Incidents
Distributed Bruteforce against SSH May 12 2008 03:27PM
Gary Baribault (gary baribault net) (2 replies)
RE: Distributed Bruteforce against SSH May 12 2008 06:01PM
Keith T. Morgan (keith morgan terradon com) (1 replies)
Re: Distributed Bruteforce against SSH May 12 2008 07:53PM
Tim Kennedy (tim timkennedy net)
On Mon, May 12, 2008 at 2:01 PM, Keith T. Morgan
<keith.morgan (at) terradon (dot) com [email concealed]> wrote:
> I wanted to follow up on this after putting a little more thought into it. Honestly, I'm quite impressed by the intelligence the botnet is exhibiting. Based on the testing I've done, it's clear that the entire botnet is collectively sharing its position in the dictionary on a per-target basis. Fairly slick, IMO.

Agreed.

If you're concerned, start requiring ssh-keys for authentication. If
you use RedHat (or derivatives thereof) and have the pam_succeed_if
PAM module available, you can at the very least make sure that any
non-authorized user accounts (even if they actually exist, and have a
password) can't log in via ssh. Like users who only get email
privileges, or who only have ftp privs to update a website.

Mitigation is the name of the game, since the botnets tend to span
large areas of the IP space, blocking entire networks risks making
your servers/services unusable.

-Tim

[ reply ]
RE: Distributed Bruteforce against SSH May 12 2008 05:36PM
Keith T. Morgan (keith morgan terradon com)


 

Privacy Statement
Copyright 2010, SecurityFocus