Educause Security Discussion mailing list archives

Re: Ongoing distributed Linux SSH dictionary attack


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Sat, 18 Apr 2009 05:44:00 +1200

On 18/04/2009, at 1:05 AM, Michael Horne wrote:

We have been seeing that type of attack for some time now and
decided to implement an older program called SSHDFilter.

I believe this is the one we are using currently.

http://www.csc.liv.ac.uk/~greg/sshdfilter/

Works with sshd, and after X failed attempts it drops the source IP address
into a drop list in iptables, then clears them out after a set time period
so as not to clutter up the iptables rules.


Your mileage may vary but it has worked well for us for some time now.

May take some tweaking for your environment.

I have been encouraging folk here to use such tools for a long time;
however, for the current attacks we have been seeing over the last 10
days or so, with lots of sources, we are not seeing anywhere near as many
probes per source.  Sometimes as few as 10, but there are on the order of
500 systems hitting us over a period of a few hours.  I suspect this
technique is specifically designed to defeat such tools.

Russell
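The two messages above describe a per-source threshold (sshdfilter blocks an address once it alone racks up X failures) and the campaign shape that slips under it (hundreds of sources, roughly ten guesses each). The following is an added example, not code from the thread or from sshdfilter: it parses sshd "Failed password" lines in the default syslog format, applies a per-source rule of the kind sshdfilter uses, and then runs an aggregate rule over the sources that survive it, counting distinct failing addresses in a sliding window. The log lines, the host name `bastion`, the thresholds (5 failures per source, 50 distinct sources per hour) and the TEST-NET addresses are all constructed for the example.

```python
"""Per-source blocking vs. a distributed SSH dictionary attack (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Default OpenSSH/syslog line: "Apr 17 09:00:00 host sshd[pid]: Failed password for ..."
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2009):
    """Return (timestamp, source_ip, username) for each failed-password line.
    syslog omits the year, so the caller supplies it."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def per_source_blocks(events, threshold=5):
    """sshdfilter-style rule: a source is blocked once it alone reaches `threshold`."""
    counts = Counter(ip for _, ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_campaign(events, window=timedelta(hours=1), min_sources=50):
    """Aggregate rule the per-source filter lacks: flag the first window in which
    the number of *distinct* failing sources reaches `min_sources`, however few
    attempts each makes. Returns a summary dict, or None if nothing qualifies."""
    events = sorted(events)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        span = events[start:end + 1]
        sources = Counter(ip for _, ip, _ in span)
        if len(sources) >= min_sources:
            return {
                "window_start": span[0][0],
                "distinct_sources": len(sources),
                "total_failures": len(span),
                "max_per_source": max(sources.values()),
                "top_users": [u for u, _ in Counter(u for _, _, u in span).most_common(3)],
            }
    return None


def build_sample_log():
    """Constructed log: one noisy single-source scan (12 guesses in a minute) plus a
    low-and-slow campaign of 120 hosts making 3 guesses each over two hours."""
    base = datetime(2009, 4, 17, 9, 0, 0)

    def fmt(ts, user, ip, pid):
        prefix = "" if user == "root" else "invalid user "
        return (f"{ts.strftime('%b %d %H:%M:%S')} bastion sshd[{pid}]: "
                f"Failed password for {prefix}{user} from {ip} port 4022 ssh2")

    lines = [fmt(base + timedelta(seconds=5 * i), "admin", "198.51.100.9", 2000 + i)
             for i in range(12)]
    for host in range(120):
        for j in range(3):
            lines.append(fmt(base + timedelta(minutes=host, seconds=20 * j),
                             "root", f"203.0.113.{host + 1}", 3000 + host))
    return lines


def analyse(lines):
    """Run the per-source rule first, then the aggregate rule over what it missed."""
    events = parse_failures(lines)
    blocked = per_source_blocks(events)
    remaining = [e for e in events if e[1] not in blocked]
    return {"blocked": blocked, "campaign": distributed_campaign(remaining)}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    print("blocked per-source:", result["blocked"])
    print("distributed campaign:", result["campaign"])
```

On the constructed log the per-source rule catches only the noisy scanner; every campaign host stays at three failures, well under the threshold, yet the aggregate rule fires as soon as fifty distinct addresses fail within the hour. Which usernames dominate the window is reported because a shared dictionary run against `root` across many sources is the tell that distinguishes a coordinated campaign from unrelated background noise.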
