[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] targetted SSH bruteforce attacks

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] targetted SSH bruteforce attacks
From: Cody Robertson <cody@xxxxxxxxxxxx>
Date: Wed, 23 Jun 2010 12:51:41 -0400

On 6/23/10 12:38 PM, Gary Baribault wrote:
> In this attack, there's no need to throttle, the attacking computers hit
> it once every 15 seconds or so from many different sources. My denyhosts
> is not blocking 99.999% of the attempts.
> 
> Gary Baribault
> Courriel: gary@xxxxxxxxxxxxx
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
> 
> 
> On 06/23/2010 12:33 PM, Cody Robertson wrote:
>> On 6/23/10 4:22 AM, yersinia wrote:
>>   
>>> On Thu, Jun 17, 2010 at 4:21 PM, Samuel Martín Moro 
>>> <faust64@xxxxxxxxx>wrote:
>>>
>>>     
>>>> I also don't want to change my ssh port, nor restrict incoming IPs, ... and
>>>> I use keys only to log in without entering password.
>>>> So you're not alone.
>>>> I had my IP changed several times, my servers are only hosting personal
>>>> data.
>>>> But I'm still seeing bruteforce attemps in my logs.
>>>>
>>>> Here's something I use on my servers.
>>>> In cron, every 5-10 minutes, that should do it.
>>>> Of course, if you're running *BSD, pf is way more interesting to do that.
>>>>
>>>> Perhaps could be better to use something standard as fail2ban
>>>>       
>>> http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/?
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>     
>> If you have iptables it has ways you can do this throttle too many
>> connections within a specified period. I much prefer using something
>> such as this over third party software.
>>
>> I'm sure you can do this in PF however I'm not familiar with it enough
>> to be certain (I'd be surprised if you couldn't however).
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>   
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

It tends to vary for my machines however it still catches quite a bit of
throttling. Regardless it was just a recommendation to avoid using third
party software for something so trivial.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] [SECURITY] [DSA 2062-1] New sudo packages fix environment sanitization bypass vulnerability
  - From: Giuseppe Iuculano
- [Full-disclosure] targetted SSH bruteforce attacks
  - From: Gary Baribault
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Samuel Martín Moro
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: yersinia
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Cody Robertson
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Gary Baribault

Prev by Date: Re: [Full-disclosure] targetted SSH bruteforce attacks
Next by Date: Re: [Full-disclosure] No anti-virus software? No internet connection
Previous by thread: Re: [Full-disclosure] targetted SSH bruteforce attacks
Next by thread: Re: [Full-disclosure] targetted SSH bruteforce attacks
Index(es):
- Date
- Thread