[Intrusions] SSH brute forcers
Scott Mcintyre
security at isnnetworks.net
Tue May 31 21:51:08 GMT 2005
I agree, I have been thinking lately about making servers "stream"
their logs, so you can pick up brute forcers,
and then have some sort of auto reporting.
> I must echo Scott's question and make a comment.
> How many of the bruteforce ssh IPs do you report to the ISPs?
>
> My comment is we as a community are FAILING!
> Every bruteforce password guessing sshd attempt I have tracked/seen went
> to a host that was compromised via bruteforce password guessing. I think
> this continues to grow because we don't report them soon enough. If you
> get a host attempting brute force sshd you should report it asap. It is
> not spoofed. If we report enough of them eventually we should run into
> the first hop system. From that system the actual hacker could be
> traced.
>
> We as a community should be able to quickly report and respond to these;
> if we did we would be winning rather than losing this battle.
>
> I know there are lots of ways to automatically turn these away with
> syslog to ipfilters and other similar "ips" like tools. Perhaps a good
> autoreporting tool could assist us in this effort.
>
>
> donald.smith at qwest.com giac
>
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott Mcintyre
> > Sent: Monday, May 30, 2005 2:11 PM
> > To: Intrusions List (GCIA Practicals)
> > Subject: Re: [Intrusions] SSH brute forcers
> >
> >
> > How many of the IPs do you actually report to the ISPs?
> >
> > Brute forcing in general should not be much of a problem; install brute
> > force detectors, there's lots out there. Even if someone does brute
> > force you for a reason, you should not have anything to worry about
> > providing you use strong passwords.
> >
> > > WOOOHOOO. It's getting to the point that the SSH brute force attempts
> > > on the 2 servers I am working on atm are coming at 4 to 8 times a day,
> > > no reasoning behind the number of attempts yet either.
> > >
> > > Jim McCullough
> > >
> > > On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org> wrote:
> > > > I've been automatically shunning SSH brute forcers for several months now
> > > > but I've recently decided to become a bit more aggressive. I am now
> > > > publishing a blacklist populated by known SSH bruteforcing sources on my
> > > > site that is updated every minute based on my own detects from several
> > > > sites. If you have any addresses to contribute please send them my way.
> > > > Feel free to grab a copy of the list if you want to populate your ACLs
> > > > which is what I'm doing for my customers.
> > > >
> > > > Best regards
> > > > -----------------------------------------------------
> > > > David Hoelzer
> > > > Cyber-Defense.org
> > > > http://www.cyber-defense.org/CV.html
> > > > _______________________________________________
> > > > Intrusions mailing list
> > > > Intrusions at lists.sans.org
> > > > http://www.dshield.org/mailman/listinfo/intrusions
> > > >
> > >
> > >
> > > --
> > > Jim McCullough
> > >
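The thread asks for two things: a way to pick brute forcers out of streamed sshd logs, and an auto-reporting step so the source can be sent to its ISP (or fed to a syslog-to-ipfilter style shun). The block below is an added example written for this archive page, not code from any list member or from cyber-defense.org. It assumes OpenSSH-style "Failed password" syslog lines; the log lines, hostname, year and addresses (RFC 5737 documentation ranges) are constructed. It counts failures per source inside a sliding time window, so one mistyped password is never reported while a burst of guesses is, and renders both an abuse-report line and an ipfilter block rule per flagged source.

```python
"""Threshold detector for sshd password-guessing sources.

Added example for this thread; it is not code from any list member.
Assumes OpenSSH-style "Failed password" syslog lines; the sample lines are
constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: one fast guesser, one user who mistyped a
# password once, and one slow guesser spread over hours.
SAMPLE_LOG = """\
May 30 14:01:02 bastion sshd[2312]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
May 30 14:01:04 bastion sshd[2314]: Failed password for invalid user test from 203.0.113.45 port 51240 ssh2
May 30 14:01:05 bastion sshd[2316]: Failed password for root from 203.0.113.45 port 51244 ssh2
May 30 14:01:07 bastion sshd[2318]: Failed password for invalid user oracle from 203.0.113.45 port 51250 ssh2
May 30 14:01:08 bastion sshd[2320]: Failed password for root from 203.0.113.45 port 51252 ssh2
May 30 14:01:10 bastion sshd[2322]: Failed password for invalid user guest from 203.0.113.45 port 51260 ssh2
May 30 14:05:33 bastion sshd[2400]: Failed password for alice from 198.51.100.7 port 40022 ssh2
May 30 14:05:41 bastion sshd[2400]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
May 30 15:10:00 bastion sshd[2500]: Failed password for root from 192.0.2.9 port 33001 ssh2
May 30 16:20:00 bastion sshd[2510]: Failed password for root from 192.0.2.9 port 33002 ssh2
May 30 17:30:00 bastion sshd[2520]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2005):
    """Return (timestamp, username, source_ip) for every failed-password line.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_bruteforcers(events, threshold=5, window_seconds=300):
    """Flag any source with at least `threshold` failures inside a sliding
    window of `window_seconds`. A single mistyped password never trips it;
    the window length decides how slow a guesser can be and still be caught."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        times = [t for t, _ in hits]
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "total": len(hits),
                "max_in_window": best,
                "first_seen": times[0],
                "last_seen": times[-1],
                "users": sorted({u for _, u in hits}),
            }
    return flagged


def abuse_report(flagged):
    """One line per flagged source, in the form an abuse contact can act on:
    what happened, how often, when (log local time) and which accounts were tried."""
    lines = []
    for ip, info in sorted(flagged.items()):
        lines.append(
            f"{ip}: {info['total']} failed sshd logins "
            f"({info['max_in_window']} within the window), "
            f"{info['first_seen']:%Y-%m-%d %H:%M:%S} to "
            f"{info['last_seen']:%Y-%m-%d %H:%M:%S}, "
            f"usernames tried: {', '.join(info['users'])}"
        )
    return "\n".join(lines)


def ipf_rules(flagged):
    """Local shunning counterpart: one ipfilter 'block' rule per flagged source."""
    return [f"block in quick from {ip}/32 to any" for ip in sorted(flagged)]


if __name__ == "__main__":
    flagged = find_bruteforcers(parse_failures(SAMPLE_LOG))
    print(abuse_report(flagged))
    print("\n".join(ipf_rules(flagged)))
```

With the defaults only the fast guesser (203.0.113.45) is flagged; widening `window_seconds` to a few hours and lowering `threshold` also catches the slow one (192.0.2.9), while the single failure from 198.51.100.7 followed by an accepted login is never reported. The report line deliberately carries first/last seen in the log's own local time and the usernames tried, which is what an ISP abuse desk needs to match the source against its own records; the timezone of the originating host should be stated in the covering message.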