
What to do about SSH brute force attempts?

Hi all,

For about two days now I'm seeing an extremely high number of apparently
coordinated (well, at least they are trying the same list of usernames) brute
force attempts from IP addresses spread all over the world. I've had denyhosts
and an additional iptables based firewall solution in place to mitigate these
for quite some time already, and this seems to do the trick in terms of
blocking them fairly quickly.

Nevertheless, I'd like to do something about it more proactively, so I also
contact the abuse mailboxes as obtained from whois. From time to time I do even
see responses stating that countermeasures have been taken. In the current
case, however, there rather seems to be a need for some more coordinated action
instead of contacting the ISPs for each single IP -- this one host might get
blocked/shut down, but there is little hope of a more thorough investigation
trying to get closer to the root of these attacks.

Well, probably I'm pretty naive in hoping that one could do anything about that
at all, but maybe some of you are more experienced in security issues/dealing
with CERTs, etc. and have some ideas what could be done.

Further, what do you guys do about such attacks? Just sit back and hope they
don't get hold of any passwords? Any ideas are welcome...
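As an added illustration of what tools like denyhosts do under the hood, and of how the "same list of usernames from many IPs" pattern mentioned above can be spotted in the logs, here is a small log-analysis example. It is not code from the original post or from denyhosts; the sshd log lines are constructed sample data, and the thresholds (three failures per host, two hosts sharing a username list) are assumed values for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from any real system).
# Three sources walk the same username list; a fourth is a single typo
# followed by a successful key login, which should not be flagged.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:02:11 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Mar  3 10:02:14 host sshd[1212]: Failed password for invalid user test from 198.51.100.7 port 40015 ssh2
Mar  3 10:02:18 host sshd[1214]: Failed password for root from 198.51.100.7 port 40019 ssh2
Mar  3 10:03:00 host sshd[1220]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
Mar  3 10:03:03 host sshd[1222]: Failed password for invalid user test from 192.0.2.9 port 33005 ssh2
Mar  3 10:03:07 host sshd[1224]: Failed password for root from 192.0.2.9 port 33009 ssh2
Mar  3 10:05:30 host sshd[1230]: Failed password for alice from 192.0.2.44 port 50001 ssh2
Mar  3 10:05:40 host sshd[1232]: Accepted publickey for alice from 192.0.2.44 port 50001 ssh2
"""

# Matches the OpenSSH "Failed password" line for both existing and
# "invalid user" accounts; captures the username and the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (ip, user) tuples, one per failed password attempt,
    in log order. Lines that are not failed-password events are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("ip"), m.group("user")))
    return failures


def failures_per_ip(log_text):
    """Count failed attempts per source address."""
    counts = defaultdict(int)
    for ip, _user in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def hosts_over_threshold(log_text, threshold=3):
    """Addresses with at least `threshold` failures: the candidates a
    denyhosts-style tool would add to its block list (threshold assumed)."""
    return sorted(ip for ip, n in failures_per_ip(log_text).items() if n >= threshold)


def coordinated_sources(log_text, min_hosts=2):
    """Group source addresses by the exact ordered list of usernames they
    tried. Several addresses sharing one list is the distributed-campaign
    pattern; single typos from a legitimate user do not form a group."""
    tried = defaultdict(list)  # ip -> [user, user, ...] in log order
    for ip, user in parse_failures(log_text):
        tried[ip].append(user)
    by_list = defaultdict(list)  # (user, ...) -> [ip, ...]
    for ip, users in tried.items():
        by_list[tuple(users)].append(ip)
    return {users: sorted(ips) for users, ips in by_list.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    print("failures per IP:", failures_per_ip(SAMPLE_LOG))
    print("over threshold:", hosts_over_threshold(SAMPLE_LOG))
    for users, ips in coordinated_sources(SAMPLE_LOG).items():
        print("username list", users, "tried from", ips)
```

The per-IP counter is what per-host blocking keys on; the grouping in `coordinated_sources` is the extra view that per-IP blocking does not give you, and it is the kind of evidence (one shared username list, many sources, tight timing) worth attaching to an abuse or CERT report rather than a single address at a time.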

