Security Basics mailing list archives

Re: Reporting SSH abuse


From: Chris Lyon <cslyon () gmail com>
Date: Wed, 10 Mar 2010 16:07:18 -0800

On Tue, Mar 9, 2010 at 1:26 PM, James Bensley <jwbensley () gmail com> wrote:
> I find in these situations, who is it you should actually tell? In
> your case where the traffic is coming from a University I'm sure the
> Uni tech team would appreciate knowing but I have had it from some IP
> in Brazil, I never reported it because I couldn't think who would give
> a damn?


And to this point, it is probably a student with an infected laptop
running these attacks for all we know. I just ran a report against all
our open SSH servers and we had over 20 unique hosts within the last 2
hours, mostly from China and Colombia just hammering away at our
infrastructure. Luckily we are using denyhosts and we don't allow the
use of passwords, key based only. We do rarely see the same host
again, even after they have been unblocked.

You might want to look at denyhosts instead of Fail2ban, you can report
these up into a central server which is a little bit better for
management. FWIW.

You might also want to check this out too: http://www.sshbl.org/

and this

http://dogtown.mare-system.de/sshblacklist-signatures

There are snort rules for SSH brute force hosts, we also have our own
snort rules for SSH brute force attempts.

-Chris
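
Added example, not part of the original message and not code from denyhosts or Fail2ban: one way to produce the kind of report described above (unique hosts with failed SSH logins in the last 2 hours) from sshd syslog lines. The log sample, host names, addresses and the function name `recent_sources` are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in classic syslog/OpenSSH format (documentation address ranges).
SAMPLE_LOG = """\
Mar 10 12:01:10 gw sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 10 14:30:02 gw sshd[2290]: Invalid user admin from 198.51.100.7
Mar 10 14:30:09 gw sshd[2291]: Invalid user test from 198.51.100.7 port 51514
Mar 10 15:02:44 gw sshd[2307]: Failed password for invalid user oracle from 192.0.2.44 port 33810 ssh2
Mar 10 15:10:00 gw sshd[2310]: Invalid user x from 192.0.2.10 from 203.0.113.99 port 5000
Mar 10 15:40:00 gw sshd[2350]: Accepted publickey for chris from 192.0.2.10 port 50022 ssh2
Mar 10 15:59:59 gw sshd[2399]: Failed password for root from 2001:db8::bad port 4022 ssh2
"""

# The address is anchored to the END of the line: the user name is remote-supplied
# text, so a "from <addr>" inside it must never be read as the source (line 5 above).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Invalid user) .* from (?P<src>[0-9A-Fa-f:.]+)"
    r"(?: port \d+)?(?: ssh2)?$"
)

def recent_sources(log_text, now, window=timedelta(hours=2)):
    """Return Counter {source address: failed attempts} within `window` before `now`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        try:
            ts = datetime.strptime(f"{m['ts']} {now.year}", "%b %d %H:%M:%S %Y")
            if ts > now:  # syslog omits the year; a "future" stamp is last year's
                ts = ts.replace(year=now.year - 1)
        except ValueError:  # e.g. "Feb 29" paired with a non-leap year
            continue
        if now - window <= ts <= now:
            hits[m["src"]] += 1
    return hits

if __name__ == "__main__":
    report = recent_sources(SAMPLE_LOG, datetime(2010, 3, 10, 16, 0, 0))
    print(f"{len(report)} unique hosts in the last 2 hours")
    for src, n in report.most_common():
        print(f"{n:4d}  {src}")
```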
