[Dshield] SSH Bots

Rich Rakich rich at rakich.net
Tue Mar 7 00:37:24 GMT 2006

 I have been having such attacks on my Linux box at home, sometimes up to
1500 attempts a day against various usernames.  So far they have not been
successful.  I currently have ssh configured with PAM auth, all ssh attempts
logged and monitored on a daily basis just to make sure they stay out.

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Jon R. Kibler
> Sent: Monday, March 06, 2006 3:50 PM
> Subject: [Dshield] SSH Bots
> Greetings,
> We got a new phishing email this morning (so, what else is 
> new?) that resulted in my learning of a new attack (well, at 
> least new to me) against ssh. 
> When I contacted the system's netblock owner, they indicated 
> that the compromised box was a MacOS/X system and they had 
> already shut down the box. I got to talking to their security 
> person and he indicated that the box was compromised via a 
> brute force ssh attack. Apparently, there are botnets that do 
> distributed brute force ssh attacks, hitting on all possible 
> combinations of password characters up through 14 character lengths. 
> Anyone else heard of and/or been a victim of this attack? If 
> so, would you be willing to share the details and new 
> countermeasures implemented?
> So, I guess it is time to change all of our ssh passwords to 
> 15 or 16 chars! 
> Or, I seem to remember that MD5 hashed *nix passwords can be 
> up to 128 chars... so maybe our passwords should now become 
> paragraphs?
> I guess what is really needed is some PAM-based 
> authentication failure account lockout schema. I don't see 
> any modules to this in default FC/4 or Solaris 9/10 distros. 
> Anyone know if this can be done and/or how to do it?
> Thanks!
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.

More information about the list mailing list