[Dshield] SSH Bots
sphere at lamercity.net
Tue Mar 7 17:58:54 GMT 2006
I'm using a python-script for blocking IPs with more than 5 failed ssh logins.
It's called fail2ban and runs with python2.4.
You can get it from http://fail2ban.sourceforge.net/. It's also in Debian testing.
The script runs fine on my machines. :)
On Monday 06 March 2006 21:50, Jon R. Kibler wrote:
> We got a new phishing email this morning (so, what else is new?) that resulted in my learning of a new attack (well, at least new to me) against ssh.
> When I contacted the system's netblock owner, they indicated that the compromised box was a MacOS/X system and they had already shut down the box. I got to talking to their security person and he indicated that the box was compromised via a brute force ssh attack. Apparently, there are botnets that do distributed brute force ssh attacks, hitting on all possible combinations of password characters up through 14 character lengths.
> Anyone else heard of and/or been a victim of this attack? If so, would you be willing to share the details and new countermeasures implemented?
> So, I guess it is time to change all of our ssh passwords to 15 or 16 chars!
> Or, I seem to remember that MD5 hashed *nix passwords can be up to 128 chars... so maybe our passwords should now become paragraphs?
> I guess what is really needed is some PAM-based authentication failure account lockout schema. I don't see any modules to this in default FC/4 or Solaris 9/10 distros. Anyone know if this can be done and/or how to do it?
> Jon Kibler
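The threshold-based blocking described in the reply above (more than 5 failed logins from one source address within a time window), as an added illustration that is not fail2ban's own code and not part of the original post; the log lines, host name, addresses and the `maxretry`/`window` parameters are constructed for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format (no year field, as on 2006-era systems).
SAMPLE_LOG = """\
Mar  7 17:40:01 host sshd[2101]: Failed password for root from 10.0.0.5 port 40112 ssh2
Mar  7 17:40:03 host sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 40113 ssh2
Mar  7 17:40:05 host sshd[2105]: Failed password for root from 10.0.0.5 port 40114 ssh2
Mar  7 17:40:07 host sshd[2107]: Failed password for root from 10.0.0.5 port 40115 ssh2
Mar  7 17:40:09 host sshd[2109]: Failed password for root from 10.0.0.5 port 40116 ssh2
Mar  7 17:40:11 host sshd[2111]: Failed password for root from 10.0.0.5 port 40117 ssh2
Mar  7 17:41:00 host sshd[2120]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar  7 17:42:00 host sshd[2130]: Failed password for bob from 192.0.2.10 port 50001 ssh2
Mar  7 17:55:00 host sshd[2140]: Failed password for root from 198.51.100.7 port 1025 ssh2
"""

# Matches sshd "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps lack a year; the caller supplies one (assumption).
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")


def offenders(log_text, maxretry=5, window=timedelta(minutes=10)):
    """Return {ip: failures_in_window} for sources exceeding maxretry within window.

    Only failures inside the sliding window count, so a slow, widely spaced
    trickle of failures does not accumulate into a block.
    """
    history = defaultdict(list)
    flagged = {}
    for ts, ip in parse_failures(log_text):
        recent = [t for t in history[ip] if ts - t <= window] + [ts]
        history[ip] = recent
        if len(recent) > maxretry:
            flagged[ip] = len(recent)
    return flagged
```

Running `offenders(SAMPLE_LOG)` flags only 10.0.0.5 (six failures in ten seconds); the single failures from the other two addresses stay below the threshold.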