Re: What to do about SSH brute force attempts?
Michael Tautschnig wrote:
> Hi all,
> for about two days I've been seeing an extremely high number of apparently
> coordinated (well, at least they are trying the same list of usernames) brute
> force attempts from IP addresses spread all over the world. I've had denyhosts
> and an additional iptables based firewall solution in place to mitigate these
> for quite some time already and this seems to do the trick in terms of
> blocking them fairly quickly.
> Nevertheless, I'd like to do something about it more proactively, so I also
> contact the abuse mailboxes as obtained from whois. From time to time I do even
> see responses stating that counter measures have been taken. In the current
> case, however, there rather seems to be a need for some more coordinated action
> instead of contacting the ISPs for each single IP -- this host might get
> blocked/shut down, but there is little hope of a more thorough investigation,
> trying to get closer to the root of these attacks.
> Well, probably I'm pretty naive in hoping that one could do anything about that
> at all, but maybe some of you are more experienced in security issues/dealing
> with CERTs, etc. and have some ideas about what could be done.
> Further, what do you guys do about such attacks? Just sit back and hope they
> don't get hold of any passwords? Any ideas are welcome...
First of all, administering linux servers is what I do for a living (yet).
So this is just advice from my experience as a linux user (also on my
servers) and ML reader, please feel free to correct me if I'm wrong. ;)
I believe that most of those 'attacks' (bruteforce attempts) are
(assuming that we're not talking about servers of banks or federal
governments or something like that) rather random.
They're scripts run against whole ranges of IP addresses and so far have hit
anyone I know running a server on the internet.
I'm actually talking about that in a positive way. Meaning that most of
those 'attacks', as I know them, are neither distributed, nor
coordinated to one server.
To cut a long story short, I don't think you get a lot from reporting
the IPs. I suppose the systems running the bruteforce attempts are often either
located somewhere in the world where you can't really do them any harm,
or are infected or compromised systems of people that don't know that
their machines are running such 'attacks'.
So I think reporting is pretty much the only thing you can do. You won't
be able to press criminal charges against anyone I think.
The problem with reporting the IPs is that it can become a very big
task, as the number of IPs denyhosts blocks increases.
Another piece of advice I can give is to change the SSH port. That minimized
bruteforces to almost zero for me.
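One way to check whether the failures in auth.log actually show the pattern the original post describes (the same username list tried from several sources) and which sources have crossed a denyhosts-style block threshold. This is an added example, not code from the thread or from denyhosts; the log lines are constructed samples in OpenSSH's auth.log format.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the thread); the format
# is what OpenSSH writes to auth.log for failed and accepted logins.
SAMPLE_LOG = """\
Jun  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun  3 10:01:04 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Jun  3 10:01:06 host sshd[1205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jun  3 10:02:10 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Jun  3 10:02:12 host sshd[1212]: Failed password for invalid user test from 198.51.100.7 port 51010 ssh2
Jun  3 10:02:14 host sshd[1214]: Failed password for root from 198.51.100.7 port 51015 ssh2
Jun  3 10:05:00 host sshd[1220]: Failed password for alice from 192.0.2.9 port 33001 ssh2
Jun  3 10:05:30 host sshd[1222]: Accepted publickey for alice from 192.0.2.9 port 33002 ssh2
"""

# "invalid user" is only present when the account does not exist locally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text):
    """Return {source_ip: [usernames tried, in order]} for failed password lines."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return failures

def offenders(failures, threshold=3):
    """Sources with at least `threshold` failures: what a denyhosts-style
    tool would add to its block list (threshold is an assumed value)."""
    return sorted(ip for ip, users in failures.items() if len(users) >= threshold)

def shared_username_lists(failures, min_sources=2):
    """Group sources by the exact username sequence they tried. A sequence
    seen from several distinct sources is the 'same list of usernames'
    pattern from the original post, as opposed to a single noisy host."""
    by_list = defaultdict(set)
    for ip, users in failures.items():
        by_list[tuple(users)].add(ip)
    return {ul: ips for ul, ips in by_list.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("block candidates:", offenders(f))
    for ul, ips in shared_username_lists(f).items():
        print("username list", ul, "tried from", sorted(ips))
```

On a real system feed it the contents of /var/log/auth.log (or the journal output for sshd) instead of SAMPLE_LOG; a legitimate user who mistyped once, like alice above, stays below the threshold and is not grouped with the scanners.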