Full Disclosure mailing list archives
Re: targetted SSH bruteforce attacks
From: Gary Baribault <gary () baribault net>
Date: Thu, 17 Jun 2010 08:54:35 -0400
Thanks Emmanuel,

I have to access that box sometimes from other machines than my own, so I would have to have my key and install it on all kinds of Windows boxen .. I have extremely good passwords that I change every 30 days, or every time I use a machine that I'm not 100% sure of.

Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 06/17/2010 08:45 AM, Emmanuel VERCHERE wrote:

Hi Gary,

SSH daemons using password auth exposed to the Internet _do_ get bruteforce attempts. I would not recommend moving it to a different port than 22 as that would be of very, _very_ little help - rather switch to public key auth (plus SPA if you're paranoid), et voila.

I don't think there's someone out there craving for _your_ box - but scripts running from compromised hosts, scanning for password-protected SSH daemons (as well as a bunch of known exploitable webapps and services), trying to reach out for 'fresh meat', and as such expand the zombie net? Definitely ;)

Cheers.

On Thu, 17 Jun 2010 07:48:18 -0400 Gary Baribault <gary () baribault net> wrote:

Hello list,

I have a strange situation and would like information from the list members. I have three Linux boxes exposed to the Internet. Two of them are on cable modems, and both have two services that are publicly available. In both cases, I have SSH and named running and available to the public. Before you folks say it, yes I run SSH on TCP/22 and no I don't want to move it to another port, and no I don't want to restrict it to certain source IPs.

Both of these systems are within one /21 and get attacked regularly. I run Denyhosts on them, and update the central server once an hour with attacking IPs, and obviously also download the public hosts.deny list.

These machines get hit regularly, so often that I don't really care, it's fun to make the script kiddies waste their time! But in this instance, only my home box is being attacked... someone is burning a lot of cycles and hosts to do a distributed dictionary attack on my one box! The named daemon is non recursive, properly configured, up to date and not being attacked.

Is anyone else seeing this type of attack? Or is someone really targeting MY box?

Thanks

Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
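The distributed dictionary attack described in the original post spreads guesses over many hosts, so a blocker that counts failures per source IP sees each host stay under its limit. As an added example (not code from this thread or from Denyhosts), this Python script reads OpenSSH "Failed password" lines and reports how much of the traffic a per-IP threshold would leave unblocked; the thresholds, the host name `home` and the log lines are constructed assumptions.

```python
import re
from collections import Counter

# Matches OpenSSH "Failed password" auth-log lines (IPv4 sources only, for brevity).
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(lines, per_ip_threshold=5):
    """Count failed logins per source; per_ip_threshold is an assumed value."""
    per_ip = Counter()
    users = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
            users[m["user"]] += 1
    total = sum(per_ip.values())
    # Sources that never reach the threshold are invisible to a per-IP blocker.
    under = {ip: n for ip, n in per_ip.items() if n < per_ip_threshold}
    return {
        "failures": total,
        "sources": len(per_ip),
        "blocked_sources": len(per_ip) - len(under),
        "unblocked_failures": sum(under.values()),
        "users": len(users),
    }

def looks_distributed(s, min_sources=20, min_unblocked_share=0.8):
    """True when many sources each stay under the per-IP threshold (assumed cut-offs)."""
    if s["failures"] == 0:
        return False
    share = s["unblocked_failures"] / s["failures"]
    return s["sources"] >= min_sources and share >= min_unblocked_share

def sample_log():
    """Constructed log: 30 hosts with 2 guesses each, plus one noisy single host."""
    fmt = "Jun 17 07:{m:02d}:{s:02d} home sshd[{pid}]: Failed password for {u} from {ip} port 4{m:02d}{s:02d} ssh2"
    lines = []
    for i in range(30):
        for j, u in enumerate(("root", "invalid user admin")):
            lines.append(fmt.format(m=i, s=j, pid=2000 + i, u=u, ip=f"203.0.113.{i + 1}"))
    for j in range(8):
        lines.append(fmt.format(m=40, s=j, pid=3000, u="root", ip="198.51.100.7"))
    return lines

if __name__ == "__main__":
    s = summarize(sample_log())
    print(s, "distributed:", looks_distributed(s))
```

Running the same summary over the auth logs of each exposed box and comparing the `sources` and `unblocked_failures` figures is one way to check whether a single host is receiving traffic the others are not.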