[Intrusions] SSH brute forcers

Smith, Donald Donald.Smith at qwest.com
Thu Jun 2 22:21:29 GMT 2005



donald.smith at qwest.com giac 

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of 
> ebios at ebios.wnaft.agh.edu.pl
> Sent: Thursday, June 02, 2005 3:18 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] SSH brute forcers
> 
> 
> 
> Hello
> 
> Well, I think that the major problem while blacklisting is dealing with 
> dynamic IPs. Filtering them out of huge logs is legitimate under one 
> condition - the responsible ISP shall undertake proper measures to track 
> the offender or at least block the unique MAC address on its router.

Most of us do. I cannot speak for all ISPs, nor even for qwest,
but here are some general comments.

Most dynamic IPs are tracked back to an account, not a MAC.
To do that we need the IP, logs (proof) and time stamps with timezone
info.

Depending on the ISP's AUP users may get several warnings before being
disabled.
Depending on the ISP's abuse staff load this might take a day or two.

> If not, there is actually no point in blacklisting dyn IPs unless we ban 
> the whole address family/domain.
> IMHO there is no point in being open worldwide on all ports our box is 
> listening on. By using tcpwrappers we can authorize pointed hosts or whole 
> domains with an a priori specified ident to access chosen services, all other 
> traffic being wiped away with RST.
> Actually I do have an ALL:ALL statement in /etc/hosts.deny, while 
> /etc/hosts.allow enables some trusted hosts to access some services.
> It is up to the sysop to decide which services are allowed for all, which are 
> restricted to localhost, and which are accessible from several trusted 
> machines [with static IP or dyn IP with previously defined ident].

Agreed.

> 
> Best regards
> Wojciech Krolik
> 
> 
> On Wed, 1 Jun 2005, Joel Esler wrote:
> 
> > I get about 10-20 attempts on my box (different IPs) all adding up
> > to about 200-300 attempts per day.  I don't know if it's because it's
> > on my blog, or people just really want access to my box.  Have no
> > idea...
> >
> > But I would love to blackhole them.  I think I can automate that...
> > Where should I send them?  Here?
> >
> > Joel
> >
> 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 
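As an added example, not code from anyone in this thread: a Python script that turns sshd "Failed password" log lines into the per-source evidence Donald says an ISP abuse desk needs (IP, counts, first/last seen with timezone info) and emits matching tcpwrappers hosts.deny lines for the sshd service. The log lines, the year 2005 and the UTC-6 host clock are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Constructed sample lines in classic syslog format (no year, no UTC offset),
# using RFC 5737 documentation addresses; not taken from any real log.
SAMPLE_LOG = """\
Jun  2 03:17:44 gw sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Jun  2 03:17:46 gw sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 4322 ssh2
Jun  2 03:17:49 gw sshd[2233]: Failed password for root from 192.0.2.10 port 4323 ssh2
Jun  2 03:18:01 gw sshd[2235]: Failed password for invalid user test from 192.0.2.10 port 4324 ssh2
Jun  2 03:20:12 gw sshd[2240]: Failed password for alice from 198.51.100.7 port 50022 ssh2
Jun  2 03:20:30 gw sshd[2241]: Accepted password for alice from 198.51.100.7 port 50023 ssh2
"""
LOG_YEAR = 2005                                 # assumed: syslog omits the year
LOG_TZ = timezone(timedelta(hours=-6))          # assumed: log host clock is UTC-6

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize_failures(log_text, year, tz, threshold=3):
    """Group sshd failed logins by source IP; return sources at/above threshold.

    Output timestamps are ISO 8601 with UTC offset, so the evidence can be
    mapped to a dynamic-IP lease without guessing the reporter's timezone.
    """
    per_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        rec = per_ip[m["ip"]]
        rec["count"] += 1
        rec["users"].add(m["user"])
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return [
        {"ip": ip, "failures": r["count"], "usernames": sorted(r["users"]),
         "first_seen": r["first"].isoformat(), "last_seen": r["last"].isoformat()}
        for ip, r in sorted(per_ip.items()) if r["count"] >= threshold
    ]

def hosts_deny_lines(report):
    """tcpwrappers /etc/hosts.deny entries blocking only sshd for each reported source."""
    return [f"sshd: {entry['ip']}" for entry in report]

def demo_report():
    return summarize_failures(SAMPLE_LOG, LOG_YEAR, LOG_TZ)

if __name__ == "__main__":
    for entry in demo_report():
        print(entry)
    print("\n".join(hosts_deny_lines(demo_report())))
```

The single failure from 198.51.100.7 followed by an accepted login stays below the threshold, so only the source that tried three usernames in under a minute is reported.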