Distributed Bruteforce against SSH


Distributed Bruteforce against SSH

by Gary Baribault-2


I guess what I reported last week was the warmup round .. We're now
getting thousands of attempted logins with the standard dictionary of
potential login names.

As I stated, I'm not interested in avoiding these attacks, so please
don't suggest that I change the SSH port, my machines are safe enough ..

For those who missed it, I have three servers on the Internet, two cable
modems and one static and again, two of them are getting about 100
attacks per hour but instead of using root for every attempt, we are now
seeing the standard alphabetical list of users.

What worries me is all of the Linux/Unix servers out there (and I guess
to a lesser degree Windows boxes with an SSH daemon) that have many
normal remote users who are allowed remote access with SSH and have weak
passwords.

This attack seems to be aimed at them, and will certainly succeed.

See a sample of one of my logs below

Gary B

messages:May 11 21:59:39 salle sshd[5493]: Invalid user a'marie from 213.251.185.54
messages:May 11 21:59:39 salle sshd[5493]: Failed keyboard-interactive/pam for invalid user a'marie from 213.251.185.54 port 33943 ssh2
messages:May 11 22:01:34 salle sshd[5519]: Invalid user aaliyah from 62.206.228.188
messages:May 11 22:01:34 salle sshd[5519]: Failed keyboard-interactive/pam for invalid user aaliyah from 62.206.228.188 port 49207 ssh2
messages:May 11 22:03:11 salle sshd[5524]: Invalid user aaralyn from 212.220.166.26
messages:May 11 22:03:11 salle sshd[5524]: Failed keyboard-interactive/pam for invalid user aaralyn from 212.220.166.26 port 1408 ssh2
messages:May 11 22:04:05 salle sshd[5528]: Invalid user aaron from 83.151.29.86
messages:May 11 22:04:05 salle sshd[5528]: Failed keyboard-interactive/pam for invalid user aaron from 83.151.29.86 port 55756 ssh2
messages:May 11 22:05:34 salle sshd[5533]: Invalid user abbie from 70.43.165.34
messages:May 11 22:05:34 salle sshd[5533]: Failed keyboard-interactive/pam for invalid user abbie from 70.43.165.34 port 48681 ssh2
messages:May 11 22:06:41 salle sshd[5537]: Invalid user abbott from 194.204.62.2
messages:May 11 22:06:41 salle sshd[5537]: Failed keyboard-interactive/pam for invalid user abbott from 194.204.62.2 port 7799 ssh2
messages:May 11 22:08:33 salle sshd[5543]: Invalid user abdukrahman from 62.206.22.124
messages:May 11 22:08:34 salle sshd[5543]: Failed keyboard-interactive/pam for invalid user abdukrahman from 62.206.22.124 port 50525 ssh2
messages:May 11 22:12:11 salle sshd[5558]: Invalid user abdulrahman from 196.211.191.58
messages:May 11 22:12:12 salle sshd[5558]: Failed keyboard-interactive/pam for invalid user abdulrahman from 196.211.191.58 port 58081 ssh2
messages:May 11 22:12:55 salle sshd[5562]: Invalid user abe from 217.172.164.130
messages:May 11 22:12:55 salle sshd[5562]: Failed keyboard-interactive/pam for invalid user abe from 217.172.164.130 port 56462 ssh2
messages:May 11 22:13:53 salle sshd[5566]: Invalid user abel from 80.68.94.169
messages:May 11 22:13:54 salle sshd[5566]: Failed keyboard-interactive/pam for invalid user abel from 80.68.94.169 port 2229 ssh2
messages:May 11 22:15:47 salle sshd[5592]: Invalid user abia from 86.49.7.207
messages:May 11 22:15:47 salle sshd[5592]: Failed keyboard-interactive/pam for invalid user abia from 86.49.7.207 port 1407 ssh2
messages:May 11 22:16:32 salle sshd[5595]: Invalid user abiba from 200.117.122.206
messages:May 11 22:16:33 salle sshd[5595]: Failed keyboard-interactive/pam for invalid user abiba from 200.117.122.206 port 53258 ssh2
messages:May 11 22:18:02 salle sshd[5599]: Invalid user abie from 208.189.14.194
messages:May 11 22:18:02 salle sshd[5599]: Failed keyboard-interactive/pam for invalid user abie from 208.189.14.194 port 36420 ssh2
messages:May 11 22:18:24 salle sshd[5602]: Invalid user abigail from 69.128.70.86
messages:May 11 22:18:25 salle sshd[5602]: Failed keyboard-interactive/pam for invalid user abigail from 69.128.70.86 port 3154 ssh2
messages:May 11 22:19:53 salle sshd[5605]: Invalid user abner from 62.147.203.49
messages:May 11 22:19:53 salle sshd[5605]: Failed keyboard-interactive/pam for invalid user abner from 62.147.203.49 port 38321 ssh2
messages:May 11 22:20:17 salle sshd[5608]: Invalid user abra from 61.29.122.140
messages:May 11 22:20:17 salle sshd[5609]: input_userauth_request: invalid user abra
messages:May 11 22:20:17 salle sshd[5608]: Failed keyboard-interactive/pam for invalid user abra from 61.29.122.140 port 53367 ssh2
messages:May 11 22:20:57 salle sshd[5612]: Invalid user abra from 200.166.58.108
messages:May 11 22:20:58 salle sshd[5612]: Failed keyboard-interactive/pam for invalid user abra from 200.166.58.108 port 41499 ssh2
messages:May 11 22:21:28 salle sshd[5615]: Invalid user abraham from 82.193.22.18
messages:May 11 22:21:28 salle sshd[5616]: input_userauth_request: invalid user abraham
messages:May 11 22:21:28 salle sshd[5615]: Failed keyboard-interactive/pam for invalid user abraham from 82.193.22.18 port 33116 ssh2
messages:May 11 22:22:36 salle sshd[5619]: Invalid user abram from 66.159.198.155
messages:May 11 22:22:37 salle sshd[5619]: Failed keyboard-interactive/pam for invalid user abram from 66.159.198.155 port 45869 ssh2
messages:May 11 22:22:53 salle sshd[5622]: Invalid user abram from 89.110.144.212
messages:May 11 22:22:53 salle sshd[5623]: input_userauth_request: invalid user abram
messages:May 11 22:22:53 salle sshd[5622]: Failed keyboard-interactive/pam for invalid user abram from 89.110.144.212 port 35527 ssh2
messages:May 11 22:23:29 salle sshd[5625]: Invalid user abrianna from 204.13.164.75
messages:May 11 22:23:29 salle sshd[5625]: Failed keyboard-interactive/pam for invalid user abrianna from 204.13.164.75 port 36896 ssh2
messages:May 11 22:24:22 salle sshd[5629]: Invalid user abrienda from 87.234.200.80
messages:May 11 22:24:22 salle sshd[5629]: Failed keyboard-interactive/pam for invalid user abrienda from 87.234.200.80 port 17603 ssh2
messages:May 11 22:25:04 salle sshd[5632]: Invalid user abrienda from 168.234.199.84
messages:May 11 22:25:04 salle sshd[5632]: Failed keyboard-interactive/pam for invalid user abrienda from 168.234.199.84 port 47504 ssh2
messages:May 11 22:25:52 salle sshd[5635]: Invalid user abril from 83.246.96.70
messages:May 11 22:25:52 salle sshd[5635]: Failed keyboard-interactive/pam for invalid user abril from 83.246.96.70 port 48594 ssh2
messages:May 11 22:25:55 salle sshd[5638]: Invalid user abril from 62.2.99.174
messages:May 11 22:25:56 salle sshd[5638]: Failed keyboard-interactive/pam for invalid user abril from 62.2.99.174 port 1424 ssh2
messages:May 11 22:27:00 salle sshd[5642]: Invalid user absolom from 200.117.122.206
messages:May 11 22:27:01 salle sshd[5642]: Failed keyboard-interactive/pam for invalid user absolom from 200.117.122.206 port 45918 ssh2
messages:May 11 22:27:15 salle sshd[5645]: Invalid user abu from 85.14.219.67
messages:May 11 22:27:15 salle sshd[5645]: Failed keyboard-interactive/pam for invalid user abu from 85.14.219.67 port 38085 ssh2
messages:May 11 22:28:48 salle sshd[5649]: Invalid user acacia from 64.83.58.161
messages:May 11 22:28:48 salle sshd[5649]: Failed keyboard-interactive/pam for invalid user acacia from 64.83.58.161 port 39750 ssh2
messages:May 11 22:30:48 salle sshd[5675]: Invalid user ace from 61.29.122.140
messages:May 11 22:30:48 salle sshd[5676]: input_userauth_request: invalid user ace
messages:May 11 22:30:48 salle sshd[5675]: Failed keyboard-interactive/pam for invalid user ace from 61.29.122.140 port 60660 ssh2
messages:May 11 22:32:25 salle sshd[5680]: Invalid user acton from 217.98.80.5
messages:May 11 22:32:25 salle sshd[5680]: Failed keyboard-interactive/pam for invalid user acton from 217.98.80.5 port 10497 ssh2
messages:May 11 22:32:57 salle sshd[5683]: Invalid user acton from 88.198.47.143
messages:May 11 22:32:57 salle sshd[5683]: Failed keyboard-interactive/pam for invalid user acton from 88.198.47.143 port 39369 ssh2
messages:May 11 22:33:21 salle sshd[5686]: Invalid user ada from 200.74.136.246
messages:May 11 22:33:21 salle sshd[5686]: Failed keyboard-interactive/pam for invalid user ada from 200.74.136.246 port 35651 ssh2
messages:May 11 22:33:51 salle sshd[5689]: Invalid user ada from 69.15.102.215
messages:May 11 22:33:51 salle sshd[5689]: Failed keyboard-interactive/pam for invalid user ada from 69.15.102.215 port 50657 ssh2
messages:May 11 22:34:57 salle sshd[5693]: Invalid user adah from 216.197.204.76
messages:May 11 22:34:57 salle sshd[5693]: Failed keyboard-interactive/pam for invalid user adah from 216.197.204.76 port 43581 ssh2
messages:May 11 22:35:17 salle sshd[5696]: Invalid user adair from 76.160.167.251
messages:May 11 22:35:17 salle sshd[5696]: Failed keyboard-interactive/pam for invalid user adair from 76.160.167.251 port 50495 ssh2
messages:May 11 22:38:36 salle sshd[5715]: Invalid user adamina from 201.21.210.151
messages:May 11 22:38:36 salle sshd[5716]: input_userauth_request: invalid user adamina
messages:May 11 22:38:37 salle sshd[5715]: Failed keyboard-interactive/pam for invalid user adamina from 201.21.210.151 port 34881 ssh2
messages:May 11 22:38:54 salle sshd[5718]: Invalid user adamina from 133.6.61.76
messages:May 11 22:38:54 salle sshd[5718]: Failed keyboard-interactive/pam for invalid user adamina from 133.6.61.76 port 44428 ssh2
messages:May 11 22:39:29 salle sshd[5721]: Invalid user adamma from 212.51.52.244
messages:May 11 22:39:29 salle sshd[5721]: Failed keyboard-interactive/pam for invalid user adamma from 212.51.52.244 port 41180 ssh2
messages:May 11 22:39:51 salle sshd[5724]: Invalid user adamma from 83.244.156.204
messages:May 11 22:39:51 salle sshd[5724]: Failed keyboard-interactive/pam for invalid user adamma from 83.244.156.204 port 50954 ssh2
messages:May 11 22:41:02 salle sshd[5735]: Invalid user adara from 88.198.47.143
messages:May 11 22:41:02 salle sshd[5735]: Failed keyboard-interactive/pam for invalid user adara from 88.198.47.143 port 33031 ssh2
messages:May 11 22:42:28 salle sshd[5738]: Invalid user addison from 62.2.211.46
messages:May 11 22:42:28 salle sshd[5738]: Failed keyboard-interactive/pam for invalid user addison from 62.2.211.46 port 29580 ssh2





RE: Distributed Bruteforce against SSH

by Keith T. Morgan

Yep.  I've been seeing them too.  What's interesting is that the botnet is sharing "state" information regarding where the collective botnet is in the dictionary.  This will completely bypass fail2ban since each subsequent dictionary word is tried from a different host.

I experimented a bit by blocking huge swaths of the internet at the firewall, and watching.  For example, I dropped everything inbound except for 66.0.0.0/8, 67.0.0.0/8 and 68.0.0.0/8.  Sure enough, eventually, the next attempt came through.  And it used the next sequential username in the dictionary (as captured on a logically nearby host).

When I opened things up again, the dictionary attack simply sped up, in the proper word sequence, coming from more hosts.


> -----Original Message-----
> From: Gary Baribault [mailto:gary@...]
> Sent: Monday, May 12, 2008 11:28 AM
> To: incidents@...
> Subject: Distributed Bruteforce against SSH
>
>
> I guess what I reported last week was the warmup round ..
> We're now getting thousands of attempted logins with the
> standard dictionary of potential login names.
>
> As I stated, I'm not interested in avoiding these attacks, so
> please don't suggest that I change the SSH port, my machines
> are safe enough ..
>
> For those who missed it, I have three servers on the
> Internet, two cable modems and one static and again, two of
> them are getting about 100 attacks per hour but instead of
> using root for every attempt, we are now seeing the standard
> alphabetical list of users.
>
> What worries me is all of the Linux/Unix servers out there
> (and I guess to a lesser degree Windows boxes with an SSH
> daemon) that have many normal remote users who are allowed
> remote access with SSH and have weak passwords.
>
> This attack seems to be aimed at them, and will certainly succeed.
>
> See a sample of one of my logs below
>
> Gary B
>
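What Gary's log sample and Keith's fail2ban observation describe, run as detection logic. This is an added example, not code from the thread: it parses the sshd "Invalid user" lines copied from the first message (the `messages:` grep prefix is kept and tolerated), shows that a per-IP counter never reaches any useful ban threshold because each source appears once, and then flags the pattern that is visible only in aggregate, many distinct hosts whose user names arrive in dictionary order. The thresholds (eight hosts, 90% of consecutive names in order) are assumptions to tune against your own traffic, and a single host can only ever see its own share of the sweep; confirming the shared state Keith describes needs logs from more than one target.

```python
"""Spot a distributed SSH user-name sweep that per-IP blocking never sees.

Added example, not code from the thread. The sample lines are copied from
the log excerpt in the first message (the 'messages:' grep prefix is kept,
and the parser tolerates it).
"""
import re
from collections import Counter

# sshd's "Invalid user <name> from <ip>" line; an optional "file:" grep prefix is allowed.
INVALID_RE = re.compile(
    r"^(?:[\w.]+:)?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

SAMPLE_LOG = """\
messages:May 11 21:59:39 salle sshd[5493]: Invalid user a'marie from 213.251.185.54
messages:May 11 21:59:39 salle sshd[5493]: Failed keyboard-interactive/pam for invalid user a'marie from 213.251.185.54 port 33943 ssh2
messages:May 11 22:01:34 salle sshd[5519]: Invalid user aaliyah from 62.206.228.188
messages:May 11 22:03:11 salle sshd[5524]: Invalid user aaralyn from 212.220.166.26
messages:May 11 22:04:05 salle sshd[5528]: Invalid user aaron from 83.151.29.86
messages:May 11 22:05:34 salle sshd[5533]: Invalid user abbie from 70.43.165.34
messages:May 11 22:06:41 salle sshd[5537]: Invalid user abbott from 194.204.62.2
messages:May 11 22:08:33 salle sshd[5543]: Invalid user abdukrahman from 62.206.22.124
messages:May 11 22:12:11 salle sshd[5558]: Invalid user abdulrahman from 196.211.191.58
messages:May 11 22:12:55 salle sshd[5562]: Invalid user abe from 217.172.164.130
messages:May 11 22:13:53 salle sshd[5566]: Invalid user abel from 80.68.94.169
"""


def parse_invalid_users(text):
    """Return [(user, ip), ...] in log order; lines that are not 'Invalid user' are skipped."""
    events = []
    for line in text.splitlines():
        m = INVALID_RE.match(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def per_ip_blocks(events, threshold=5):
    """Sources a fail2ban/DenyHosts-style per-IP counter would ban at this threshold."""
    hits = Counter(ip for _, ip in events)
    return {ip for ip, n in hits.items() if n >= threshold}


def is_distributed_sweep(events, min_hosts=8, min_ordered=0.9):
    """True when many distinct sources each try a name or two and the names
    arrive in dictionary order: the signature of a shared word list."""
    if len(events) < min_hosts:
        return False
    users = [u for u, _ in events]
    distinct_ips = len({ip for _, ip in events})
    in_order = sum(1 for a, b in zip(users, users[1:]) if a <= b)
    return distinct_ips >= min_hosts and in_order / (len(users) - 1) >= min_ordered


if __name__ == "__main__":
    ev = parse_invalid_users(SAMPLE_LOG)
    print(f"{len(ev)} invalid-user attempts from {len({ip for _, ip in ev})} hosts")
    print("per-IP bans at threshold 5:", per_ip_blocks(ev) or "none")
    print("distributed sweep:", is_distributed_sweep(ev))
```

On the eleven sample lines this reports ten attempts from ten hosts, no per-IP bans at a threshold of five, and a distributed sweep. The same aggregate counters are what you would feed into a rate limit on the whole listener (or a short-lived global ban on new sources) rather than on individual addresses.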

RE: Distributed Bruteforce against SSH

by Keith T. Morgan

I wanted to follow up on this after putting a little more thought into it.  Honestly, I'm quite impressed by the intelligence the botnet is exhibiting.  Based on the testing I've done, it's clear that the entire botnet is collectively sharing its position in the dictionary on a per-target basis.  Fairly slick, IMO.

> -----Original Message-----
> From: Gary Baribault [mailto:gary@...]
> Sent: Monday, May 12, 2008 11:28 AM
> To: incidents@...
> Subject: Distributed Bruteforce against SSH
>
>
> I guess what I reported last week was the warmup round ..
> We're now getting thousands of attempted logins with the
> standard dictionary of potential login names.
>

Re: Distributed Bruteforce against SSH

by Tim Kennedy

On Mon, May 12, 2008 at 2:01 PM, Keith T. Morgan
<keith.morgan@...> wrote:
> I wanted to follow up on this after putting a little more thought into it.  Honestly, I'm quite impressed by the intelligence the botnet is exhibiting.  Based on the testing I've done, it's clear that the entire botnet is collectively sharing its position in the dictionary on a per-target basis.  Fairly slick, IMO.

Agreed.

If you're concerned, start requiring ssh-keys for authentication.  If
you use RedHat (or derivatives thereof) and have the pam_succeed_if
PAM module available, you can at the very least make sure that any
non-authorized user accounts (even if they actually exist, and have a
password) can't log in via ssh.    Like users who only get email
privileges, or who only have ftp privs to update a website.

Mitigation is the name of the game: since the botnets tend to span
large areas of the IP space, blocking entire networks risks making
your servers/services unusable.

-Tim
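Tim's two suggestions (require keys; use PAM so that accounts which exist only for mail or FTP cannot log in over SSH) as a checkable sshd_config. This is an added example, not code from the thread or from OpenSSH: it audits a config text for the settings that still let a user-name/password sweep succeed, modelling OpenSSH's rule that the first value given for a keyword wins. One caveat it encodes is visible in Gary's own log lines, which say `Failed keyboard-interactive/pam`: with `UsePAM yes`, setting `PasswordAuthentication no` alone leaves that path open, so `ChallengeResponseAuthentication` (spelled `KbdInteractiveAuthentication` from OpenSSH 8.7 on, the old name still accepted) must be turned off too. The group name `sshusers` is an assumption, and anything after a `Match` line is deliberately not modelled.

```python
"""Audit sshd_config for settings that leave SSH open to password guessing.

Added example, not code from the thread. It models two OpenSSH rules:
the first value given for a keyword wins, and keyword names are
case-insensitive. Anything after a 'Match' line is conditional and is
deliberately not modelled here (simplifying assumption).
"""
import re

# OpenSSH defaults for the keywords that matter for this audit.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # ChallengeResponseAuthentication before 8.7
    "pubkeyauthentication": "yes",
    "usepam": "no",
    "permitrootlogin": "prohibit-password",  # older builds and some distributions ship 'yes'
    "allowgroups": "",
    "allowusers": "",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return the effective value of each audited keyword (first occurrence wins)."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional section: not modelled
        if key in effective and key not in seen:
            seen.add(key)
            effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective


def audit(text):
    """List the settings that still let a remote user-name/password sweep succeed."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: passwords accepted")
    if cfg["kbdinteractiveauthentication"] == "yes" and cfg["usepam"] == "yes":
        findings.append("keyboard-interactive/pam still takes passwords "
                        "(the path in the 'Failed keyboard-interactive/pam' log lines)")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: keys cannot replace passwords")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is a direct target")
    if not (cfg["allowgroups"] or cfg["allowusers"]):
        findings.append("no AllowGroups/AllowUsers: every local account is a login target")
    return findings


# Constructed: a typical distribution default of the period.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed: keys only, PAM kept for account/session checks, logins limited to one group.
# Pair it with this line in /etc/pam.d/sshd (group name 'sshusers' is an assumption):
#   account required pam_succeed_if.so user ingroup sshusers
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowGroups sshusers
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or ['no findings']}")
```

The weak config yields four findings and the hardened one none. Note where the `pam_succeed_if` line goes: in the `auth` stack it only gates the PAM-mediated methods (password and keyboard-interactive), so a key login for a mail-only account would still succeed; in the `account` stack it applies to every method, because with `UsePAM yes` sshd runs PAM account management even after a public-key authentication. `AllowGroups` in sshd_config gives the same fence without depending on PAM at all, which is why the hardened config carries both. On a live system, `sshd -T` prints the effective values after all `Match` processing and is the authoritative check.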

Re: Distributed Bruteforce against SSH

by Gary Baribault-2

Yep, that's what I use, and that's what the distributed attack is all
about, since the same IP is not always used, then the DenyHosts script
does not kick in .. I actually get about 30 DenyHosts messages per hour,
so there is some re-use of IPs happening, but not that many.

Gary B




Joel Esler wrote:
>  Have you looked into a tool called "denyhosts"?
>
>  J
>
>  On May 12, 2008, at 11:27 AM, Gary Baribault wrote:
>
> > I guess what I reported last week was the warmup round .. We're now
getting thousands of attempted logins with the standard dictionary of
potential login names.
> >
> > As I stated, I'm not interested in avoiding these attacks, so please
don't suggest that I change the SSH port, my machines are safe enough ..
> >
> > For those who missed it, I have three servers on the Internet, two
cable modems and one static and again, two of them are getting about 100
attacks per hour but instead of using root for every attempt, we are now
seeing the standard alphabetical list of users.
> >
> > What worries me is all of the Linux/Unix servers out there (and I
guess to a lesser degree Windows boxes with an SSH daemon) that have
many normal remote users who are allowed remote access with SSH and have
weak passwords.
> >
> > This attack seems to be aimed at them, and will certainly succeed.
> >
> > See a sample of one of my logs below
> >
> > Gary B
> >
>  --
>  Joel Esler
>    joel.esler@...
>    http://blog.joelesler.net
>  [m]