[Intrusions] SSH brute forcing attacks
Tina Bird
tbird at precision-guesswork.com
Tue May 17 18:21:37 GMT 2005
Hi Andrew:
> However, this assumption may not be valid ... I think we have
> had maybe
> 3 machines compromised in this way, from attacks running for weeks or
> months against hundreds of machines.
Is it possible that your systems have been included in these widespread
compromises?:
http://www.cnn.com/2005/TECH/05/10/govt.computer.hacker/index.html
(or more relevantly)
http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html
> Since we have, generally speaking, a need for legitimate
> access for users
> around the world from home, travelling or working at other
> institutions
> we allow SSH access to most non-sensitive machines.
> However, in view of these attacks I have implemented a dynamic filter
> via system-wide logging - multiple login failures across monitored
> machines will result in the source being blocked.
Multiple failures may not give you what you need, since in many cases (if
it's the same set of attackers) the passwords have already been compromised.
Before I left Stanford, we were setting up a system in which we recorded all
sources of inbound SSH connections, and generated a once-a-day report on
"never before seen" sources. We could then follow up on those.
Time-consuming, but very useful.
Marcus Ranum's written a "Never Before Seen" log parsing tool. It's
available at
http://www.ranum.com/security/computer_security/code/
HTH - tbird
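An added example, not the post's own code or Ranum's NBS tool, of the once-a-day "never before seen" report described above: a baseline of previously seen SSH source addresses, one day's sshd log (constructed sample lines, placeholder addresses) and a report of sources absent from the baseline, with accepted logins listed first because those are exactly what a failure-count filter misses when the password is already stolen.

```python
import re

# Constructed sample sshd syslog lines (not from the post); addresses are placeholders.
SAMPLE_LOG = """\
May 17 03:12:01 host1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
May 17 03:15:44 host1 sshd[2130]: Failed password for root from 198.51.100.7 port 40110 ssh2
May 17 03:15:46 host1 sshd[2130]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
May 17 04:01:09 host2 sshd[880]: Accepted password for bob from 203.0.113.55 port 60001 ssh2
May 17 04:20:33 host2 sshd[901]: Accepted publickey for alice from 192.0.2.10 port 51030 ssh2
"""

# Matches OpenSSH "Accepted"/"Failed" auth lines, including the "invalid user" form.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

def parse_events(log_text):
    """Return a list of {result, user, src} dicts, one per sshd auth line."""
    return [m.groupdict() for m in map(SSHD_RE.search, log_text.splitlines()) if m]

def never_before_seen(events, baseline):
    """Return (new, updated_baseline): sources in today's events that are absent
    from the baseline, plus the baseline extended with everything seen today.

    Each new source records the users tried from it and whether any login was
    accepted, so a successful login from an unseen source surfaces even with
    zero failures, which a failure-count filter would never block.
    """
    new = {}
    for ev in events:
        if ev["src"] in baseline:
            continue
        entry = new.setdefault(ev["src"], {"users": set(), "accepted": False})
        entry["users"].add(ev["user"])
        entry["accepted"] |= ev["result"] == "Accepted"
    return new, baseline | {ev["src"] for ev in events}

def format_report(new):
    """One line per new source, accepted logins first (highest follow-up priority)."""
    ordered = sorted(new.items(), key=lambda kv: (not kv[1]["accepted"], kv[0]))
    return [f"{'ACCEPTED' if e['accepted'] else 'failed'}\t{src}\tusers={sorted(e['users'])}"
            for src, e in ordered]

if __name__ == "__main__":
    baseline = {"192.0.2.10"}  # constructed: sources already seen on earlier days
    new, baseline = never_before_seen(parse_events(SAMPLE_LOG), baseline)
    print("\n".join(format_report(new)))
```

In practice the updated baseline is persisted between daily runs, and the report is what the analyst follows up on; the baseline should be seeded only from sources that have already been checked.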