lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Jun 2010 11:45:22 -0400
From: Gary Baribault <gary@...ibault.net>
To: Benji <me@...ji.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks

What the question was asking was 'is anyone else' having one machine
attacked in particular as opposed to all of their machines.

What I explained in the original post was that in all past instances
(many times a day, every day) when one machine is attacked, the other
is as well, since they are close to each other on a major cable modem
ISP. In this case only one of the machines is being attacked, and it's
a relatively stealthy attack.

So the question is if anyone else is seeing the same type of activity.

Gary Baribault
Courriel: gary@...ibault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 11:04 AM, Benji wrote:
> What?
>
> Think about what you said.
>
> Anyone. else. seeing. a. targetted. attack.
>
> Why would anyone else see a TARGETTED attack?
>
> anyway, no, you're not special, distributed SSH bruteforce is normal.
>
>
> On Thu, Jun 17, 2010 at 1:44 PM, Gary Baribault <gary@...ibault.net> wrote:
>> I just knew that people would say that, and that's why I specified
>> that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
>> interesting to see new types of attacks. The question here is whether
>> anyone else is seeing such a targeted attack.
>>
>> Gary Baribault
>> Courriel: gary@...ibault.net
>> GPG Key: 0x685430d1
>> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>>
>>
>> On 06/17/2010 08:28 AM, dink@...inkydink.com wrote:
>>>
>>> Have you ever considered obfuscated-openssh?
>>>
>>> http://github.com/brl/obfuscated-openssh
>>>
>>> I have a modified version of PuTTY available for it...
>>>
>>> http://www.mrhinkydink.com/potty.htm
>>>
>>> Still... you should change the freakin' port.
>>>
>>> -------- Original Message -------- Subject: [Full-disclosure]
>>> targetted SSH bruteforce attacks From: Gary Baribault
>>> <gary@...ibault.net> Date: Thu, June 17, 2010 7:48 am To:
>>> full-disclosure@...ts.grok.org.uk
>>>
>>> Hello list,
>>>
>>> I have a strange situation and would like information from the list
>>> members. I have three Linux boxes exposed to the Internet. Two of
>>> them are on cable modems, and both have two services that are
>>> publicly available. In both cases, I have SSH and named running and
>>> available to the public. Before you folks say it, yes I run SSH on
>>> TCP/22 and no I don't want to move it to another port, and no I
>>> don't want to restrict it to certain source IPs.
>>>
>>> Both of these systems are within one /21 and get attacked
>>> regularly. I run Denyhosts on them, and update the central server
>>> once an hour with attacking IPs, and obviously also download the
>>> public hosts.deny list.
>>>
>>> These machines get hit regularly, so often that I don't really
>>> care, it's fun to make the script kiddies waste their time! But in
>>> this instance, only my home box is being attacked... someone is
>>> burning a lot of cycles and hosts to do a distributed dictionary
>>> attack on my one box! The named daemon is non recursive, properly
>>> configured, up to date and not being attacked.
>>>
>>> Is anyone else seeing this type of attack? Or is someone really
>>> targeting MY box?
>>>
>>> Thanks
>>>
>>>
>>> Gary Baribault Courriel: gary@...ibault.net GPG Key: 0x685430d1
>>> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>>>
>>> _______________________________________________ Full-Disclosure -
>>> We believe in it. Charter:
>>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
>>> sponsored by Secunia - http://secunia.com/
>>>
>>> _______________________________________________ Full-Disclosure -
>>> We believe in it. Charter:
>>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
>>> sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists