Re: Distributed Bruteforce against SSH

["Tim Kennedy" <tim () timkennedy net>]

On Mon, May 12, 2008 at 2:01 PM, Keith T. Morgan
<keith.morgan () terradon com> wrote:
> I wanted to follow up on this after putting a little more thought into it.  Honestly, I'm quite impressed by the 
> intelligence the botnet is exhibiting.  Based on the testing I've done, it's clear that the entire botnet is 
> collectively sharing its position in the dictionary on a per-target basis.  Fairly slick, IMO.

Agreed.

If you're concerned, start requiring ssh-keys for authentication.  If
you use RedHat (or derivatives thereof) and have the pam_succeed_if
PAM module available, you can at the very least make sure that any
non-authorized user accounts (even if they actually exist, and have a
password) can't log in via ssh.    Like users who only get email
privileges, or who only have ftp privs to update a website.

Mitigation is the name of the game, since the botnets tend to span
large areas of the IP space, blocking entire networks risks making
your servers/services unusable.

-Tim