Re: SSH probe attack afoot?

["j () 65535 com" <j () 65535 com>]

Stephen Warren wrote:
> > On 6 Feb 2005, at 15:09, Bernie Cosell wrote:
> >
> > > We're now getting hammered with the third round of ssh probes in the 
> > > last
> > > four days [one from CA, one from Brazil and one from Virginia].  I was
> > > wondering: is there some virus or the like floating around now that
> > > leaves an ssh-hammering zombie in its wake?  Or is it just coincidental
> > > that we have gotten three floods?
>
>
> I got fed up with seeing this kind of thing in my logs.
>
> So, I switched SSH to a non-default port, and it all went away:-)
>
> Sometimes, security through obscurity is very useful. Now at least I 
> have a small SSHD logfile, so I'll pay more attention to it if something 
> shows up in it.
>
> Of course, depending on your user-base, you might have to spend a lot of 
> time on user-education after this change.

I found that all these bruteforce ssh attacks used something called 
"libssh" and quite clearly identify themselves as libssh when they 
connect and handshake..

I made a simple little patch for sshd which detects certain client 
strings like this, and drops the connection.. It also logs legitimate 
connections, so i can still see the attempts but they have no chance of 
success, and syslog will cut them down to "last message repeated 50 
times" etc..