Re: What to do about SSH brute force attempts?
I think they're more interested in using your computer to participate
in the botnet. Sending spam / exploiting other machines is far more
lucrative than holding Joe Nobody's machine for ransom. Unplug +
format = game over.
On Fri, Aug 22, 2008 at 9:27 AM, Carlos Antelo
> On Thursday 21 August 2008 11:33:51 Michael Tautschnig wrote:
>> Hi all,
>> for about two days now I've been seeing an extremely high number of apparently
>> coordinated (well, at least they are trying the same list of usernames)
>> brute force attempts from IP addresses spread all over the world. I've had
>> denyhosts and an additional iptables-based firewall solution in place to
>> mitigate these for quite some time already, and this seems to do the trick
>> in terms of blocking them fairly quickly.
>> Nevertheless, I'd like to do something about it more proactively, so I also
>> contact the abuse mailboxes as obtained from whois. From time to time I do
>> even see responses stating that counter measures have been taken. In the
>> current case, however, there rather seems to be a need for some more
>> coordinated action instead of contacting the ISPs for each single IP --
>> this host might get blocked/shut down, but there is little hope of a more
>> thorough investigation, trying to get closer to the root of these attacks.
>> Well, probably I'm pretty naive in hoping that one could do anything about
>> that at all, but maybe some of you are more experienced in security
>> issues/dealing with CERTs, etc. and have some ideas what could be done.
>> Further, what do you guys do about such attacks? Just sit back and hope
>> they don't get hold of any passwords? Any ideas are welcome...
> Redirect attackers to another port with an SSH honeypot with commonly attacked
> accounts and stupid passwords, let them take over false information (and
> information on how to contact you) so they will try to contact you for money, then
> call the police or do something similar, but attackers will keep coming...
> This is mostly for your fun.
> Sorry for my bad English.
> Carlos Antelo ( aka CMA )
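
Added example, not part of any message in this thread: one way to check whether failed logins from many addresses share a username list, as described in the original question, even when each address stays low in a per-address count. The log lines are constructed samples in OpenSSH's wording, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
Aug 21 09:01:02 host sshd[4101]: Invalid user admin from 192.0.2.10
Aug 21 09:01:40 host sshd[4105]: Invalid user oracle from 198.51.100.7
Aug 21 09:02:13 host sshd[4110]: Failed password for invalid user test from 203.0.113.5 port 40022 ssh2
Aug 21 09:03:00 host sshd[4120]: Invalid user admin from 198.51.100.7
Aug 21 09:03:31 host sshd[4125]: Invalid user test from 192.0.2.10
Aug 21 09:04:05 host sshd[4130]: Failed password for invalid user oracle from 203.0.113.5 port 40391 ssh2
Aug 21 09:05:00 host sshd[4140]: Failed password for root from 203.0.113.99 port 51000 ssh2
Aug 21 09:06:00 host sshd[4150]: Accepted password for alice from 192.0.2.200 port 50000 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(log_text):
    """Return {ip: set of usernames that address failed to log in as}."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:  # successful logins and unrelated lines are skipped
            tried[m.group("ip")].add(m.group("user"))
    return dict(tried)

def coordinated_sources(tried, min_sources=2, min_overlap=0.5):
    """Find usernames tried by >= min_sources addresses, then flag each
    address whose attempts are mostly drawn from that shared list."""
    seen_by = defaultdict(set)
    for ip, users in tried.items():
        for user in users:
            seen_by[user].add(ip)
    shared = {u for u, ips in seen_by.items() if len(ips) >= min_sources}
    flagged = {}
    for ip, users in tried.items():
        common = users & shared
        if len(common) / len(users) >= min_overlap:
            flagged[ip] = sorted(common)
    return shared, flagged

if __name__ == "__main__":
    shared, flagged = coordinated_sources(parse_failures(SAMPLE_LOG))
    print("shared usernames:", sorted(shared))
    for ip, users in sorted(flagged.items()):
        print(ip, "->", users)
```
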