Security Incidents mailing list archives
Re: Weird SSH attack last night and this morning (still ongoing)
From: Gary Baribault <gary () baribault net>
Date: Wed, 07 May 2008 17:07:24 -0400
Yeah, but I'm a masochist, I run these servers for the fun of it and to see what's happening on the net. I see all of the background static and every now and again I see somehting fun like this!
Gary Baribault Courriel: gary () baribault net GPG Key: 0x4346F013 GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013 Darren Bolding wrote:
And, not to pretend that it adds any great additional security to any sort of attack, but running sshd on a non-standard port reduces the number of scans/attacks I see dramatically- to the point that I actually rarely see any connection attempts from anyone other than authorized users. It's simple, fast and doesn't require any packages installed or anything.But that may not be an option for all user communities. --DOn Wed, May 7, 2008 at 10:53 AM, Erin Carroll <amoeba () amoebazone com <mailto:amoeba () amoebazone com>> wrote:Gary, I am seeing the exact same traffic pattern & attempts as of ~10:20pm PST: Single attempts to remote root ssh from disparate IP's with few (if any) repeated source location. So now we have a sample size of 2 :) When I saw this hitting my servers last night I thought it an odd attack pattern but surmised it was either a targeted slow attack with spoofed IP's or a "slow roll" botnet using throttled connects to try flying under the radar for alerting. I was leaning toward the latter and even more so now that I see my organization isn't the only one. Just block root ssh and apply a source IP whitelist for valid non-root allows if you require remote ssh for day to day. I consider it bad security practice to allow remote root ssh anyway. People should use user accounts and a sane sudoers config instead. -- Erin Carroll Moderator, SecurityFocus pen-test mailing list amoeba () amoebazone com <mailto:amoeba () amoebazone com> "Do Not Taunt Happy-Fun Ball" -----Original Message----- From: Gary Baribault [mailto:gary () baribault net <mailto:gary () baribault net>] Sent: Wednesday, May 07, 2008 5:27 AM To: incidents () securityfocus com <mailto:incidents () securityfocus com> Subject: Weird SSH attack last night and this morning (still ongoing) I don't know what is going on last night and this morning ... I have three Linux servers facing the Internet, two on cable modems and another on a static IP/commercial connection and this last one is a gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system. I have DenyHosts installed on all three and have blocked about 75 attempts .. from known compromised adresses .. The log shows (obviously) that there where even more attempts from adresses that are unknown to DenyHosts but there was only one login attemps per adress and it was with the Root account .. which is obviously blocked in my sshd config .. Of the three machines, one of them only had about 10 attempts, but the other two had about 200 attempts .. all of them with only 1 try with the user Root .. Is any one else seing this? or am I being targeted? This is still going on now .. and it started arround 10:00 last night GMT+4 -- Gary Baribault Courriel: gary () baribault net <mailto:gary () baribault net> GPG Key: 0x4346F013 GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013 -- -- Darren Bolding ---- darren () bolding org <mailto:darren () bolding org> --
Current thread:
- Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Robert Taylor (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Robert Taylor (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Robert Taylor (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Blaine Fleming (May 07)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Bartholomew Mallio (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 14)
- Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 15)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 16)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 16)