Educause Security Discussion mailing list archives

Re: Ongoing distributed Linux SSH dictionary attack


From: Michael Horne <Michael.Horne () OLIN EDU>
Date: Fri, 17 Apr 2009 09:05:08 -0400

We have been seeing that type of attack for some time now and decided to implement an older program called SSHDFilter. 

I believe this is the one we are using currently.

http://www.csc.liv.ac.uk/~greg/sshdfilter/ 

Works with SSHD and after X number of failed attempts it drops the source IP address into a drop list in iptables, then 
clears them out after a set time period to not clutter up the iptables rules.


Your mileage may vary but it has worked well for us for some time now.

May take some tweaking for your environment.



Michael Horne
Network Engineer
Franklin W Olin College of Engineering
Olin Way Needham MA 02492
Phone  1-781-292-2438
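The fail-count-then-expire logic described above, as an added example that is not sshdfilter's own code: it parses constructed OpenSSH auth.log lines, decides which source addresses have crossed a failure threshold, and reports which blocks have aged out and can be removed. The threshold, block period and log lines are all assumptions; the iptables rule insertion itself is left out and would be driven by the returned dictionary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log format (not real data).
SAMPLE_LOG = """\
Apr 17 08:59:01 bastion sshd[2231]: Failed password for invalid user oracle from 198.51.100.7 port 51022 ssh2
Apr 17 08:59:03 bastion sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Apr 17 08:59:05 bastion sshd[2235]: Failed password for root from 198.51.100.7 port 51041 ssh2
Apr 17 08:59:07 bastion sshd[2238]: Failed password for invalid user test from 198.51.100.7 port 51050 ssh2
Apr 17 08:59:09 bastion sshd[2240]: Accepted publickey for mhorne from 203.0.113.5 port 40100 ssh2
Apr 17 09:10:30 bastion sshd[2301]: Failed password for invalid user backup from 192.0.2.9 port 33001 ssh2
Apr 17 09:10:32 bastion sshd[2303]: Failed password for invalid user www from 192.0.2.9 port 33009 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user X".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, source_ip) for each failed-password line.
    Syslog lines carry no year, so one is supplied (assumed 2009 here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def block_decisions(log_text, threshold=3, block_for=timedelta(minutes=10)):
    """Return {ip: expiry} for sources reaching `threshold` failures.
    Expiry is the triggering failure's time plus `block_for`, mirroring a
    filter that adds a DROP rule and clears it after a fixed period."""
    counts = defaultdict(int)
    blocked = {}
    for ts, ip in parse_failures(log_text):
        counts[ip] += 1
        if counts[ip] >= threshold and ip not in blocked:
            blocked[ip] = ts + block_for
    return blocked


def expired(blocked, now):
    """Sorted list of IPs whose block period has elapsed at `now`."""
    return sorted(ip for ip, exp in blocked.items() if exp <= now)
```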



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew 
Daviel
Sent: Friday, April 17, 2009 4:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Ongoing distributed Linux SSH dictionary attack

On Thu, 16 Apr 2009, Pete Hickey wrote:

> We're seeing a large increase of ssh dictionary attacks this week.  Although
> it's coming from a number of different machines, I wouldn't call it a large
> enough number to consider it a distributed attack.

Semantics :-)  Surely "distributed", but not "massively distributed".
We see about 480 attacking one machine. Most of them are listed in
http://danger.rulez.sk/projects/bruteforceblocker/blist.php

I managed to talk to an admin at one of the attacking hosts. He'd found 
an IRC-controlled scan tool that was installed via a vulnerability in the 
"roundcube" webmail program. So it's not a worm as I had conjectured 
(using its own exploit to spread exponentially), just someone targeting 
us with a smallish botnet.

Most of the SSH attacks I've seen have come from a single machine, and 
try some 100 passwords for "root". This one seems to be trying hundreds 
of different usernames - about 900 in A and B so far, with perhaps 10 
guesses each.

The scanner found at the one site is a thing called "dt_ssh5", which 
downloads target addresses from port 44321 on a configured server


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
