Re: What to do about SSH brute force attempts?

To: cma@montevideolibre.org
Cc: debian-security@lists.debian.org
Subject: Re: What to do about SSH brute force attempts?
From: "Roger Bumgarner" <roger.bumgarner@gmail.com>
Date: Sat, 23 Aug 2008 00:28:32 -0700
Message-id: <[🔎] 235a4bf70808230028n39b54287l3e3fe23c81710d3e@mail.gmail.com>
In-reply-to: <[🔎] 200808221327.16018.carlosmartinantelo@gmail.com>
References: <[🔎] 20080821143351.GP98911@l03.thnet> <[🔎] 200808221327.16018.carlosmartinantelo@gmail.com>

I think they're more interested in using your computer to participate
in the botnet.  sending spam / exploiting other machines is far more
lucrative that holding Joe Nobody's machine for ransom.  unplug +
format = game over.

-rb

On Fri, Aug 22, 2008 at 9:27 AM, Carlos Antelo
<carlosmartinantelo@gmail.com> wrote:
> El Thursday 21 August 2008 11:33:51 Michael Tautschnig escribió:
>> Hi all,
>>
>> since two days (approx.) I'm seeing an extremely high number of apparently
>> coordinated (well, at least they are trying the same list of usernames)
>> brute force attempts from IP addresses spread all over the world. I've got
>> denyhosts and an additional iptables based firewall solution in place to
>> mitigate these since quite some time already and this seems to do the trick
>> in terms of blocking them fairly quickly.
>>
>> Nevertheless, I'd like to do something about it more proactively, so I also
>> contact the abuse mailboxes as obtained from whois. From time to time I do
>> even see responses stating that counter measures have been taken. In the
>> current case, however, there rather seems to be a need for some more
>> coordinated action instead of contacting the ISPs for each single IP --
>> this host might get blocked/shut down, but there is little hope of a more
>> thorough investigation, trying to get closer to the root of these attacks.
>>
>> Well, probably I'm pretty naive in hoping that one could do anything about
>> that at all, but maybe some of you are more experienced in security
>> issues/dealing with CERTs, etc. and have some ideas what could be done.
>>
>> Further, what do you guys do about such attacks? Just sit back and hope
>> they don't get hold of any passwords? Any ideas are welcome...
>>
>> Thanks,
>> Michael
>
> redirect attackers to another port with a ssh honeypot with common attacked
> accounts and stupid passwords, let take over false information ( and
> information on to contact you) so they will try to contact you for money then
> call the police or do something similar but atackers will keep comming...
> this is most for you fun
>
> sorry for my bad english.
>
> --
> Carlos Antelo ( aka CMA )
>

Reply to:

Follow-Ups:
- Re: What to do about SSH brute force attempts?
  - From: Jack T Mudge III <jakykong@theanythingbox.com>
- Re: What to do about SSH brute force attempts?
  - From: Carlos Antelo <carlosmartinantelo@gmail.com>

References:
- What to do about SSH brute force attempts?
  - From: Michael Tautschnig <mt@debian.org>
- Re: What to do about SSH brute force attempts?
  - From: Carlos Antelo <carlosmartinantelo@gmail.com>

Prev by Date: Re: [SECURITY] [DSA 1631-1] New libxml2 packages fix denial of service
Next by Date: Re: What to do about SSH brute force attempts?
Previous by thread: Re: What to do about SSH brute force attempts?
Next by thread: Re: What to do about SSH brute force attempts?
Index(es):
- Date
- Thread