[Dshield] SSH Bots

lucy@lucindrea.com lucy at lucindrea.com
Tue Mar 7 04:49:53 GMT 2006

ya i see it all the time ... my nightly syslogs were showting thousands of
"invalid user" or "invalid password" to ssh accounts .. 2 soultions work
1. switch the port hat ssh works on from 22 to somthing odd like 678 or
somthing.( not the best soultion , but it does work )
2. edit the hosts.allow and hosts.deny fils to only allow ip#'s you know of.

if neither of these are an option , their are programs out their that go
into cron to run every min that will scan you logs for 4+ invalid logins
and block the ip# in iptables.

i'm thinking their is a most likely crypto key soultion also , but i dont
know enugh about the crypto to work it out , and the hosts.allow/deny
works fine for now.

i built a linux machine last week and put it on a public ip# i havent used
before .. took 2 days for it to start getting slamed .. was seeing 3000+
login attempts every few hours.

> Greetings,
> We got a new phishing email this morning (so, what else is new?) that
> resulted in my learning of a new attack (well, at least new to me) against
> ssh.
> When I contacted the system's netblock owner, they indicated that the
> compromised box was a MacOS/X system and they had already shut down the
> box. I got to talking to their security person and he indicated that the
> box was compromised via a brute force ssh attack. Apparently, there are
> botnets that do distributed brute force ssh attacks, hitting on all
> possible combinations of password characters up through 14 character
> lengths.
> Anyone else heard of and/or been a victim of this attack? If so, would you
> be willing to share the details and new countermeasures implemented?
> So, I guess it is time to change all of our ssh passwords to 15 or 16
> chars!
> Or, I seem to remember that MD5 hashed *nix passwords can be up to 128
> chars... so maybe our passwords should now become paragraphs?
> I guess what is really needed is some PAM-based authentication failure
> account lockout schema. I don't see any modules to this in default FC/4 or
> Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?
> Thanks!
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own
> couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list

Time to revamp Kindergarten

1. Sharing is ILLEGAL

More information about the list mailing list