Full Disclosure mailing list archives
Re: targetted SSH bruteforce attacks
From: Cody Robertson <cody () hawkhost com>
Date: Wed, 23 Jun 2010 12:51:41 -0400
On 6/23/10 12:38 PM, Gary Baribault wrote:
In this attack, there's no need to throttle, the attacking computers hit it once every 15 seconds or so from many different sources. My denyhosts is not blocking 99.999% of the attempts. Gary Baribault Courriel: gary () baribault net GPG Key: 0x685430d1 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 06/23/2010 12:33 PM, Cody Robertson wrote:On 6/23/10 4:22 AM, yersinia wrote:On Thu, Jun 17, 2010 at 4:21 PM, Samuel Martín Moro <faust64 () gmail com>wrote:I also don't want to change my ssh port, nor restrict incoming IPs, ... and I use keys only to log in without entering password. So you're not alone. I had my IP changed several times, my servers are only hosting personal data. But I'm still seeing bruteforce attemps in my logs. Here's something I use on my servers. In cron, every 5-10 minutes, that should do it. Of course, if you're running *BSD, pf is way more interesting to do that. Perhaps could be better to use something standard as fail2banhttp://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/If you have iptables it has ways you can do this throttle too many connections within a specified period. I much prefer using something such as this over third party software. I'm sure you can do this in PF however I'm not familiar with it enough to be certain (I'd be surprised if you couldn't however). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
It tends to vary for my machines however it still catches quite a bit of throttling. Regardless it was just a recommendation to avoid using third party software for something so trivial. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: targetted SSH bruteforce attacks, (continued)
- Re: targetted SSH bruteforce attacks Valdis . Kletnieks (Jun 17)
- Re: targetted SSH bruteforce attacks Michael Holstein (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Bipin Gautam (Jun 17)
- Re: targetted SSH bruteforce attacks Gregory Bellier (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Samuel Martín Moro (Jun 17)
- Re: targetted SSH bruteforce attacks yersinia (Jun 23)
- Re: targetted SSH bruteforce attacks Cody Robertson (Jun 23)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 23)
- Re: targetted SSH bruteforce attacks Cody Robertson (Jun 23)
- Re: targetted SSH bruteforce attacks Paul Schmehl (Jun 17)
- Re: targetted SSH bruteforce attacks John Jacobs (Jun 17)
- Re: targetted SSH bruteforce attacks Xin LI (Jun 17)
- Re: targetted SSH bruteforce attacks Valdis . Kletnieks (Jun 18)
- Re: targetted SSH bruteforce attacks Marsh Ray (Jun 21)
- Message not available
- Re: targetted SSH bruteforce attacks Marc Olive (Jun 22)
- Re: targetted SSH bruteforce attacks bugs (Jun 26)
- Re: targetted SSH bruteforce attacks Sebastian Rother (Jun 17)