[Dshield] SSH Bots

Christoph sphere at lamercity.net
Tue Mar 7 17:58:54 GMT 2006


Good Evening,

I'm using a python-script for blocking IPs with more than 5 failed ssh logins.
It's called fail2ban and runs with python2.4.
You can get it from http://fail2ban.sourceforge.net/. It's also in Debian testing.
The script runs fine on my machines. :)

Greetings
Christoph

On Monday 06 March 2006 21:50, Jon R. Kibler wrote:
> Greetings,
> 
> We got a new phishing email this morning (so, what else is new?) that resulted in my learning of a new attack (well, at least new to me) against ssh. 
> 
> When I contacted the system's netblock owner, they indicated that the compromised box was a MacOS/X system and they had already shut down the box. I got to talking to their security person and he indicated that the box was compromised via a brute force ssh attack. Apparently, there are botnets that do distributed brute force ssh attacks, hitting on all possible combinations of password characters up through 14 character lengths. 
> 
> Anyone else heard of and/or been a victim of this attack? If so, would you be willing to share the details and new countermeasures implemented?
> 
> So, I guess it is time to change all of our ssh passwords to 15 or 16 chars! 
> 
> Or, I seem to remember that MD5 hashed *nix passwords can be up to 128 chars... so maybe our passwords should now become paragraphs?
> 
> I guess what is really needed is some PAM-based authentication failure account lockout schema. I don't see any modules for this in default FC/4 or Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?
> 
> Thanks!
> Jon Kibler
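The "block after N failed logins" idea that both messages circle around (fail2ban's threshold in Christoph's reply, and the lockout Jon is asking for) can be shown in a few lines. The following is an added example written for this archive page; it is not fail2ban's own code and not something either poster sent. It reads constructed sshd syslog lines (the year is assumed to be 2006, since syslog lines carry none), counts "Failed password" events per source IP inside a sliding time window, and reports the IPs that hit the threshold, with the firewall rule that would ban them returned as text rather than executed. The thresholds `maxretry=5` and `findtime=10 minutes` are assumptions chosen to match the "more than 5 failed logins" in the reply.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not data from the list thread.
# 192.0.2.10 hammers root six times in ten seconds, 198.51.100.7 is a legitimate
# user who typos once, 203.0.113.5 spreads five failures over 25 minutes.
SAMPLE_AUTH_LOG = """\
Mar  6 21:40:01 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40211 ssh2
Mar  6 21:40:03 gw sshd[1203]: Failed password for root from 192.0.2.10 port 40212 ssh2
Mar  6 21:40:05 gw sshd[1205]: Failed password for invalid user admin from 192.0.2.10 port 40213 ssh2
Mar  6 21:40:07 gw sshd[1207]: Failed password for root from 192.0.2.10 port 40214 ssh2
Mar  6 21:40:09 gw sshd[1209]: Failed password for root from 192.0.2.10 port 40215 ssh2
Mar  6 21:40:11 gw sshd[1211]: Failed password for root from 192.0.2.10 port 40216 ssh2
Mar  6 21:41:00 gw sshd[1220]: Failed password for jon from 198.51.100.7 port 51000 ssh2
Mar  6 21:41:30 gw sshd[1222]: Accepted password for jon from 198.51.100.7 port 51001 ssh2
Mar  6 22:05:00 gw sshd[1230]: Failed password for root from 203.0.113.5 port 3000 ssh2
Mar  6 22:06:00 gw sshd[1231]: Failed password for root from 203.0.113.5 port 3001 ssh2
Mar  6 22:07:00 gw sshd[1232]: Failed password for root from 203.0.113.5 port 3002 ssh2
Mar  6 22:08:00 gw sshd[1233]: Failed password for root from 203.0.113.5 port 3003 ssh2
Mar  6 22:30:00 gw sshd[1240]: Failed password for root from 203.0.113.5 port 3004 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_ts(text, year=2006):
    """Syslog timestamps have no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for every source IP that reaches maxretry
    failed logins within a sliding window of findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in bans:
            continue              # already banned; a real tool would be dropping its packets
        ts = parse_ts(m.group("ts"))
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the window so slow, patient attempts
        # and isolated typos do not accumulate forever.
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def ban_commands(bans, chain="INPUT"):
    """Render the firewall rules a ban would add (returned as strings, never run here)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_AUTH_LOG)
    for ip, when in offenders.items():
        print(f"{ip} banned at {when:%b %d %H:%M:%S}")
    for cmd in ban_commands(offenders):
        print(cmd)
```

With the default window only 192.0.2.10 is banned: 203.0.113.5 never has five failures inside any ten-minute span, which is exactly the knob (fail2ban calls it `findtime`) that decides how patient an attacker has to be to stay under the radar. Widening the window to an hour catches it too, at the cost of more false positives from users who fumble a password now and then. Note what a per-source threshold cannot do: the distributed botnet Jon describes spreads its guesses across many source addresses, so each one may stay below `maxretry`. Rate limiting is a useful brake, but the countermeasure that actually ends password guessing is turning password authentication off in `sshd_config` and using keys.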

