[Intrusions] SSH brute forcers
Smith, Donald
Donald.Smith at qwest.com
Wed Jun 1 16:01:37 GMT 2005
My question was originally to Jim McCullough and to the list in general.
I believe many of us do report abuse including ssh brute force attacks.
I believe corporations SHOULD blackhole sites and even netblocks when
they believe the risk from their network
is greater than the benefit of communicating with those networks.
I believe shared blacklists work. I use them myself and support several
of them.
I don't think ISPs should block valid netblocks unless they are
mitigating an actual virus, malware, ddos attack, phishing site etc...
and then they should block the smallest netblock (/32) possible.
Many ISPs use URPF or other BCP38 techniques to block bogon and dark ip
networks so hopefully there are a lot fewer attacks from 192.168.1.1 or
10.1.1.1 etc...
Not all ISPs do this.
Last but NOT least: I respect Mr. Hoelzer professionally; he and I have
our own brains and will therefore have differences of opinion at
times :) I welcome those differences; it wouldn't be much fun if we agreed
on everything.
donald.smith at qwest.com giac
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> DHoelzer at cyber-defense.org
> Sent: Tuesday, May 31, 2005 4:38 PM
> To: Intrusions List (GCIA Practicals)
> Subject: RE: [Intrusions] SSH brute forcers
>
>
> At this point I'm not entirely sure who this is directed to.
>
> <soapbox>
> Of course I report. My systems were originally sending
> auto-reports to
> ISPs and block owners. I'm personally very tired of hearing,
> "We don't
> have time to track down scanners" regardless of the fact that
> we all know
> the scans are coming from compromised machines. You can do
> whatever you
> like, but the decision for my corporation and for my clients is to
> escalate through blacklisting. More than one of my customers
> has pretty
> much all of China blocked, not because they want to, but
> because they are
> simply tired of sending reports with no action by any
> provider, upstream
> or not.
>
> This comes down to survival of the fittest: I'm immensely
> more interested
> in protecting my hosts than I am in protecting yours,
> especially when the
> you in yours don't seem to care that they have been
> compromised. This
> comes back to the question that I invariably get whenever I teach an
> intrusion detection course: "But how can 192.168.1.1 come at
> you from the
> Internet. Don't ISPs block those addresses?"
> </soapbox>
>
> -----------------------------------------------------
> David Hoelzer
> Cyber-Defense.org
> http://www.cyber-defense.org/CV.html
>
> "Smith, Donald" <Donald.Smith at qwest.com>
> Sent by: intrusions-bounces at lists.sans.org
> 05/31/2005 12:50 PM
> Please respond to
> "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
>
>
> To
> "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
> cc
>
> Subject
> RE: [Intrusions] SSH brute forcers
>
>
>
>
>
>
> I must echo Scott's question and make a comment.
> How many of the bruteforce ssh IPs do you report to the ISPs?
>
> My comment is we as a community are FAILING!
> Every bruteforce password guessing sshd attempt I have
> tracked/seen went
> to a host that was compromised via bruteforce password
> guessing. I think
> this continues to grow because we don't report them soon
> enough. If you
> get a host attempting brute force sshd you should report it
> asap. It is
> not spoofed. If we report enough of them eventually we should run into
> the first hop system. From that system the actual hacker could be
> traced.
>
> We as a community should be able to quickly report and
> respond to these;
> if we did, we would be winning rather than losing this battle.
>
> I know there are lots of ways to automatically turn these away with
> syslog to ipfilters and other similar "ips" like tools. Perhaps a good
> autoreporting tool could assist us in this effort.
>
>
> donald.smith at qwest.com giac
>
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> Scott Mcintyre
> > Sent: Monday, May 30, 2005 2:11 PM
> > To: Intrusions List (GCIA Practicals)
> > Subject: Re: [Intrusions] SSH brute forcers
> >
> >
> > How many of the IPs do you actually report to the ISPs?
> >
> > BruteForcing in general should not be much of a problem,
> > install brute
> > force detectors; there's lots out there. Even if someone does brute
> > force you for a reason, you should not have anything to worry about
> > providing you use strong passwords.
> >
> > > WOOOHOOO. It's getting to the point that the SSH brute
> > force attempts
> > > on the 2 servers I am working on atm are coming at 4 to 8 times a
> > day,
> > > no reasoning behind the number of attempts yet either.
> > >
> > > Jim McCullough
> > >
> > > On 5/28/05, DHoelzer at cyber-defense.org
> <DHoelzer at cyber-defense.org>
> > wrote:
> > > > I've been automatically shunning SSH brute forcers for several
> > months now
> > > > but I've recently decided to become a bit more
> aggressive. I am
> > now
> > > > publishing a blacklist populated by known SSH
> > bruteforcing sources
> > on my
> > > > site that is updated every minute based on my own detects from
> > several
> > > > sites. If you have any addresses to contribute please
> send them
> > my way.
> > > > Feel free to grab a copy of the list if you want to
> populate your
> > ACLs
> > > > which is what I'm doing for my customers.
> > > >
> > > > Best regards
> > > > -----------------------------------------------------
> > > > David Hoelzer
> > > > Cyber-Defense.org
> > > > http://www.cyber-defense.org/CV.html
> > > > _______________________________________________
> > > > Intrusions mailing list
> > > > Intrusions at lists.sans.org
> > > > http://www.dshield.org/mailman/listinfo/intrusions
> > > >
> > >
> > >
> > > --
> > > Jim McCullough
> > >
> >
> >
>
>
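The "syslog to ipfilter" blocking and the autoreporting tool Donald Smith asks for in the thread, sketched as an added example (not code from the list or from any poster): it parses OpenSSH failed-login syslog lines, counts failures per source inside a sliding time window, emits one /32 block rule per offender (the smallest netblock, as the first message argues) and a plain-text abuse summary for the source's provider. The log lines, the hostname "bastion", the year and the ipfilter rule syntax are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog line for a failed password; "invalid user" appears for unknown accounts.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2005  # syslog timestamps carry no year, so one is supplied here (assumption)

# Constructed sample log lines (RFC 5737 documentation addresses), not real detects.
LOG = """\
Jun  1 03:12:01 bastion sshd[4410]: Failed password for root from 203.0.113.9 port 4321 ssh2
Jun  1 03:12:03 bastion sshd[4412]: Failed password for invalid user admin from 203.0.113.9 port 4323 ssh2
Jun  1 03:12:05 bastion sshd[4414]: Failed password for invalid user test from 203.0.113.9 port 4325 ssh2
Jun  1 03:12:06 bastion sshd[4416]: Failed password for root from 203.0.113.9 port 4327 ssh2
Jun  1 03:12:08 bastion sshd[4418]: Failed password for invalid user oracle from 203.0.113.9 port 4329 ssh2
Jun  1 03:15:00 bastion sshd[4500]: Accepted publickey for dsmith from 198.51.100.20 port 50022 ssh2
Jun  1 03:20:00 bastion sshd[4510]: Failed password for dsmith from 198.51.100.20 port 50030 ssh2
Jun  1 04:20:00 bastion sshd[4600]: Failed password for dsmith from 198.51.100.20 port 50040 ssh2
""".splitlines()

def detect(lines, threshold=5, window_s=60):
    """Sources with >= threshold failed logins inside any window_s span -> {ip: {first, failures, users}}."""
    recent, failures, users, first, hits = defaultdict(deque), defaultdict(int), defaultdict(set), {}, set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                        # successful logins and other noise are ignored
        ip, ts = m["ip"], datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        first.setdefault(ip, ts)
        failures[ip] += 1
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                     # slide the window forward
        if len(q) >= threshold:             # a typo an hour apart never trips this
            hits.add(ip)
    return {ip: {"first": first[ip], "failures": failures[ip], "users": sorted(users[ip])} for ip in hits}

def block_rules(hits):
    """One /32 per offending source, the smallest netblock possible (ipfilter-style rule text, assumed)."""
    return [f"block in quick proto tcp from {ip}/32 to any port = 22" for ip in sorted(hits)]

def abuse_report(ip, info):
    """Plain-text summary for the source's abuse contact; the address is not spoofed, so it is reportable."""
    return (f"Source: {ip}\nFirst seen: {info['first']:%Y-%m-%d %H:%M:%S}\n"
            f"Failed sshd logins: {info['failures']}\nUsernames tried: {', '.join(info['users'])}\n")
```

With the defaults, 203.0.113.9 trips the detector after five failures in seven seconds, while the two spaced-out failures from 198.51.100.20 do not; raising the window and lowering the threshold would catch slow guessing at the cost of more false positives.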