Educause Security Discussion mailing list archives

Re: Ongoing distributed Linux SSH dictionary attack


From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Thu, 16 Apr 2009 19:22:47 -0500

Pete Hickey wrote:
> On Thu, Apr 16, 2009 at 04:15:00PM -0700, Andrew Daviel wrote:
>
>> FYI
>>
>> We are seeing a distributed-source SSH dictionary attack on multiple
>> machines. The sources appear to be running Linux according to P0F. This
>> blows past our "15 strikes sitewide and you are out" filter.
>
> We're seeing a large increase of ssh dictionary attacks this week.  Although
> it's coming from a number of different machines, I wouldn't call it a large
> enough number to consider it a distributed attack.


We've been seeing this pretty consistently for about 10 days although
the rate has fluctuated some.  I've seen about 1400 different source
addresses here.

--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373
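
Added example, not part of the original thread or any poster's code: a log check showing why a per-source "15 strikes" count misses a distributed dictionary attack, and how counting distinct low-rate sources and the usernames they share brings it out. The sshd "Failed password" line format, the MIN_SOURCES value, the function names and all sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

PER_SOURCE_LIMIT = 15  # the "15 strikes sitewide" threshold quoted in the thread
MIN_SOURCES = 5        # assumed: distinct low-rate sources needed to flag a distributed run

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def build_sample_log():
    """Constructed sshd lines: one noisy source plus eight low-rate sources."""
    line = (
        "Apr 16 19:00:{:02d} {} sshd[4242]: "
        "Failed password for {}{} from {} port 50022 ssh2"
    )
    rows = [line.format(i, "hostA", "", "root", "203.0.113.9") for i in range(16)]
    for n in range(1, 9):
        for j, user in enumerate(["root", "admin", "test"]):
            prefix = "" if user == "root" else "invalid user "
            rows.append(line.format(20 + j, "host" + "ABC"[j], prefix, user, f"198.51.100.{n}"))
    rows.append("Apr 16 19:01:00 hostA sshd[4242]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2")
    return "\n".join(rows)

def analyze(log_text, limit=PER_SOURCE_LIMIT, min_sources=MIN_SOURCES):
    """Compare per-source strike counts with the sitewide view of low-rate sources."""
    events = [m.groups() for m in map(FAILED.search, log_text.splitlines()) if m]
    per_source = Counter(src for _user, src in events)
    blocked = sorted(ip for ip, n in per_source.items() if n >= limit)
    quiet = {ip for ip, n in per_source.items() if n < limit}
    user_sources = defaultdict(set)  # username -> low-rate sources that tried it
    for user, src in events:
        if src in quiet:
            user_sources[user].add(src)
    quiet_failures = sum(per_source[ip] for ip in quiet)
    return {
        "blocked": blocked,                # caught by the per-source filter
        "quiet_sources": len(quiet),       # sources that stayed under the limit
        "quiet_failures": quiet_failures,  # failures the filter never acted on
        "shared_users": sorted(u for u, s in user_sources.items() if len(s) >= min_sources),
        "distributed": len(quiet) >= min_sources and quiet_failures >= limit,
    }

if __name__ == "__main__":
    print(analyze(build_sample_log()))
```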
