Re: What to do about SSH brute force attempts?
Max Zimmermann wrote:
> Michael Tautschnig wrote:
>> Hi all,
>> for about two days now I've been seeing an extremely high number of apparently
>> coordinated (well, at least they are trying the same list of usernames) brute
>> force attempts from IP addresses spread all over the world. I've had denyhosts
>> and an additional iptables-based firewall solution in place to mitigate these
>> for quite some time already, and this seems to do the trick in terms of
>> blocking them fairly quickly.
>> Nevertheless, I'd like to do something about it more proactively, so I also
>> contact the abuse mailboxes as obtained from whois. From time to time I even
>> see responses stating that countermeasures have been taken. In the current
>> case, however, there seems to be a need for some more coordinated action
>> instead of contacting the ISPs for each single IP -- this host might get
>> blocked/shut down, but there is little hope of a more thorough investigation
>> trying to get closer to the root of these attacks.
>> Well, I'm probably pretty naive in hoping that one could do anything about that
>> at all, but maybe some of you are more experienced with security issues/dealing
>> with CERTs, etc. and have some ideas about what could be done.
>> Further, what do you guys do about such attacks? Just sit back and hope they
>> don't get hold of any passwords? Any ideas are welcome...
> Hey there,
> first of all, administering Linux servers is what I do for a living (yet).
> So this is just advice from my experience as a Linux user (also on my
> servers) and ML reader; please feel free to correct me if I'm wrong. ;)
> I believe that most of those 'attacks' (brute-force attempts) are
> (assuming that we're not talking about servers of banks or federal
> governments or something like that) rather random.
> They're scripts run against whole ranges of IP addresses and so far have hit
> anyone I know running a server on the internet.
> I'm actually talking about that in a positive way, meaning that most of
> those 'attacks', as I know them, are neither distributed nor
> coordinated against one server.
> To cut a long story short, I don't think you get a lot from reporting
> the IPs. I suppose the systems running the brute-force attempts are often either
> located somewhere in the world where you can't really do them any harm,
> or are infected or compromised systems of people who don't know that
> their machines are running such 'attacks'.
> So I think reporting is pretty much the only thing you can do. You won't
> be able to press criminal charges against anyone, I think.
> The problem with reporting the IPs is that it can become a very big
> task as the number of IPs denyhosts blocks increases.
> Another piece of advice I can give is to change the SSH port. That reduced
> brute-force attempts to almost zero for me.
> So long.
Sorry about the confusion, what I meant is that administering Linux
servers is **NOT** what I do for a living. ;)