Honeypots mailing list archives
Re: Displaying SSH password attempts
From: ader () ait edu gr
Date: Tue, 11 Jul 2006 02:01:11 +0300 (EEST)
> On Fri, 07 Jul 2006 20:29:23 +0300, ader () ait edu gr said:
>> I would say that any attacker that tried to breach a system with such a poor security policy and failed, is under no circumstances a threat for modern Network Security. I mean you left the door unlocked and a note saying you are not there... If the guy can't open the door he is incapable of harm and most probably a victim himself.
>
> So tell me.. if you saw a flood of 62,497 totally lame ssh password probe attempts from the same set of 4 IP addresses, what are the chances that you'd be more likely to totally *fail* to notice a 4-packet zero-day from one of those 4 addresses? It's called "flying under the radar"...
I really don't get the point in your question... In the "flying under the radar" scenario you just mention... you really are not flying under the radar, are you?????

1) In Corporate Networks --- By making all those thousands of attempts to log into SSH, the attacker accomplishes only one thing... to get his IP dropped. Any address that tries this many failed attempts is definitely hostile and gets blacklisted. What you mentioned is definitely a bad way to fly under the radar... Sending fake requests, or gibberish packets, may hide the real attack, but still in modern Network Security any IP address that floods a service (HTTP, SSH, TELNET etc.) should be considered hostile and get dropped by the firewall.

2) In Honeypots --- Well, in the case that the attacker is already aware of your honeypot, and tries to hide his real attack by spamming your SSH Daemon with lame attempts, you should read my last comment about Honeypots and how dangerous they can be. Any LIVE honeypots must be properly configured and that is your job to do... Having proper DATA CAPTURING and DATA ANALYSIS tools helps to identify the attacks.... That's why SEBEK is such a nice tool, since it records all the packets transferred and classifies any known attacks. DATA ANALYSIS is one of the biggest burdens for Security Engineers since in many cases there are millions of false-positive alerts and trying to find real attacks is almost impossible (A thorough Nessus scan of a single system triggers thousands of IDS alerts, by the way).

I hope it clarified my positions a bit...
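As an added illustration of the two points argued in this thread (not code from any of the posters): a small Python check over constructed sshd log lines that applies the "this many failed attempts is hostile" blacklisting rule, and, to address the "flying under the radar" concern, also reports any successful login from a blacklisted address instead of only counting its noise. The hostname, addresses, users and threshold are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (hostname and addresses are made up).
SAMPLE_LOG = """\
Jul  7 20:01:01 hp sshd[1201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Jul  7 20:01:02 hp sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 40123 ssh2
Jul  7 20:01:03 hp sshd[1203]: Failed password for root from 203.0.113.10 port 40124 ssh2
Jul  7 20:01:04 hp sshd[1204]: Failed password for root from 203.0.113.10 port 40125 ssh2
Jul  7 20:01:05 hp sshd[1205]: Failed password for root from 203.0.113.10 port 40126 ssh2
Jul  7 20:02:10 hp sshd[1210]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul  7 20:02:11 hp sshd[1211]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jul  7 20:03:30 hp sshd[1220]: Accepted publickey for backup from 203.0.113.10 port 40200 ssh2
Jul  7 20:04:00 hp sshd[1230]: Accepted password for alice from 192.0.2.55 port 60000 ssh2
"""

# OpenSSH's standard auth-log wording for failed and successful logins.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def analyse(log_text, threshold=5):
    """Return (blacklist, alerts).

    blacklist: source IPs with at least `threshold` failed password attempts.
    alerts:    (ip, auth method, user) for every successful login from a
               blacklisted IP, the low-volume event a flood would otherwise bury.
    """
    failures = Counter()
    accepted = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group(3)].append((m.group(1), m.group(2)))
    blacklist = {ip for ip, n in failures.items() if n >= threshold}
    alerts = [(ip, method, user)
              for ip in sorted(blacklist) for method, user in accepted[ip]]
    return blacklist, alerts


if __name__ == "__main__":
    bl, al = analyse(SAMPLE_LOG)
    print("blacklist:", sorted(bl))
    for ip, method, user in al:
        print(f"ALERT: successful {method} login as {user} from blacklisted {ip}")
```

Dropping a flooding address at the firewall handles the noise; the second pass is what catches the one quiet event from the same source.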
Current thread:
- Re: Displaying SSH password attempts, (continued)
- Re: Displaying SSH password attempts Jeff Lake (Jul 05)
- Re: Displaying SSH password attempts Daniel Cid (Jul 05)
- Re: Displaying SSH password attempts Nikola (Jul 05)
- RE: Displaying SSH password attempts Dodge, R. LTC EECS (Jul 05)
- Re: Displaying SSH password attempts Valdis . Kletnieks (Jul 05)
- Re: Displaying SSH password attempts Harry Hoffman (Jul 05)
- Re: Displaying SSH password attempts Tom Doherty (Jul 05)
- Re: Displaying SSH password attempts Valdis . Kletnieks (Jul 05)
- Re: Displaying SSH password attempts ader (Jul 07)
- Re: Displaying SSH password attempts Valdis . Kletnieks (Jul 07)
- Re: Displaying SSH password attempts ader (Jul 11)