[Dshield] SSH Bots

Tom dshield at oitc.com
Tue Mar 7 00:00:33 GMT 2006

At 3:50 PM -0500 3/6/06, Jon R. Kibler wrote:
>We got a new phishing email this morning (so, what else is new?) 
>that resulted in my learning of a new attack (well, at least new to 
>me) against ssh.
>When I contacted the system's netblock owner, they indicated that 
>the compromised box was a MacOS/X system and they had already shut 
>down the box. I got to talking to their security person and he 
>indicated that the box was compromised via a brute force ssh attack. 
>Apparently, there are botnets that do distributed brute force ssh 
>attacks, hitting on all possible combinations of password characters 
>up through 14 character lengths.
>Anyone else heard of and/or been a victim of this attack? If so, 
>would you be willing to share the details and new countermeasures 
>So, I guess it is time to change all of our ssh passwords to 15 or 16 chars!
>Or, I seem to remember that MD5 hashed *nix passwords can be up to 
>128 chars... so maybe our passwords should now become paragraphs?
>I guess what is really needed is some PAM-based authentication 
>failure account lockout schema. I don't see any modules to this in 
>default FC/4 or Solaris 9/10 distros. Anyone know if this can be 
>done and/or how to do it?

1 Allow only protocol 2
2 Do not allow root login as it gives a guaranteed account to brute force on
3 We block SSH from all but selected IPs (During trips we can 
temporarily add allowable IPs via VPN.)
4 We do not allow passwords. All logons are with shared keys.


Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
skype: trshaw

More information about the list mailing list