Responding to a Brute Force SSH Attack
Jamie Riden

It was a bad start to a Monday morning: I arrived at work to find the intrusion detection system so bogged down in alerts that it was barely responsive.

Responding to a Brute Force SSH Attack 2008-12-04
p0f-db (1 replies)
For efficient p0f with database, you might want to try p0f-db. http://freshmeat.net/projects/p0f-db/...

Re: Responding to a Brute Force SSH Attack 2008-12-08
Jamie
Ah, I've been looking for something like that for a while! For some reason, never managed to find it while googling.

cheers,

Jamie...

Responding to a Brute Force SSH Attack 2008-12-08
Mat
You might want to have a look at deny hosts. (http://denyhosts.sourceforge.net/) Designed to add bad brute force IPs to a block list. You can configure just how strict you want it to be: 3 bad guesses, no more login prompt for you! Very useful for public open ssh services.

Regards,

Mat. ...

Responding to a Brute Force SSH Attack 2008-12-23
Anonymous (1 replies)
I have been using swatch to monitor the syslog, then implementing automatic blocking (route to null) when too many failed ssh attempts have occurred. ...

Re: Responding to a Brute Force SSH Attack 2009-04-28
Anonymous
Yeah, certainly my favorite way (in theory) of dealing with this kind of stuff. Still, having a little practice I have never truly used it. I would appreciate more info on this. Is there a product which monitors and later re-routes attacker's IP to null device?...

Responding to a Brute Force SSH Attack 2009-01-06
Anonymous
Daemonshield is the best solution I have found for dealing with brute force attacks. It pretty much cuts them off at the knees....

Responding to a Brute Force SSH Attack 2009-01-21
Anonymous
real good info...

Responding to a Brute Force SSH Attack 2009-01-27
Jansen Sena (jansen (at) jsena (dot) info [email concealed])
I used to run SSH daemon in an unusual port as shown in the article. Together with this configuration, I like to use fwknop to implement SPA (Single Packet Authorisation). In this case, the SSH daemon will be reachable just from the pre-authorised sources.

If SPA is useful to your reality, con...

Responding to a Brute Force SSH Attack 2009-02-23
Anonymous
Or disable password authentication in ssh entirely and require the use of keys. Gets rid of the riff-raff and you can stay on good old port 22. :)...

Responding to a Brute Force SSH Attack 2009-03-11
Anonymous
Good article, although public facing ssh servers should by any means have permitRootLogin set to NO. IMHO...

Responding to a Brute Force SSH Attack 2009-05-11
Anonymous
Port knocking, non standard ports and black listing are failed strategies:

Port knocking just adds another password to guess, it gives some stealth but makes things much more complicated for your uses.

Using a non standard port doesn't change much. First attack is nmap and then you'll get the ...

Responding to a Brute Force SSH Attack 2009-07-17
Anonymous
A better question is why isn't this admin's IDS system configured to email someone in such cases as this. ...








 

Copyright 2009, SecurityFocus