Incidents
Weird SSH attack last night and this morning (still ongoing) May 07 2008 12:27PM
Gary Baribault (gary baribault net) (6 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 14 2008 08:25AM
Mick Pollard (lists lunix com au) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 14 2008 11:05PM
Gary Baribault (gary baribault net) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 15 2008 09:41PM
Valdis Kletnieks vt edu
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:01PM
Brent Kearney (brentk birs ca)
RE: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:53PM
Erin Carroll (amoeba amoebazone com) (1 replies)
Gary,

I am seeing the exact same traffic pattern & attempts as of ~10:20pm PST:
Single attempts to remote root ssh from disparate IP's with few (if any)
repeated source location. So now we have a sample size of 2 :)

When I saw this hitting my servers last night I thought it an odd attack
pattern but surmised it was either a targeted slow attack with spoofed IP's
or a "slow roll" botnet using throttled connects to try flying under the
radar for alerting. I was leaning toward the latter and even more so now
that I see my organization isn't the only one.

Just block root ssh and apply a source IP whitelist for valid non-root
allows if you require remote ssh for day to day. I consider it bad security
practice to allow remote root ssh anyway. People should use user accounts
and a sane sudoers config instead.

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba (at) amoebazone (dot) com [email concealed]
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: Gary Baribault [mailto:gary (at) baribault (dot) net [email concealed]]
Sent: Wednesday, May 07, 2008 5:27 AM
To: incidents (at) securityfocus (dot) com [email concealed]
Subject: Weird SSH attack last night and this morning (still ongoing)

I don't know what is going on last night and this morning ... I have
three Linux servers facing the Internet, two on cable modems and another
on a static IP/commercial connection and this last one is a gateway to a
Web/FTP/SMTP/Pop3/NTP Linux based system.

I have DenyHosts installed on all three and have blocked about 75
attempts .. from known compromised adresses .. The log shows
(obviously) that there where even more attempts from adresses that are
unknown to DenyHosts but there was only one login attemps per adress and
it was with the Root account .. which is obviously blocked in my sshd
config ..

Of the three machines, one of them only had about 10 attempts, but the
other two had about 200 attempts .. all of them with only 1 try with the
user Root ..

Is any one else seing this? or am I being targeted? This is still going
on now .. and it started arround 10:00 last night GMT+4

--
Gary Baribault
Courriel: gary (at) baribault (dot) net [email concealed]
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013

[ reply ]
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:17PM
Valdis Kletnieks vt edu
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:36PM
Blaine Fleming (groups digital-z com)
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 05:04PM
Robert Taylor (rjamestaylor gmail com) (1 replies)
RE: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:15PM
Erin Carroll (amoeba amoebazone com) (1 replies)
Re: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:23PM
Robert Taylor (rjamestaylor gmail com) (1 replies)
RE: Weird SSH attack last night and this morning (still ongoing) May 07 2008 06:27PM
Erin Carroll (amoeba amoebazone com)


 

Privacy Statement
Copyright 2010, SecurityFocus