[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4C1A1A46.1070801@baribault.net>
Date: Thu, 17 Jun 2010 08:51:18 -0400
From: Gary Baribault <gary@...ibault.net>
To: Adam Richards <adam.richards@...mln.com>,
full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks
Did you ever figure out if YOU where targeted or if someone just liked
your box? In my case I have two servers within one IP block for the
cable modem provider, and in the past BOTH boxes where always attacked
together, which indicated that it was probably the entire ISP that was
targeted. In this case it's only one of my boxes.
I'm not particularly worried, root is not allowed, and on that box
there is only one valid UID that's allowed SSH access.
Gary Baribault
Courriel: gary@...ibault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
On 06/17/2010 08:37 AM, Adam Richards wrote:
> I had an attacker go after one of my FreeBSD machines for almost two
> months straight. I wrote my own denyhost (like) script and banned his
> IP's constantly, but it didn't stop until he ran out of proxies I guess.
> Either that or it was busy season for my ip block.
>
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Gary
> Baribault
> Sent: Thursday, June 17, 2010 6:48 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] targetted SSH bruteforce attacks
>
> Hello list,
>
> I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.
>
> Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
>
> These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
>
> Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
>
> Thanks
>
>
> Gary Baribault
> Courriel: gary@...ibault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists