[Dshield] SSH Bots
dshield at oitc.com
Tue Mar 7 00:00:33 GMT 2006
At 3:50 PM -0500 3/6/06, Jon R. Kibler wrote:
>We got a new phishing email this morning (so, what else is new?)
>that resulted in my learning of a new attack (well, at least new to
>me) against ssh.
>
>When I contacted the system's netblock owner, they indicated that
>the compromised box was a MacOS/X system and they had already shut
>down the box. I got to talking to their security person and he
>indicated that the box was compromised via a brute force ssh attack.
>Apparently, there are botnets that do distributed brute force ssh
>attacks, hitting on all possible combinations of password characters
>up through 14 character lengths.
>
>Anyone else heard of and/or been a victim of this attack? If so,
>would you be willing to share the details and new countermeasures?
>
>So, I guess it is time to change all of our ssh passwords to 15 or 16 chars!
>Or, I seem to remember that MD5 hashed *nix passwords can be up to
>128 chars... so maybe our passwords should now become paragraphs?
>
>I guess what is really needed is some PAM-based authentication
>failure account lockout schema. I don't see any modules to this in
>default FC/4 or Solaris 9/10 distros. Anyone know if this can be
>done and/or how to do it?
1 Allow only protocol 2
2 Do not allow root login as it gives a guaranteed account to brute force on
3 We block SSH from all but selected IPs (During trips we can
temporarily add allowable IPs via VPN.)
4 We do not allow passwords. All logons are with shared keys.
Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax),
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
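As an added example (not part of the list post), here is a small audit script that checks an sshd_config against the four countermeasures in the reply above: protocol 2 only, no root login, logins restricted to known source addresses, and key-only authentication. The two embedded configs are constructed samples, and the assumed defaults reflect what a 2006-era OpenSSH applies when a keyword is absent; a firewall-based source restriction, as the reply uses, is outside the file and is not detected.

```python
import re

# Constructed sample configs (not from any real host): the first mirrors
# permissive defaults, the second applies the reply's four rules.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin@203.0.113.*
"""

# Assumed defaults sshd applies when a keyword is absent (OpenSSH 4.x era).
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes",
            "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Return effective global settings as {keyword: value}, both lower-cased.
    sshd ignores comments, keeps the FIRST occurrence of a keyword, and the
    global section ends at the first Match block."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen and len(parts) == 2:
            seen.add(key)
            settings[key] = parts[1].strip().lower()
    return settings

def audit(text):
    """List which of the reply's countermeasures the config fails to enforce."""
    cfg = parse_sshd_config(text)
    findings = []
    if "1" in cfg["protocol"].split(","):
        findings.append("protocol 1 still enabled")
    if cfg["permitrootlogin"] != "no":
        findings.append("root login permitted")
    if not (cfg.get("allowusers") and "@" in cfg["allowusers"]):
        findings.append("no source-address restriction (AllowUsers user@host or firewall)")
    if cfg["passwordauthentication"] == "yes" or cfg["challengeresponseauthentication"] == "yes":
        findings.append("password logins allowed")
    if cfg["pubkeyauthentication"] == "no":
        findings.append("public-key logins disabled")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a host to list the gaps; an empty list means all four rules are in place in the file itself.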