[Dshield] SSH Bots

Jon R. Kibler Jon.Kibler at aset.com
Mon Mar 6 20:50:24 GMT 2006


We got a new phishing email this morning (so, what else is new?) that resulted in my learning of a new attack (well, at least new to me) against ssh. 

When I contacted the system's netblock owner, they indicated that the compromised box was a MacOS/X system and they had already shut down the box. I got to talking to their security person and he indicated that the box was compromised via a brute force ssh attack. Apparently, there are botnets that do distributed brute force ssh attacks, hitting on all possible combinations of password characters up through 14 character lengths. 

Anyone else heard of and/or been a victim of this attack? If so, would you be willing to share the details and new countermeasures implemented?

So, I guess it is time to change all of our ssh passwords to 15 or 16 chars! 

Or, I seem to remember that MD5 hashed *nix passwords can be up to 128 chars... so maybe our passwords should now become paragraphs?

I guess what is really needed is some PAM-based authentication failure account lockout schema. I don't see any modules to this in default FC/4 or Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?

Jon Kibler
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

More information about the list mailing list