Full Disclosure mailing list archives
Re: targetted SSH bruteforce attacks
From: Gary Baribault <gary () baribault net>
Date: Thu, 17 Jun 2010 11:45:22 -0400
What the question was asking was 'is anyone else' having one machine attacked in particular as opposed to all of their machines. What I explained in the original post was that in all past instances (many times a day, every day) when one machine is attacked, the other is as well, since they are close to each other on a major cable modem ISP. In this case only one of the machines is being attacked, and it's a relatively stealthy attack. So the question is if anyone else is seeing the same type of activity. Gary Baribault Courriel: gary () baribault net GPG Key: 0x685430d1 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 06/17/2010 11:04 AM, Benji wrote:
What? Think about what you said. Anyone. else. seeing. a. targetted. attack. Why would anyone else see a TARGETTED attack? anyway, no, you're not special, distributed SSH bruteforce is normal. On Thu, Jun 17, 2010 at 1:44 PM, Gary Baribault <gary () baribault net> wrote:I just knew that people would say that, and that's why I specified that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's interesting to see new types of attacks. The question here is whether anyone else is seeing such a targeted attack. Gary Baribault Courriel: gary () baribault net GPG Key: 0x685430d1 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 06/17/2010 08:28 AM, dink () mrhinkydink com wrote:Have you ever considered obfuscated-openssh? http://github.com/brl/obfuscated-openssh I have a modified version of PuTTY available for it... http://www.mrhinkydink.com/potty.htm Still... you should change the freakin' port. -------- Original Message -------- Subject: [Full-disclosure] targetted SSH bruteforce attacks From: Gary Baribault <gary () baribault net> Date: Thu, June 17, 2010 7:48 am To: full-disclosure () lists grok org uk Hello list, I have a strange situation and would like information from the list members. I have three Linux boxes exposed to the Internet. Two of them are on cable modems, and both have two services that are publicly available. In both cases, I have SSH and named running and available to the public. Before you folks say it, yes I run SSH on TCP/22 and no I don't want to move it to another port, and no I don't want to restrict it to certain source IPs. Both of these systems are within one /21 and get attacked regularly. I run Denyhosts on them, and update the central server once an hour with attacking IPs, and obviously also download the public hosts.deny list. These machines get hit regularly, so often that I don't really care, it's fun to make the script kiddies waste their time! But in this instance, only my home box is being attacked... someone is burning a lot of cycles and hosts to do a distributed dictionary attack on my one box! The named daemon is non recursive, properly configured, up to date and not being attacked. Is anyone else seeing this type of attack? Or is someone really targeting MY box? Thanks Gary Baribault Courriel: gary () baribault net GPG Key: 0x685430d1 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: targetted SSH bruteforce attacks dink (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Benji (Jun 17)
- Re: targetted SSH bruteforce attacks Valdis . Kletnieks (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Benji (Jun 17)
- Re: targetted SSH bruteforce attacks Frank Bures (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
- <Possible follow-ups>
- Re: targetted SSH bruteforce attacks dink (Jun 17)
- Re: targetted SSH bruteforce attacks Michael Holstein (Jun 17)
- Re: targetted SSH bruteforce attacks dink (Jun 17)
- Re: targetted SSH bruteforce attacks iRAQi BlackHat (Jun 17)
- Re: targetted SSH bruteforce attacks Bob Onformon (Jun 18)