Full Disclosure mailing list archives
Re: Any update on SSH brute force attempts?
From: Jay Libove <libove () felines org>
Date: Sun, 24 Oct 2004 18:11:04 -0400 (EDT)
Hi Miriam -

I have not attempted any type of automated blocking, as the attack profile appears to not present a threat to systems with reasonably good passwords. (I'm being a little lax about this, I realize).

What I have seen, in terms of the sources, intensity, and frequency of the attempts, matches what you reported - where the attempts come from varies every time, the number of different accounts that each attempt goes after varies greatly, and while I may see attempts from two different source IP addresses on one night, it may then be several days before I see any other attempts at all.

I therefore agree that it does not appear to be any kind of widespread worm/virus, but instead manually launched. I guess that the targeting (what IP address[es] the attempts are made against) is random.

Thanks
-Jay
Message: 17
Date: Sun, 24 Oct 2004 09:43:17 +0800
From: Miriam Chan <miriamchan () geocities com>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Any update on SSH brute force attempts?

Jay Libove wrote:
> Recently, a couple of times a week, I see repeats of this which now have as many as fifty different accounts being attacked. (Almost none of which exist on my server, and none of which will have common passwords thankyouverymuch).

By the way, I started to suspect that the attacks were intentional (not just some games by some script kiddies.) I had some servers accepting SSH connections from anywhere (this is for easy access, and I know it is not a very good idea.)

Before I set up a Portsentry-like mechanism to block the bad hosts, I got at least 5-6 attempts per day. Afterward, I got nearly none (just some 1-2 attempts a day.) The change looks simply too much for me. If I got some number of attacks a day, I would expect the same number of attacks the next day if the attacks were automatically done by some virus/worms.

I wished that it was done by some virus, because (I think) a virus is not more malicious than a planned cracking behaviour.

Does anyone have the same observations as me? It would be great if you saw it and shared your ideas.

Miriam.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
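The profile discussed in this message (varying sources, a varying number of accounts per source, and gaps of days between attempts) can be measured from sshd logs. The following is an added example, not part of the original posts; it assumes OpenSSH syslog lines of the form "Failed password for [invalid|illegal user] NAME from IP port N ssh2", and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Oct 20 02:11:04 host sshd[4101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Oct 20 02:11:06 host sshd[4103]: Failed password for illegal user guest from 192.0.2.10 port 40120 ssh2
Oct 20 02:11:09 host sshd[4105]: Failed password for root from 192.0.2.10 port 40131 ssh2
Oct 20 03:40:51 host sshd[4230]: Failed password for invalid user admin from 198.51.100.7 port 51514 ssh2
Oct 20 09:15:00 host sshd[4400]: Accepted password for jay from 203.0.113.5 port 50022 ssh2
Oct 24 01:02:33 host sshd[5120]: Failed password for root from 198.51.100.7 port 51900 ssh2
"""

# The user field is matched greedily and the pattern is anchored at the end
# of the line, so the address is read from the trailing part sshd writes.
FAILED = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>.*) from (?P<ip>\S+) "
    r"port \d+(?: \S+)?$"
)


def summarise(log_text):
    """Group failed logins by source: attempts, accounts tried, days seen."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "days": set()})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["accounts"].add(m["user"])
        entry["days"].add(" ".join(m["day"].split()))  # normalise "Oct  3"
    return dict(stats)


def report(stats):
    """Rows of (ip, attempts, distinct accounts, distinct days), busiest first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["attempts"])
    return [(ip, s["attempts"], len(s["accounts"]), len(s["days"])) for ip, s in rows]


if __name__ == "__main__":
    for ip, attempts, accounts, days in report(summarise(SAMPLE_LOG)):
        print(f"{ip:15} attempts={attempts} accounts={accounts} days={days}")
```

Comparing the per-day totals before and after a blocking mechanism is enabled gives the kind of before/after figures quoted in the thread.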