[Intrusions] SSH brute forcers
Smith, Donald
Donald.Smith at qwest.com
Tue May 31 19:50:13 GMT 2005
I must echo Scott's question and make a comment.
How many of the bruteforce ssh IPs do you report to the ISPs?
My comment is we as a community are FAILING!
Every bruteforce password guessing sshd attempt I have tracked/seen went
to a host that was compromised via bruteforce password guessing. I think
this continues to grow because we don't report them soon enough. If you
get a host attempting brute force sshd you should report it asap. It is
not spoofed. If we report enough of them eventually we should run into
the first hop system. From that system the actual hacker could be
traced.
We as a community should be able to quickly report and respond to these;
if we did, we would be winning rather than losing this battle.
I know there are lots of ways to automatically turn these away with
syslog to ipfilters and other similar "ips" like tools. Perhaps a good
autoreporting tool could assist us in this effort.
donald.smith at qwest.com giac
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott Mcintyre
> Sent: Monday, May 30, 2005 2:11 PM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] SSH brute forcers
>
>
> How many of the IPs do you actually report to the ISPs?
>
> BruteForcing in general should not be much of a problem, install brute
> force detectors, there's lots out there. Even if someone does brute
> force you for a reason, you should not have anything to worry about
> providing you use strong passwords.
>
> > WOOOHOOO. It's getting to the point that the SSH brute force attempts
> > on the 2 servers I am working on atm are coming at 4 to 8 times a day,
> > no reasoning behind the number of attempts yet either.
> >
> > Jim McCullough
> >
> > On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org> wrote:
> > > I've been automatically shunning SSH brute forcers for several months now
> > > but I've recently decided to become a bit more aggressive. I am now
> > > publishing a blacklist populated by known SSH bruteforcing sources on my
> > > site that is updated every minute based on my own detects from several
> > > sites. If you have any addresses to contribute please send them my way.
> > > Feel free to grab a copy of the list if you want to populate your ACLs
> > > which is what I'm doing for my customers.
> > >
> > > Best regards
> > > -----------------------------------------------------
> > > David Hoelzer
> > > Cyber-Defense.org
> > > http://www.cyber-defense.org/CV.html
> > > _______________________________________________
> > > Intrusions mailing list
> > > Intrusions at lists.sans.org
> > > http://www.dshield.org/mailman/listinfo/intrusions
> > >
> >
> >
> > --
> > Jim McCullough
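Donald's remark about turning brute-forcers away with syslog-driven filters and an autoreporting tool, as an added example that is not part of the thread: a Python sketch that parses OpenSSH "Failed password" syslog lines, flags sources that exceed a failure threshold inside a sliding time window, and formats the lines one would paste into an abuse report to the owning ISP. The log lines, hostnames, addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd syslog lines (not from the list thread); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
May 31 19:40:01 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May 31 19:40:02 gw sshd[2102]: Failed password for root from 192.0.2.10 port 51235 ssh2
May 31 19:40:03 gw sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 51236 ssh2
May 31 19:40:05 gw sshd[2104]: Failed password for root from 192.0.2.10 port 51237 ssh2
May 31 19:40:06 gw sshd[2105]: Failed password for invalid user oracle from 192.0.2.10 port 51238 ssh2
May 31 19:41:15 gw sshd[2111]: Accepted publickey for bob from 203.0.113.5 port 40002 ssh2
May 31 19:55:00 gw sshd[2120]: Failed password for root from 198.51.100.7 port 33000 ssh2
May 31 19:57:00 gw sshd[2121]: Failed password for root from 198.51.100.7 port 33001 ssh2
"""

# Matches the OpenSSH "Failed password" line; "invalid user" marks names that do not exist locally.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2005):
    """Yield (timestamp, username, source_ip) for each failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog omits the year, so it must be supplied by the caller
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, usernames_tried)} for every source that produced
    at least `threshold` failures inside any `window_seconds`-long sliding window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it spans <= window_seconds
            if end - start + 1 >= threshold:
                hits[ip] = (len(events), sorted({u for _, u in events}))
                break
    return hits

def abuse_report(hits):
    """One plain-text line per offending source, suitable for an abuse@ report to the owning ISP."""
    return [f"{ip}: {n} failed sshd logins, usernames tried: {', '.join(users)}"
            for ip, (n, users) in sorted(hits.items())]
```

The slow source (two failures two minutes apart) stays below the default window on purpose; lowering the threshold or widening the window trades false positives for catching low-and-slow guessing.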