[Dshield] SSH Bots

Jim McMillan JMcMillan at bepc.com
Tue Mar 7 03:14:49 GMT 2006


I have not heard of this attack.

We do use a commercial product that allows us to leverage our Active Directory users and groups on our Solaris and Red Hat Enterprise systems with Kerberos authentication.  The product is called VAS (Vintella Authentication Services) and is now owned by Quest Software (I think).  We have been using it for about 8 months, so far-so good.  I do not know if there are any open source distributions.  The cost was relatively low, at least from our perspective and budget.

Best Regards,
Jim


-----Original Message-----
From: list-bounces at lists.dshield.org on behalf of Jon R. Kibler
Sent: Mon 3/6/2006 2:50 PM
Subject: [Dshield] SSH Bots
 
Greetings,

We got a new phishing email this morning (so, what else is new?) that resulted in my learning of a new attack (well, at least new to me) against ssh. 

When I contacted the system's netblock owner, they indicated that the compromised box was a MacOS/X system and they had already shut down the box. I got to talking to their security person and he indicated that the box was compromised via a brute force ssh attack. Apparently, there are botnets that do distributed brute force ssh attacks, hitting on all possible combinations of password characters up through 14 character lengths. 

Anyone else heard of and/or been a victim of this attack? If so, would you be willing to share the details and new countermeasures implemented?

So, I guess it is time to change all of our ssh passwords to 15 or 16 chars! 

Or, I seem to remember that MD5 hashed *nix passwords can be up to 128 chars... so maybe our passwords should now become paragraphs?

I guess what is really needed is some PAM-based authentication failure account lockout schema. I don't see any modules to this in default FC/4 or Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?

Thanks!
Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.




More information about the list mailing list