Security Incidents mailing list archives
Re: Distributed Bruteforce against SSH
From: "Tim Kennedy" <tim () timkennedy net>
Date: Mon, 12 May 2008 15:53:56 -0400
On Mon, May 12, 2008 at 2:01 PM, Keith T. Morgan <keith.morgan () terradon com> wrote:
I wanted to follow up on this after putting a little more thought into it. Honestly, I'm quite impressed by the intelligence the botnet is exhibiting. Based on the testing I've done, it's clear that the entire botnet is collectively sharing its position in the dictionary on a per-target basis. Fairly slick, IMO.
Agreed. If you're concerned, start requiring ssh-keys for authentication. If you use RedHat (or derivatives thereof) and have the pam_succeed_if PAM module available, you can at the very least make sure that any non-authorized user accounts (even if they actually exist, and have a password) can't log in via ssh. Like users who only get email privileges, or who only have ftp privs to update a website. Mitigation is the name of the game, since the botnets tend to span large areas of the IP space, blocking entire networks risks making your servers/services unusable. -Tim
Current thread:
- Distributed Bruteforce against SSH Gary Baribault (May 12)
- RE: Distributed Bruteforce against SSH Keith T. Morgan (May 12)
- RE: Distributed Bruteforce against SSH Keith T. Morgan (May 12)
- Re: Distributed Bruteforce against SSH Tim Kennedy (May 12)
- Message not available
- Re: Distributed Bruteforce against SSH Gary Baribault (May 12)