Comments on: Distributed SSH Brute Force Attacks

By: Håkon Alstadheim

Håkon Alstadheim — Sun, 03 May 2009 11:15:23 +0000

Hi, I used to have one of the entries in your blacklist-list at my website
(http://www.alstadheim.priv.no/cgi-bin/svarteliste). That link should be removed from the list.

It has been discontinued. There is no point in running such a thing in isolation any more, since most serious attacs nowadays are distributed slow attacks. To stop those we’d need a distributed approach, like taking port 22 hits from dshield.org.

I don’t have much time for IT-security work anymore, so the idea is hereby put into the public domain.

By: Nerd Gene » Blog Archive » Prevent port scans and SSH brute force

Nerd Gene » Blog Archive » Prevent port scans and SSH brute force — Fri, 19 Dec 2008 19:11:12 +0000

[...] the influx of reports about botnets doing SSH brute force attacks, I decided to check my own server logs. Sure enough, I [...]

By: Chinese Sandwich Babies Take Over Duh Interwebs | We Break Things

Chinese Sandwich Babies Take Over Duh Interwebs | We Break Things — Fri, 19 Dec 2008 15:31:00 +0000

[...] [3] http://edwardlucas.blogspot.com/2008/12/cyberwarfare.html [4] http://asert.arbornetworks.com/2008/12/distributed-ssh-brute-force-attacks/ Share and Enjoy: These icons link to social bookmarking sites where readers can share and [...]

By: The Linux Mint Blog » Blog Archive » The Mint Newsletter - issue 69

The Linux Mint Blog » Blog Archive » The Mint Newsletter - issue 69 — Mon, 15 Dec 2008 21:37:10 +0000

[...] SSH Brute Force Attacks confounds [...]

By: Matthew Walker

Matthew Walker — Tue, 09 Dec 2008 23:52:55 +0000

We’ve been seeing this on our production network for a while; and most recently they actually been successful against two of our exposed research boxes that I was silly enough to leave with weak username/password combinations on accounts with wheel. The funny thing that we’re still looking into at my lab is that although the two boxes were compromised at the same time; they do different things, one seemingly just acts as an IRC relay node, and the other was actually actively attacking servers in Brazil. Luckily the rest of our exposed boxes did not have such vulnerabilities.

By: mokum von Amsterdam

mokum von Amsterdam — Tue, 09 Dec 2008 09:37:08 +0000

This is going on a long time already.

I picked this up in May 2008 and certainly was not the first.
http://mokumvonamsterdam.blogspot.com/2008/05/ssh-brute-force-botnet.html

Good you get the ‘news’ out in the open again, never too much attention for issues like these.

Denyhosts is doing a pretty decent job of keeping your /etc/hosts.deny up to date, give it a try.

By: t

Tue, 09 Dec 2008 08:15:57 +0000

By changing the default SSH port to something different say 222 or 1022 one can add one step for attacker – port identification. I wonder if or how much that helps, is there anyone with the relevant setup/experience/data ?
(probably you can setup port rotating by month – january 1010, february 1011, etc ;)

By: Brute force SSH attack confounds defenders | H_acktivis_T

Brute force SSH attack confounds defenders | H_acktivis_T — Mon, 08 Dec 2008 19:33:57 +0000

[...] have been applied to mitigate the attack, but these are only partially successful, Arbor Networks warned on [...]

By: Jay Maynard

Jay Maynard — Mon, 08 Dec 2008 12:52:43 +0000

I’ve installed DenyHosts and enabled its distributed blacklist maintenance function. It’s stopped this attack cold at my system; I only get an attempt a day, maybe, from the botnet that it doesn’t stop.

By: Koos van den Hout

Koos van den Hout — Mon, 08 Dec 2008 12:35:05 +0000

I think this started around November 21 – 22 of 2008. I already saw a few distributed ssh attacks before but this was the first with exact timed coordination. I saw newsposts of people with the same username being tried within seconds from when it was in my logs. Comparing 2 hosts with adjacent IPs yielded the same IP trying the same names.

(I also mentioned the coordination at http://idefix.net/~koos/newsitem.cgi/1227707752 )

I did firewall all IPs trying invalid usernames after a while, this mostly shut up the attempts, making me think the size of the attacking network is not unlimited.