[Intrusions] SSH brute forcers
DHoelzer at cyber-defense.org
Tue May 31 22:38:05 GMT 2005
At this point I'm not entirely sure who this is directed to.
<soapbox>
Of course I report. My systems were originally sending auto-reports to
ISPs and block owners. I'm personally very tired of hearing, "We don't
have time to track down scanners" regardless of the fact that we all know
the scans are coming from compromised machines. You can do whatever you
like, but the decision for my corporation and for my clients is to
escalate through blacklisting. More than one of my customers has pretty
much all of China blocked, not because they want to, but because they are
simply tired of sending reports with no action by any provider, upstream
or not.
This comes down to survival of the fittest: I'm immensely more interested
in protecting my hosts than I am in protecting yours, especially when the
you in yours don't seem to care that they have been compromised. This
comes back to the question that I invariably get whenever I teach an
intrusion detection course: "But how can 192.168.1.1 come at you from the
Internet. Don't ISPs block those addresses?"
</soapbox>
-----------------------------------------------------
David Hoelzer
Cyber-Defense.org
http://www.cyber-defense.org/CV.html
"Smith, Donald" <Donald.Smith at qwest.com>
Sent by: intrusions-bounces at lists.sans.org
05/31/2005 12:50 PM
Please respond to: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
To: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
cc:
Subject: RE: [Intrusions] SSH brute forcers
I must echo Scott's question and make a comment.
How many of the bruteforce ssh IPs do you report to the ISPs?
My comment is we as a community are FAILING!
Every bruteforce password guessing sshd attempt I have tracked/seen went
to a host that was compromised via bruteforce password guessing. I think
this continues to grow because we don't report them soon enough. If you
get a host attempting brute force sshd you should report it asap. It is
not spoofed. If we report enough of them eventually we should run into
the first hop system. From that system the actual hacker could be
traced.
We as a community should be able to quickly report and respond to these;
if we did, we would be winning rather than losing this battle.
I know there are lots of ways to automatically turn these away with
syslog to ipfilters and other similar "ips" like tools. Perhaps a good
autoreporting tool could assist us in this effort.
donald.smith at qwest.com giac
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Scott Mcintyre
> Sent: Monday, May 30, 2005 2:11 PM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] SSH brute forcers
>
>
> How many of the IPs do you actually report to the ISPs?
>
> Brute forcing in general should not be much of a problem; install brute
> force detectors, there's lots out there. Even if someone does brute
> force you for a reason, you should not have anything to worry about
> providing you use strong passwords.
>
> > WOOOHOOO. It's getting to the point that the SSH brute force attempts
> > on the 2 servers I am working on atm are coming at 4 to 8 times a day,
> > no reasoning behind the number of attempts yet either.
> >
> > Jim McCullough
> >
> > On 5/28/05, DHoelzer at cyber-defense.org <DHoelzer at cyber-defense.org> wrote:
> > > I've been automatically shunning SSH brute forcers for several months now
> > > but I've recently decided to become a bit more aggressive. I am now
> > > publishing a blacklist populated by known SSH bruteforcing sources on my
> > > site that is updated every minute based on my own detects from several
> > > sites. If you have any addresses to contribute please send them my way.
> > > Feel free to grab a copy of the list if you want to populate your ACLs
> > > which is what I'm doing for my customers.
> > >
> > > Best regards
> > > -----------------------------------------------------
> > > David Hoelzer
> > > Cyber-Defense.org
> > > http://www.cyber-defense.org/CV.html
> > > _______________________________________________
> > > Intrusions mailing list
> > > Intrusions at lists.sans.org
> > > http://www.dshield.org/mailman/listinfo/intrusions
> > >
> >
> >
> > --
> > Jim McCullough
> >
> >
> >
>
>
>
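Donald's note about feeding syslog into ipfilter-style blocking and wanting an auto-reporting tool, and David's minute-by-minute blacklist built from his own detects, both come down to the same core: count failed sshd logins per source inside a time window, then emit a block list and a summary suitable for an abuse report. The script below is an added illustration, not code from either poster or from the list. It assumes the classic OpenSSH "Failed password for ... from ... port ..." syslog line, a threshold of five failures within five minutes (both are arbitrary parameters), and a constructed sample log using documentation address ranges; the IPFilter rule text it renders is an assumed format, shown only to make the "syslog to ipfilters" idea concrete.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the classic OpenSSH "Failed password" syslog line (assumed format).
# The syslog timestamp carries no year, so callers pass one in.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (RFC 5737 documentation ranges, not real sources):
#   203.0.113.5  - five failures spread over eight hours (slow, outside any 5-minute window)
#   192.0.2.10   - five failures in ten seconds (a dictionary run)
#   198.51.100.7 - a legitimate user who mistyped a password twice
SAMPLE_LOG = """\
May 31 10:00:00 bastion sshd[3001]: Failed password for root from 203.0.113.5 port 33001 ssh2
May 31 12:00:00 bastion sshd[3002]: Failed password for root from 203.0.113.5 port 33002 ssh2
May 31 14:00:00 bastion sshd[3003]: Failed password for root from 203.0.113.5 port 33003 ssh2
May 31 16:00:00 bastion sshd[3004]: Failed password for root from 203.0.113.5 port 33004 ssh2
May 31 18:00:00 bastion sshd[3005]: Failed password for root from 203.0.113.5 port 33005 ssh2
May 31 22:30:01 bastion sshd[4012]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
May 31 22:30:03 bastion sshd[4013]: Failed password for invalid user test from 192.0.2.10 port 40113 ssh2
May 31 22:30:05 bastion sshd[4014]: Failed password for root from 192.0.2.10 port 40114 ssh2
May 31 22:30:08 bastion sshd[4015]: Failed password for invalid user oracle from 192.0.2.10 port 40115 ssh2
May 31 22:30:11 bastion sshd[4016]: Failed password for invalid user guest from 192.0.2.10 port 40116 ssh2
May 31 22:31:02 bastion sshd[4017]: Accepted publickey for ops from 198.51.100.7 port 51000 ssh2
May 31 22:31:40 bastion sshd[4018]: Failed password for ops from 198.51.100.7 port 51001 ssh2
May 31 22:31:45 bastion sshd[4019]: Failed password for ops from 198.51.100.7 port 51002 ssh2
"""


def parse_failed_login(line, year=2005):
    """Return (timestamp, source_ip, username) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_brute_forcers(lines, threshold=5, window_seconds=300, year=2005):
    """Flag sources with >= threshold failures inside any window_seconds span.

    Returns {ip: {"first": ts, "last": ts, "failures": n, "users": set}} for
    flagged sources only; the per-source summary covers all of that source's
    failures, not just the ones inside the triggering window.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the sliding window
    summary = {}                  # ip -> totals used for the abuse report
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue                # accepted logins and unrelated lines are ignored
        ts, ip, user = parsed
        s = summary.setdefault(ip, {"first": ts, "last": ts, "failures": 0, "users": set()})
        s["last"] = ts
        s["failures"] += 1
        s["users"].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop failures that have aged out of the window
        if len(q) >= threshold:
            flagged[ip] = s
    return flagged


def blocklist(flagged):
    """Plain sorted list of sources, the form a published blacklist or ACL would consume."""
    return sorted(flagged)


def ipf_rules(flagged):
    """One IPFilter-style block rule per flagged source (assumed rule syntax)."""
    return [f"block in quick from {ip}/32 to any" for ip in sorted(flagged)]


def abuse_report(flagged):
    """Human-readable summary per source, the payload an auto-reporting tool would send."""
    out = []
    for ip in sorted(flagged):
        s = flagged[ip]
        out.append(
            f"{ip}: {s['failures']} failed SSH logins between "
            f"{s['first']:%Y-%m-%d %H:%M:%S} and {s['last']:%Y-%m-%d %H:%M:%S} UTC; "
            f"usernames tried: {', '.join(sorted(s['users']))}"
        )
    return "\n".join(out)


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines())
    print(abuse_report(hits))
    print("\n".join(ipf_rules(hits)))
```

With the defaults only 192.0.2.10 is flagged: the slow source 203.0.113.5 never has five failures inside one five-minute window, which is the trade-off David's per-minute list and any threshold-based detector make, and the legitimate user's two typos stay well under the threshold. Widening the window (for example to a day) catches the slow source as well, at the cost of more work separating it from fat-fingered staff.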