[Dshield] SSH Bots

Jean-Pierre Schwickerath dshield at hilotec.net
Tue Mar 7 09:10:41 GMT 2006


Hello Jon, 
 
> When I contacted the system's netblock owner, they indicated that the
> compromised box was a MacOS/X system and they had already shut down
> the box. I got to talking to their security person and he indicated
> that the box was compromised via a brute force ssh attack.
> Apparently, there are botnets that do distributed brute force ssh
> attacks, hitting on all possible combinations of password characters
> up through 14 character lengths. 
> 
> Anyone else heard of and/or been a victim of this attack? If so,
> would you be willing to share the details and new countermeasures
> implemented?

Whenever I need to open Port TCP/22 I always run fail2ban too, blocking
all IPs that caused failed attempts for 10 minutes or more. 

You can configure fail2ban to execute virtually any command, so you
could run passwd -l if you want or block that IP on your central
firewall instead of just on the attacked machine. 


Regards.
Jean-Pierre
-- 
HILOTEC Engineering + Consulting GmbH
Energietechnik und Datensysteme
Tel: +41 34 402 74 00 - http://www.hilotec.com/
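The threshold-then-act logic that fail2ban applies to sshd failures, written out as an added example (this is not code from the post, from fail2ban, or from HILOTEC). It parses constructed OpenSSH "Failed password" log lines, bans any source IP that reaches maxretry failures inside the findtime window, and renders a ban command from a fail2ban-style action template using the `<ip>` tag convention; the hostname `gw`, the IPs and the log lines are all constructed sample data, and `render_action` is a hypothetical helper that only substitutes tags.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic OpenSSH failure line in syslog format (no year in the timestamp).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample log: one address hammering root/admin/test, one slow
# address whose failures are too far apart to trip the threshold.
SAMPLE_LOG = """\
Mar  7 08:55:01 gw sshd[4101]: Failed password for root from 192.0.2.10 port 40121 ssh2
Mar  7 08:55:03 gw sshd[4103]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar  7 08:55:06 gw sshd[4105]: Failed password for invalid user test from 192.0.2.10 port 40124 ssh2
Mar  7 08:55:09 gw sshd[4107]: Failed password for root from 192.0.2.10 port 40126 ssh2
Mar  7 08:56:12 gw sshd[4109]: Accepted publickey for jean from 198.51.100.7 port 50220 ssh2
Mar  7 08:56:40 gw sshd[4112]: Failed password for root from 192.0.2.10 port 40130 ssh2
Mar  7 09:00:00 gw sshd[4120]: Failed password for jean from 203.0.113.5 port 51000 ssh2
Mar  7 09:20:00 gw sshd[4130]: Failed password for jean from 203.0.113.5 port 51001 ssh2
Mar  7 09:40:00 gw sshd[4140]: Failed password for jean from 203.0.113.5 port 51002 ssh2
"""


def parse_failure(line, year=2006):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Sliding-window ban decision, mirroring fail2ban's maxretry/findtime/bantime.

    Returns {ip: {"banned_at": datetime, "expires": datetime, "users": set}}.
    """
    window = timedelta(seconds=findtime)
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    targeted = defaultdict(set)     # ip -> user names it tried
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        if ip in bans:
            continue                # already banned; packets would be dropped
        q = attempts[ip]
        q.append(ts)
        targeted[ip].add(user)
        while q and ts - q[0] > window:   # forget failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = {
                "banned_at": ts,
                "expires": ts + timedelta(seconds=bantime),
                "users": set(targeted[ip]),
            }
    return bans


def render_action(template, **tags):
    """Substitute fail2ban-style <tag> placeholders, e.g. <ip>, in a command template."""
    for name, value in tags.items():
        template = template.replace(f"<{name}>", str(value))
    return template


def plan_actions(bans, template="iptables -I INPUT -s <ip> -j DROP"):
    """Commands a ban action would run, one per banned IP, in ban order."""
    ordered = sorted(bans.items(), key=lambda kv: kv[1]["banned_at"])
    return [render_action(template, ip=ip) for ip, _ in ordered]


if __name__ == "__main__":
    found = find_bans(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(ip, "banned at", info["banned_at"].time(), "tried", sorted(info["users"]))
    for cmd in plan_actions(found):
        print(cmd)
```

With the defaults, 192.0.2.10 is banned at its fifth failure (08:56:40) while 203.0.113.5 never is, because its three failures are twenty minutes apart and each one falls out of the ten-minute window before the next arrives. The template passed to `plan_actions` is where the post's "virtually any command" comes in: pointing it at a central firewall instead of the local iptables is only a different string. Note that a template built around `passwd -l <user>` locks the account the attacker chose to guess, so a bot that cycles through real user names can lock legitimate users out; banning the source address does not have that side effect.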

