Robert Lemos, SecurityFocus 2008-05-14
Allowing secure shell access to a server tends to attract the occasional attempt to guess a valid username and password for the service. However, a spike in attacks this week has system administrators worried.
Admins warned of brute-force SSH attacks
2008-05-15
DooMRunneR (1 replies)
Re: Admins warned of brute-force SSH attacks
2008-05-16
Anonymous
They'll eventually start scanning on 2222/tcp, a popular replacement SSH port. I see no reason to run it on 22/tcp; changing it stops the scripts and a lot of noise from the public Internet.
If you change it to something really random and still get brute-force attacks, you know someone is really ...
Admins warned of brute-force SSH attacks
2008-05-15
Anonymous (1 replies)
To protect my FreeBSD box I made this simple script:
http://milesich.com/2008/02/07/protect-your-freebsd-box/...
Re: Admins warned of brute-force SSH attacks
2008-05-19
Anonymous
...and here's how to do it on OpenBSD with pf:
table scanners persist file "/etc/scanners"
[...]
block in quick log on $ext_if proto tcp from scanners to $ext_if port ssh
[...]
pass in on $ext_if proto tcp from any to $ext_if port ssh flags S/SA keep state (max-src-conn-rate 3/60, overload sc...
Admins warned of brute-force SSH attacks
2008-05-15
Anonymous
If possible, use the AllowUsers directive in sshd_config to limit access to specific users, and/or the hosts.allow/deny files to permit certain users from specific network ranges or not at all from other ranges, etc. (ssh is tcp_wrapper friendly). Of course the firewall is your friend also (but shou...
Admins warned of brute-force SSH attacks
2008-05-15
Anonymous
For the past 2 years, I've used BFD (Brute Force Detection), available here http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
In a nutshell, this is a shell script run via cron that parses log files to detect multiple login attempts within a short period of time that would indicate a brute ...
Admins warned of brute-force SSH attacks
2008-05-16
Jeff Sadowski
I started noticing such attacks from China and Korea about a year ago. I found shellter to be an excellent tool to help diminish the problem. Mostly I see root attempts, and I have disabled the root account from being able to ssh in.
shellter can be found here.
http://shellter.sourceforge.net/...
Admins warned of brute-force SSH attacks
2008-05-27
Anonymous
Only a few of my users have SSH access to my servers and none of them have "common" usernames.
No remote root logins... gotta su for access; only a few have access to the "su" command, which has itself been renamed.
SSH access is restricted to specific IP addresses by both the host level firewa...
Admins warned of brute-force SSH attacks
2008-11-28
Anonymous
Most of the comments missed the point of these attacks being 'low and slow' and/or distributed. Blocking scripts will not catch such attacks (I'm experiencing them now and am having a hard time blocking them). About the only thing that will mitigate this threat is to turn off SSH, move the listeni...
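Added example (editor's code, not BFD's script, not the pf rules quoted above and not any commenter's tool): a Python rendering of the log-parsing approach the BFD comment describes, extended to the "low and slow" and distributed patterns the last comment says per-source blockers miss. It parses OpenSSH "Failed password" lines as they appear in syslog, then runs three sliding-window counters: a per-source burst threshold (what cron blockers and pf's max-src-conn-rate implement), a per-source long-window count that catches one host trying a few passwords an hour all day, and a per-username count of distinct sources that catches a botnet spreading one account's guesses across many addresses. The host name, thresholds, windows and log lines are constructed for the example, using RFC 5737 documentation addresses.

```python
"""Failed-login detection over sshd syslog lines: burst, low-and-slow, distributed.

Added example, not BFD's code or any commenter's script. Hostname, thresholds
and log lines are constructed; addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Dict, List, NamedTuple, Optional

# OpenSSH "Failed password" line as written to auth.log; "invalid user " is
# present when the account does not exist on the host.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


class Failure(NamedTuple):
    ts: datetime
    ip: str
    user: str


def parse_failures(lines: List[str], year: int = 2008) -> List[Failure]:
    """Keep only failed-password events; syslog stamps carry no year, so supply one."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # accepted logins, disconnects and other daemons are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Failure(ts, m["ip"], m["user"]))
    events.sort()
    return events


def window_offenders(events: List[Failure], key: Callable[[Failure], str],
                     threshold: int, window: timedelta,
                     distinct: Optional[Callable[[Failure], str]] = None) -> Dict[str, datetime]:
    """Sliding-window counter. Events are grouped by key(); a key is reported, with
    the time it crossed the line, once >= threshold events fall inside one
    window-long interval. With distinct(), distinct values are counted instead
    (e.g. distinct source IPs per username)."""
    recent: Dict[str, deque] = defaultdict(deque)
    offenders: Dict[str, datetime] = {}
    for ev in events:
        q = recent[key(ev)]
        q.append(ev)
        while ev.ts - q[0].ts > window:   # drop events that fell out of the window
            q.popleft()
        n = len({distinct(e) for e in q}) if distinct else len(q)
        if n >= threshold and key(ev) not in offenders:
            offenders[key(ev)] = ev.ts
    return offenders


def burst_offenders(events, threshold=5, window=timedelta(seconds=60)):
    """One source, many failures, short interval: what cron blockers and pf's
    max-src-conn-rate catch."""
    return window_offenders(events, lambda e: e.ip, threshold, window)


def slow_offenders(events, threshold=10, window=timedelta(hours=24)):
    """Low and slow: one source staying under the burst rate but persisting for hours."""
    return window_offenders(events, lambda e: e.ip, threshold, window)


def distributed_offenders(events, threshold=5, window=timedelta(hours=24)):
    """Distributed: one username tried from many sources, each too quiet to trip a
    per-IP rule. Keyed by username, counting distinct source IPs."""
    return window_offenders(events, lambda e: e.user, threshold, window, distinct=lambda e: e.ip)


def analyse(lines: List[str]) -> Dict[str, Dict[str, datetime]]:
    ev = parse_failures(lines)
    return {"burst": burst_offenders(ev), "slow": slow_offenders(ev),
            "distributed": distributed_offenders(ev)}


# ---- constructed sample log (not real traffic) -------------------------------
def _line(ts: datetime, user: str, ip: str, invalid: bool = False) -> str:
    who = ("invalid user " if invalid else "") + user
    return (f"{ts:%b %d %H:%M:%S} bastion sshd[{4000 + ts.second}]: "
            f"Failed password for {who} from {ip} port {40000 + ts.minute} ssh2")


T0 = datetime(2008, 5, 15, 3, 0, 0)
SAMPLE_LOG = (
    # burst: six failures in 25 seconds from one source
    [_line(T0 + timedelta(seconds=5 * i), "admin", "203.0.113.5", True) for i in range(6)]
    # low and slow: root tried once an hour for twelve hours from one source
    + [_line(T0 + timedelta(hours=i), "root", "198.51.100.7") for i in range(12)]
    # distributed: "oracle" tried once each from six sources over six hours
    + [_line(T0 + timedelta(hours=i, minutes=17), "oracle", f"192.0.2.{10 + i}", True)
       for i in range(6)]
    # a real user mistyping a password twice, then getting in with a key
    + [_line(T0 + timedelta(hours=2, minutes=30 + i), "jsmith", "198.51.100.200") for i in range(2)]
    + [f"{T0 + timedelta(hours=2, minutes=33):%b %d %H:%M:%S} bastion sshd[4107]: "
       "Accepted publickey for jsmith from 198.51.100.200 port 40033 ssh2"]
)

if __name__ == "__main__":
    for kind, found in analyse(SAMPLE_LOG).items():
        for who, when in found.items():
            print(f"{kind:12s} {who:16s} crossed threshold at {when:%H:%M:%S}")
```

Run against the constructed log, only the burst source trips the 5-in-60s rule, which is all a per-IP blocker sees; the hourly root guesser and the six-host "oracle" campaign surface only in the long-window and per-username views, while the user who mistyped a password twice is never flagged. On a real host the three thresholds are the tuning knobs: the burst one feeds a firewall table, the other two are better treated as alerts, since blocking a username or a wide set of addresses is where automated responses start locking out legitimate users.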