Security Incidents mailing list archives
Re: SSH probe attack afoot?
From: "j () 65535 com" <j () 65535 com>
Date: Tue, 08 Feb 2005 17:25:43 +0000
Stephen Warren wrote:
> On 6 Feb 2005, at 15:09, Bernie Cosell wrote:
>> We're now getting hammered with the third round of ssh probes in the last four days [one from CA, one from Brazil and one from Virginia]. I was wondering: is there some virus or the like floating around now that leaves an ssh-hammering zombie in its wake? Or is it just coincidental that we have gotten three floods?
>
> I got fed up with seeing this kind of thing in my logs. So, I switched SSH to a non-default port, and it all went away :-)
>
> Sometimes, security through obscurity is very useful. Now at least I have a small SSHD logfile, so I'll pay more attention to it if something shows up in it.
>
> Of course, depending on your user-base, you might have to spend a lot of time on user-education after this change.

I found that all these bruteforce ssh attacks used something called "libssh" and quite clearly identify themselves as libssh when they connect and handshake..
I made a simple little patch for sshd which detects certain client strings like this, and drops the connection.. It also logs legitimate connections, so I can still see the attempts but they have no chance of success, and syslog will cut them down to "last message repeated 50 times" etc..
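
The check described in the message above, as an added example that is not the poster's patch and not OpenSSH code: a stand-alone C routine that parses the client identification line (RFC 4253, `SSH-protoversion-softwareversion SP comments CR LF`) and decides whether to drop the connection. The function names, the denylist array and the sample banners are assumptions made for illustration; only the string "libssh" comes from the post.

```c
#include <stdio.h>
#include <string.h>

/* Denylist of softwareversion prefixes. "libssh" is the string named in the
 * post; the list itself and all function names are hypothetical. */
static const char *const denied_prefixes[] = { "libssh", NULL };

/* Copy the softwareversion field out of an RFC 4253 identification line.
 * Returns 0 on success, -1 if the line is malformed or too long. */
int ssh_software_version(const char *line, char *out, size_t outlen)
{
    if (strncmp(line, "SSH-", 4) != 0)
        return -1;
    const char *proto = line + 4;
    size_t p = strcspn(proto, "- \r\n");   /* protoversion ends at first '-' */
    if (p == 0 || proto[p] != '-')
        return -1;                         /* empty or unterminated protoversion */
    const char *sw = proto + p + 1;
    size_t n = strcspn(sw, " \r\n");       /* stop before comments or CR LF */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, sw, n);
    out[n] = '\0';
    return 0;
}

/* 1 = close the connection before authentication, 0 = carry on. */
int should_drop_client(const char *line)
{
    char sw[256];                          /* RFC 4253 caps the line at 255 bytes */
    if (ssh_software_version(line, sw, sizeof sw) != 0)
        return 1;                          /* not a valid SSH banner: drop it */
    for (size_t i = 0; denied_prefixes[i] != NULL; i++)
        if (strncmp(sw, denied_prefixes[i], strlen(denied_prefixes[i])) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample banners, not captured traffic. */
    const char *samples[] = { "SSH-2.0-libssh-0.1\r\n", "SSH-2.0-OpenSSH_3.9p1\r\n",
                              "SSH-1.99-ExampleClient_1.0 test build\r\n", "GET / HTTP/1.0\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s %.*s\n", should_drop_client(samples[i]) ? "drop" : "accept",
               (int)strcspn(samples[i], "\r\n"), samples[i]);
    return 0;
}
```

The identification line is supplied by the client, so a check like this only filters tools that announce themselves unmodified; it reduces log noise and does not replace strong authentication settings.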