[Dshield] SSH Bots
rich at rakich.net
Tue Mar 7 00:37:24 GMT 2006
I have been having such attacks on my Linux box at home, sometimes up to
1500 attempts a day against various usernames. So far they have not been
successful. I currently have ssh configured with PAM auth, all ssh attempts
logged and monitored on a daily basis just to make sure they stay out.
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Jon R. Kibler
> Sent: Monday, March 06, 2006 3:50 PM
> Subject: [Dshield] SSH Bots
> We got a new phishing email this morning (so, what else is
> new?) that resulted in my learning of a new attack (well, at
> least new to me) against ssh.
> When I contacted the system's netblock owner, they indicated
> that the compromised box was a MacOS/X system and they had
> already shut down the box. I got to talking to their security
> person and he indicated that the box was compromised via a
> brute force ssh attack. Apparently, there are botnets that do
> distributed brute force ssh attacks, hitting on all possible
> combinations of password characters up through 14 character lengths.
> Anyone else heard of and/or been a victim of this attack? If
> so, would you be willing to share the details and new
> countermeasures implemented?
> So, I guess it is time to change all of our ssh passwords to
> 15 or 16 chars!
> Or, I seem to remember that MD5 hashed *nix passwords can be
> up to 128 chars... so maybe our passwords should now become
> I guess what is really needed is some PAM-based
> authentication failure account lockout schema. I don't see
> any modules to do this in default FC/4 or Solaris 9/10 distros.
> Anyone know if this can be done and/or how to do it?
> Jon Kibler
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC USA
> (843) 849-8214
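One way to do the daily log monitoring mentioned in the reply above, as an added example that is not part of the original thread: a small Python script that parses OpenSSH "Failed password" lines from a syslog-style auth log and flags both a single noisy source and the distributed pattern Jon describes, where one account collects failures from many addresses that each stay under the per-IP threshold. The log lines, host name, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches OpenSSH "Failed password" lines as written to syslog/auth.log.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  6 15:50:01 gw sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Mar  6 15:50:03 gw sshd[2202]: Failed password for root from 192.0.2.10 port 4322 ssh2
Mar  6 15:50:04 gw sshd[2203]: Failed password for root from 192.0.2.10 port 4323 ssh2
Mar  6 15:50:09 gw sshd[2204]: Failed password for root from 198.51.100.7 port 5100 ssh2
Mar  6 15:50:11 gw sshd[2205]: Failed password for root from 203.0.113.44 port 6100 ssh2
Mar  6 15:50:20 gw sshd[2206]: Accepted password for rich from 192.0.2.99 port 50000 ssh2
"""

def parse_failures(log_text):
    """Return a list of (user, ip) tuples, one per failed password attempt."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out

def noisy_sources(failures, threshold):
    """Sources with at least `threshold` failures: the single-host brute forcer."""
    counts = defaultdict(int)
    for _user, ip in failures:
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def distributed_targets(failures, min_sources):
    """Usernames hit from at least `min_sources` distinct IPs. A botnet spreading
    its guesses across many hosts shows up here even when no single IP is noisy."""
    sources = defaultdict(set)
    for user, ip in failures:
        sources[user].add(ip)
    return {u: sorted(s) for u, s in sources.items() if len(s) >= min_sources}

if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("failed attempts:", len(f))
    print("noisy sources:", noisy_sources(f, 3))
    print("distributed targets:", distributed_targets(f, 3))
```

Feed it the previous day's auth log from a daily cron job; the thresholds need tuning to the site's normal failure rate.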