Educause Security Discussion mailing list archives
Re: Ongoing distributed Linux SSH dictionary attack
From: Michael Horne <Michael.Horne () OLIN EDU>
Date: Fri, 17 Apr 2009 09:05:08 -0400
We have been seeing that type of attack for some time now and decided to implement an older program called SSHDFilter. I believe this is the one we are using currently. http://www.csc.liv.ac.uk/~greg/sshdfilter/

Works with SSHD and after X number of failed attempts it drops the source IP address into a drop list in IPtables, then clears them out after a set time period to not clutter up the Iptables rules.

Your mileage may vary but it has worked well for us for some time now. May take some tweaking for your environment.

Michael Horne
Network Engineer
Franklin W Olin College of Engineering
Olin Way
Needham MA 02492
Phone 1-781-292-2438

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew Daviel
Sent: Friday, April 17, 2009 4:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Ongoing distributed Linux SSH dictionary attack

On Thu, 16 Apr 2009, Pete Hickey wrote:
We're seeing a large increase of ssh dictionary attacks this week. Although it's coming from a number of different machines, I wouldn't call it a large enough number to consider it a distributed attack.
Semantics :-) Surely "distributed", but not "massively distributed". We see about 480 attacking one machine. Most of them are listed in http://danger.rulez.sk/projects/bruteforceblocker/blist.php

I managed to talk to an admin at one of the attacking hosts. He'd found an IRC-controlled scan tool that was installed via a vulnerability in the "roundcube" webmail program. So it's not a worm as I had conjectured (using its own exploit to spread exponentially), just someone targeting us with a smallish botnet.

Most of the SSH attacks I've seen have come from a single machine, and try some 100 passwords for "root". This one seems to be trying hundreds of different usernames - about 900 in A and B so far, with perhaps 10 guesses each.

The scanner found at the one site is a thing called "dt_ssh5", which downloads target addresses from port 44321 on a configured server

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
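The threshold-then-expire behaviour Michael describes for SSHDFilter (block a source after X failed logins, lift the block after a set period so the iptables rules don't pile up), as an added illustration that is not part of the thread and not sshdfilter's own code: the class name, the threshold of 5, the one-hour ban, the assumed log year, and the sample auth-log lines are all constructed here, and the iptables commands are collected as strings rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Authentication failures as sshd logs them to the auth log (syslog format, no year).
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                     r"for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

class SshdFilter:
    # Hypothetical reimplementation of the sshdfilter idea: count failures per source,
    # block after `threshold`, and lift the block after `ban_seconds` so rules don't accumulate.
    def __init__(self, threshold=5, ban_seconds=3600):
        self.threshold, self.ban = threshold, timedelta(seconds=ban_seconds)
        self.failures = defaultdict(int)  # ip -> failed attempts since last block
        self.banned = {}                  # ip -> time the block expires
        self.commands = []                # iptables commands that would be executed

    def expire(self, now):
        # Drop blocks whose time is up, mirroring the periodic cleanup of the rule set.
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")

    def feed(self, line):
        # Process one log line; return the IP newly blocked because of it, else None.
        m = FAIL_RE.match(line)
        if not m:
            return None
        now = datetime.strptime("2009 " + m["ts"], "%Y %b %d %H:%M:%S")  # year assumed
        self.expire(now)
        ip = m["ip"]
        if ip in self.banned:
            return None
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold:
            return None
        self.failures[ip] = 0
        self.banned[ip] = now + self.ban
        self.commands.append(f"iptables -I INPUT -s {ip} -j DROP")
        return ip

# Constructed sample: five guesses in five minutes, then one more after the block has expired.
SAMPLE_LOG = [f"Apr 17 08:0{i}:00 host sshd[1234]: Failed password for invalid user u{i} "
              f"from 203.0.113.7 port 4000 ssh2" for i in range(5)]
SAMPLE_LOG.append("Apr 17 09:30:00 host sshd[1240]: Failed password for root from 203.0.113.7 port 4001 ssh2")

def run(lines, threshold=5, ban_seconds=3600):
    f = SshdFilter(threshold, ban_seconds)
    blocked = [ip for ip in (f.feed(l) for l in lines) if ip]
    return blocked, f.commands
```

Running `run(SAMPLE_LOG)` blocks 203.0.113.7 at the fifth failure and removes the rule again once the 09:30 line shows the hour has passed; a real deployment would pass the command strings to iptables instead of collecting them.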
Current thread:
- Ongoing distributed Linux SSH dictionary attack Andrew Daviel (Apr 16)
- <Possible follow-ups>
- Re: Ongoing distributed Linux SSH dictionary attack Pete Hickey (Apr 16)
- Re: Ongoing distributed Linux SSH dictionary attack Ken Connelly (Apr 16)
- Re: Ongoing distributed Linux SSH dictionary attack Andrew Daviel (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Michael Horne (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Kevin Wilcox (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Russell Fulton (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Daly, Douglas (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Andrew Daviel (Apr 18)
- Re: Ongoing distributed Linux SSH dictionary attack Andrew Daviel (Apr 18)