| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Jun 2010 10:15:15 -0400
From: Valdis.Kletnieks@...edu
To: Gary Baribault <gary@...ibault.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks
On Thu, 17 Jun 2010 07:48:18 EDT, Gary Baribault said:
> Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
>
> These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box!
One of two things springs to mind:
1) when they scanned your address space looking for SSH hosts to try to
whack, your one host didn't report as a target for some random reason.
2) they're handling their list of targets in a pseudo-random order. We've
seen attacking IPs pound on 2 or 3 hosts in our /16 for a few days, then go
away, and 2-3 weeks later return to pound on other targets.
Bottom line: Either they didn't notice your other box, or they'll get around
to poking it in a few weeks...
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists