[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] targetted SSH bruteforce attacks

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] targetted SSH bruteforce attacks
From: Gary Baribault <gary@xxxxxxxxxxxxx>
Date: Wed, 23 Jun 2010 12:38:05 -0400

In this attack, there's no need to throttle, the attacking computers hit
it once every 15 seconds or so from many different sources. My denyhosts
is not blocking 99.999% of the attempts.

Gary Baribault
Courriel: gary@xxxxxxxxxxxxx
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/23/2010 12:33 PM, Cody Robertson wrote:
> On 6/23/10 4:22 AM, yersinia wrote:
>   
>> On Thu, Jun 17, 2010 at 4:21 PM, Samuel Martín Moro <faust64@xxxxxxxxx>wrote:
>>
>>     
>>> I also don't want to change my ssh port, nor restrict incoming IPs, ... and
>>> I use keys only to log in without entering password.
>>> So you're not alone.
>>> I had my IP changed several times, my servers are only hosting personal
>>> data.
>>> But I'm still seeing bruteforce attemps in my logs.
>>>
>>> Here's something I use on my servers.
>>> In cron, every 5-10 minutes, that should do it.
>>> Of course, if you're running *BSD, pf is way more interesting to do that.
>>>
>>> Perhaps could be better to use something standard as fail2ban
>>>       
>> http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/?
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>     
> If you have iptables it has ways you can do this throttle too many
> connections within a specified period. I much prefer using something
> such as this over third party software.
>
> I'm sure you can do this in PF however I'm not familiar with it enough
> to be certain (I'd be surprised if you couldn't however).
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Cody Robertson

References:
- [Full-disclosure] [SECURITY] [DSA 2062-1] New sudo packages fix environment sanitization bypass vulnerability
  - From: Giuseppe Iuculano
- [Full-disclosure] targetted SSH bruteforce attacks
  - From: Gary Baribault
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Samuel Martín Moro
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: yersinia
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Cody Robertson

Prev by Date: Re: [Full-disclosure] No anti-virus software? No internet connection
Next by Date: Re: [Full-disclosure] targetted SSH bruteforce attacks
Previous by thread: Re: [Full-disclosure] targetted SSH bruteforce attacks
Next by thread: Re: [Full-disclosure] targetted SSH bruteforce attacks
Index(es):
- Date
- Thread