Message-ID: <4C1A18B7.1080802@baribault.net>
Date: Thu, 17 Jun 2010 08:44:39 -0400
From: Gary Baribault <gary@...ibault.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks

I just knew that people would say that, and that's why I specified
that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
interesting to see new types of attacks. The question here is whether
anyone else is seeing such a targeted attack.

Gary Baribault
Email: gary@...ibault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 08:28 AM, dink@...inkydink.com wrote:
>
> Have you ever considered obfuscated-openssh?
>
> http://github.com/brl/obfuscated-openssh
>
> I have a modified version of PuTTY available for it...
>
> http://www.mrhinkydink.com/potty.htm
>
> Still... you should change the freakin' port.
>
> -------- Original Message --------
> Subject: [Full-disclosure] targetted SSH bruteforce attacks
> From: Gary Baribault <gary@...ibault.net>
> Date: Thu, June 17, 2010 7:48 am
> To: full-disclosure@...ts.grok.org.uk
>
> Hello list,
>
> I have a strange situation and would like information from the list
> members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are
> publicly available. In both cases, I have SSH and named running and
> available to the public. Before you folks say it, yes I run SSH on
> TCP/22 and no I don't want to move it to another port, and no I
> don't want to restrict it to certain source IPs.
>
> Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server
> once an hour with attacking IPs, and obviously also download the
> public hosts.deny list.
>
> These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
>
> Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
>
> Thanks
>
>
> Gary Baribault
> Email: gary@...ibault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
>

