[Intrusions] Re: SSH brute forcers
Mimi The Brain
mimithebrain at gmail.com
Wed Jun 1 00:20:19 GMT 2005
are we talking here about a spreading attack? more and more computers
assisting in the compromising of more computers spreading the attack
themselves afterwards?
ummm. I should check *my* logs...
On 5/31/05, Smith, Donald <Donald.Smith at qwest.com> wrote:
> I must echo Scott's question and make a comment.
> How many of the bruteforce ssh IPs do you report to the ISPs?
>
> My comment is we as a community are FAILING!
> Every bruteforce password guessing sshd attempt I have tracked/seen went
> to a host that was compromised via bruteforce password guessing. I think
> this continues to grow because we don't report them soon enough. If you
> get a host attempting brute force sshd you should report it asap. It is
> not spoofed. If we report enough of them eventually we should run into
> the first hop system. From that system the actual hacker could be
> traced.
>
> We as a community should be able to quickly report and respond to these;
> if we did, we would be winning rather than losing this battle.
>
> I know there are lots of ways to automatically turn these away with
> syslog to ipfilters and other similar "ips" like tools. Perhaps a good
> autoreporting tool could assist us in this effort.
>
>
> donald.smith at qwest.com giac
>
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott Mcintyre
> > Sent: Monday, May 30, 2005 2:11 PM
> > To: Intrusions List (GCIA Practicals)
> > Subject: Re: [Intrusions] SSH brute forcers
> >
> >
> > How many of the ips do you actually report to the isps?
> >
> > BruteForcing in general should not be much of a problem, install brute
> > force detectors, there's lots out there. Even if someone does brute
> > force you for a reason, you should not have anything to worry about
> > providing you use strong passwords.
> >
> > > WOOOHOOO. It's getting to the point that the SSH brute force attempts
> > > on the 2 servers I am working on atm are coming at 4 to 8 times a day,
> > > no reasoning behind the number of attempts yet either.
> > >
> > > Jim McCullough
> > >
> > > On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org> wrote:
> > > > I've been automatically shunning SSH brute forcers for several months now
> > > > but I've recently decided to become a bit more aggressive. I am now
> > > > publishing a blacklist populated by known SSH bruteforcing sources on my
> > > > site that is updated every minute based on my own detects from several
> > > > sites. If you have any addresses to contribute please send them my way.
> > > > Feel free to grab a copy of the list if you want to populate your ACLs
> > > > which is what I'm doing for my customers.
> > > >
> > > > Best regards
> > > > -----------------------------------------------------
> > > > David Hoelzer
> > > > Cyber-Defense.org
> > > > http://www.cyber-defense.org/CV.html
> > > > _______________________________________________
> > > > Intrusions mailing list
> > > > Intrusions at lists.sans.org
> > > > http://www.dshield.org/mailman/listinfo/intrusions
> > > >
> > >
> > >
> > > --
> > > Jim McCullough
> > >
> >
> >
>
--
have a nice day
mimithebrain
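
Added example (not part of the thread or any poster's tooling): a minimal take on the "autoreporting tool" idea raised above, which pulls failed sshd password attempts out of syslog, flags sources that exceed a threshold inside a sliding window, and builds an evidence block for an abuse contact. The function names, the threshold of 5 in 10 minutes, the `tz` label and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines; IPs are from documentation ranges, not real sources.
SAMPLE_LOG = """\
May 31 03:12:01 host1 sshd[2211]: Failed password for root from 192.0.2.10 port 40112 ssh2
May 31 03:12:04 host1 sshd[2213]: Failed password for illegal user test from 192.0.2.10 port 40115 ssh2
May 31 03:12:07 host1 sshd[2215]: Failed password for illegal user admin from 192.0.2.10 port 40119 ssh2
May 31 03:12:10 host1 sshd[2217]: Failed password for illegal user guest from 192.0.2.10 port 40123 ssh2
May 31 03:12:13 host1 sshd[2219]: Failed password for root from 192.0.2.10 port 40127 ssh2
May 31 09:40:51 host1 sshd[3310]: Failed password for jim from 198.51.100.7 port 51100 ssh2
May 31 09:41:02 host1 sshd[3310]: Accepted password for jim from 198.51.100.7 port 51100 ssh2
"""

# Older OpenSSH logs "illegal user", newer releases log "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(\S+) from (\d+\.\d+\.\d+\.\d+) ")

def find_bruteforcers(log_text, year, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> sorted failed-login events, for IPs that reach
    `threshold` failures inside any sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(3)].append((ts, m.group(2), line))
    flagged = {}
    for ip, hits in events.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end, (ts, _, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1          # drop events that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = hits
                break
    return flagged

def abuse_report(ip, hits, tz="UTC"):
    """Plain-text evidence block; `tz` is an assumed label for the log's clock."""
    users = ", ".join(sorted({u for _, u, _ in hits}))
    head = (f"Source {ip}: {len(hits)} failed SSH logins between "
            f"{hits[0][0]} and {hits[-1][0]} ({tz}); usernames tried: {users}")
    return "\n".join([head, "Log excerpt:"] + [line for _, _, line in hits])

if __name__ == "__main__":
    for ip, hits in find_bruteforcers(SAMPLE_LOG, year=2005).items():
        print(abuse_report(ip, hits), end="\n\n")
```

The single mistyped password from 198.51.100.7 followed by a successful login stays below the threshold, so only the sustained guessing source ends up in a report.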