lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 17 Jun 2010 08:47:00 -0400
From: Gary Baribault <gary@...ibault.net>
To: Gregory Bellier <gregory.bellier@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks

My Denyhosts daemon is configured pretty much like that, but it uses
TCP Wrapper (hosts.deny) instead of the firewall and it uploads the
attacking IPs to a central server every hour for other Denyhosts users.

Gary Baribault
Courriel: gary@...ibault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 06/17/2010 08:32 AM, Gregory Bellier wrote:
> Hi !
>
> Most of the time (to not say everytime), it's a bot and not a human
> behind those attacks.
> I configured my firewall to ban for a minute every IPs trying to log
> in with 5 wrong attempts.
> Once it's banned, the bot tries one or two more times and then give up.
>
> It's pretty much effective.
>
> 
>
> 2010/6/17 Gary Baribault <gary@...ibault.net
> <mailto:gary@...ibault.net>>
>
>     Hello list,
>
>        I have a strange situation and would like information from the
>     list members. I have three Linux boxes exposed to the Internet.
>     Two of
>     them are on cable modems, and both have two services that are
>     publicly
>     available. In both cases, I have SSH and named running and available
>     to the public. Before you folks say it, yes I run SSH on TCP/22
>     and no
>     I don't want to move it to another port, and no I don't want to
>     restrict it to certain source IPs.
>
>        Both of these systems are within one /21 and get attacked
>     regularly. I run Denyhosts on them, and update the central
>     server once
>     an hour with attacking IPs, and obviously also download the public
>     hosts.deny list.
>
>        These machines get hit regularly, so often that I don't really
>     care, it's fun to make the script kiddies waste their time! But in
>     this instance, only my home box is being attacked... someone is
>     burning a lot of cycles and hosts to do a distributed dictionary
>     attack on my one box! The named daemon is non recursive, properly
>     configured, up to date and not being attacked.
>
>        Is anyone else seeing this type of attack? Or is someone really
>     targeting MY box?
>
>     Thanks
>
>
>     Gary Baribault
>     Courriel: gary@...ibault.net <mailto:gary@...ibault.net>
>     GPG Key: 0x685430d1
>     Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
>
>


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ