups>
- Re: targetted SSH bruteforce attacks dink (Jun 17)
- Re: targetted SSH bruteforce attacks Michael Holstein (Jun 17)
- Re: targetted SSH bruteforce attacks dink (Jun 17)
- Re: targetted SSH bruteforce attacks iRAQi BlackHat (Jun 17)
- Re: targetted SSH bruteforce attacks Bob Onformon (Jun 18)