[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] targetted SSH bruteforce attacks

To: Gregory Bellier <gregory.bellier@xxxxxxxxx>
Subject: Re: [Full-disclosure] targetted SSH bruteforce attacks
From: Gary Baribault <gary@xxxxxxxxxxxxx>
Date: Thu, 17 Jun 2010 08:47:00 -0400

My Denyhosts daemon is configured pretty much like that, but it uses
TCP Wrapper (hosts.deny) instead of the firewall and it uploads the
attacking IPs to a central server every hour for other Denyhosts users.

Gary Baribault
Courriel: gary@xxxxxxxxxxxxx
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 06/17/2010 08:32 AM, Gregory Bellier wrote:
> Hi !
>
> Most of the time (to not say everytime), it's a bot and not a human
> behind those attacks.
> I configured my firewall to ban for a minute every IPs trying to log
> in with 5 wrong attempts.
> Once it's banned, the bot tries one or two more times and then give up.
>
> It's pretty much effective.
>
> 
>
> 2010/6/17 Gary Baribault <gary@xxxxxxxxxxxxx
> <mailto:gary@xxxxxxxxxxxxx>>
>
>     Hello list,
>
>        I have a strange situation and would like information from the
>     list members. I have three Linux boxes exposed to the Internet.
>     Two of
>     them are on cable modems, and both have two services that are
>     publicly
>     available. In both cases, I have SSH and named running and available
>     to the public. Before you folks say it, yes I run SSH on TCP/22
>     and no
>     I don't want to move it to another port, and no I don't want to
>     restrict it to certain source IPs.
>
>        Both of these systems are within one /21 and get attacked
>     regularly. I run Denyhosts on them, and update the central
>     server once
>     an hour with attacking IPs, and obviously also download the public
>     hosts.deny list.
>
>        These machines get hit regularly, so often that I don't really
>     care, it's fun to make the script kiddies waste their time! But in
>     this instance, only my home box is being attacked... someone is
>     burning a lot of cycles and hosts to do a distributed dictionary
>     attack on my one box! The named daemon is non recursive, properly
>     configured, up to date and not being attacked.
>
>        Is anyone else seeing this type of attack? Or is someone really
>     targeting MY box?
>
>     Thanks
>
>
>     Gary Baribault
>     Courriel: gary@xxxxxxxxxxxxx <mailto:gary@xxxxxxxxxxxxx>
>     GPG Key: 0x685430d1
>     Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] [SECURITY] [DSA 2062-1] New sudo packages fix environment sanitization bypass vulnerability
  - From: Giuseppe Iuculano
- [Full-disclosure] targetted SSH bruteforce attacks
  - From: Gary Baribault
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Gregory Bellier

Prev by Date: Re: [Full-disclosure] targetted SSH bruteforce attacks
Next by Date: Re: [Full-disclosure] targetted SSH bruteforce attacks
Previous by thread: Re: [Full-disclosure] targetted SSH bruteforce attacks
Next by thread: Re: [Full-disclosure] targetted SSH bruteforce attacks
Index(es):
- Date
- Thread