lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4C223B9D.8020009@hawkhost.com>
Date: Wed, 23 Jun 2010 12:51:41 -0400
From: Cody Robertson <cody@...khost.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks

On 6/23/10 12:38 PM, Gary Baribault wrote:
> In this attack, there's no need to throttle, the attacking computers hit
> it once every 15 seconds or so from many different sources. My denyhosts
> is not blocking 99.999% of the attempts.
> 
> Gary Baribault
> Courriel: gary@...ibault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
> 
> 
> On 06/23/2010 12:33 PM, Cody Robertson wrote:
>> On 6/23/10 4:22 AM, yersinia wrote:
>>   
>>> On Thu, Jun 17, 2010 at 4:21 PM, Samuel Martín Moro <faust64@...il.com>wrote:
>>>
>>>     
>>>> I also don't want to change my ssh port, nor restrict incoming IPs, ... and
>>>> I use keys only to log in without entering password.
>>>> So you're not alone.
>>>> I had my IP changed several times, my servers are only hosting personal
>>>> data.
>>>> But I'm still seeing bruteforce attemps in my logs.
>>>>
>>>> Here's something I use on my servers.
>>>> In cron, every 5-10 minutes, that should do it.
>>>> Of course, if you're running *BSD, pf is way more interesting to do that.
>>>>
>>>> Perhaps could be better to use something standard as fail2ban
>>>>       
>>> http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/?
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>     
>> If you have iptables it has ways you can do this throttle too many
>> connections within a specified period. I much prefer using something
>> such as this over third party software.
>>
>> I'm sure you can do this in PF however I'm not familiar with it enough
>> to be certain (I'd be surprised if you couldn't however).
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>   
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

It tends to vary for my machines however it still catches quite a bit of
throttling. Regardless it was just a recommendation to avoid using third
party software for something so trivial.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ