[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What to do about SSH brute force attempts?

El Thursday 21 August 2008 11:33:51 Michael Tautschnig escribió:
> Hi all,
> since two days (approx.) I'm seeing an extremely high number of apparently
> coordinated (well, at least they are trying the same list of usernames)
> brute force attempts from IP addresses spread all over the world. I've got
> denyhosts and an additional iptables based firewall solution in place to
> mitigate these since quite some time already and this seems to do the trick
> in terms of blocking them fairly quickly.
> Nevertheless, I'd like to do something about it more proactively, so I also
> contact the abuse mailboxes as obtained from whois. From time to time I do
> even see responses stating that counter measures have been taken. In the
> current case, however, there rather seems to be a need for some more
> coordinated action instead of contacting the ISPs for each single IP --
> this host might get blocked/shut down, but there is little hope of a more
> thorough investigation, trying to get closer to the root of these attacks.
> Well, probably I'm pretty naive in hoping that one could do anything about
> that at all, but maybe some of you are more experienced in security
> issues/dealing with CERTs, etc. and have some ideas what could be done.
> Further, what do you guys do about such attacks? Just sit back and hope
> they don't get hold of any passwords? Any ideas are welcome...
> Thanks,
> Michael

redirect attackers to another port with a ssh honeypot with common attacked 
accounts and stupid passwords, let take over false information ( and 
information on to contact you) so they will try to contact you for money then 
call the police or do something similar but atackers will keep comming... 
this is most for you fun

sorry for my bad english.

Carlos Antelo ( aka CMA )

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: