[Dshield] SSH Bots
dshield at hilotec.net
Tue Mar 7 09:10:41 GMT 2006
> When I contacted the system's netblock owner, they indicated that the
> compromised box was a MacOS/X system and they had already shut down
> the box. I got to talking to their security person and he indicated
> that the box was compromised via a brute force ssh attack.
> Apparently, there are botnets that do distributed brute force ssh
> attacks, hitting on all possible combinations of password characters
> up through 14 character lengths.
> Anyone else heard of and/or been a victim of this attack? If so,
> would you be willing to share the details and new countermeasures
Whenever I need to open Port TCP/22 I always run fail2ban too, blocking
all IPs that caused failed attempts for 10 minutes or more.
You can configure fail2ban to execute virtually any command, so you
could run passwd -l if you want or block that IP on your central
firewall instead of just on the attacked machine.
HILOTEC Engineering + Consulting GmbH
Energietechnik und Datensysteme
Tel: +41 34 402 74 00 - http://www.hilotec.com/
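As an added example that is not part of the original post: the fail2ban-style rule described above (ban any address that produces too many failed SSH logins inside a time window), implemented in Python over a few constructed sshd log lines. The log format, the threshold and the window are assumptions; fail2ban itself takes these from its jail configuration (maxretry/findtime) and ships its own sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" lines as syslog writes them (assumed format;
# fail2ban ships its own, more complete sshd filter).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
    r"for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_ts(ts, year=2006):
    # syslog timestamps carry no year; one is assumed for the demo
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def ips_to_ban(lines, maxretry=5, findtime_s=600):
    """IPs with >= maxretry failed logins inside any findtime_s-second window,
    i.e. fail2ban's maxretry/findtime rule applied to a log stream."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    banned = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample log (RFC 5737 documentation addresses): 198.51.100.7
# hammers the box, 203.0.113.9 fails once, 192.0.2.44 stays under the window.
SAMPLE_LOG = [
    "Mar  7 09:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Mar  7 09:00:02 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "Mar  7 09:00:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.9 port 51000 ssh2",
    "Mar  7 09:00:09 host sshd[1204]: Failed password for root from 192.0.2.44 port 33000 ssh2",
    "Mar  7 09:00:30 host sshd[1205]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    "Mar  7 09:01:10 host sshd[1206]: Accepted password for alice from 203.0.113.9 port 51001 ssh2",
    "Mar  7 09:01:40 host sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2",
    "Mar  7 09:02:30 host sshd[1208]: Failed password for root from 198.51.100.7 port 40005 ssh2",
    "Mar  7 09:11:00 host sshd[1209]: Failed password for root from 192.0.2.44 port 33001 ssh2",
    "Mar  7 09:22:00 host sshd[1210]: Failed password for root from 192.0.2.44 port 33002 ssh2",
]

if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE_LOG)))  # ['198.51.100.7']
```

In a real deployment the returned addresses would be handed to a ban action (an iptables rule, or the central-firewall command the post mentions) and released again after the configured bantime.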