
Re: What to do about SSH brute force attempts?

I don't mean to say that Linux isn't vulnerable, as any operating system has 
its vulnerabilities, but it seems to me that with Linux as a minority 
market share at the moment (for desktops), and in the fields where Linux is 
common (servers), the people administering them are generally skilled 
enough to keep crackers out (for the most part), it seems like anyone 
trying to run a botnet would target Windows, if only because of the number 
of (crackable) computers, and possibly because they wouldn't have to deal 
with the different varieties and configurations of Linux, or the different 
kernels, or the permissions in a well-setup system where they couldn't be 
root, or any of a few other things I can think of.

I'm quite open to other interpretations, and I'd be glad to hear what others 
think of this idea, but IMO, anyone attacking a Linux machine is probably 
doing so for reasons other than running a botnet.

Granted, unplugging generally means game over. I still think that other 
security measures should be used instead when possible (different ports, 
key authentication, honeypot, whatever), especially when sensitive data is 
at risk. I really don't like the idea of having to shut down my server 
every time some script kiddie decides to try and brute-force his way in. 
Not that brute forcing is all that effective on my system, but they keep 
trying. (I'm not on a nonstandard port, because I access my server from 
school, and too many ports are closed to find another open one).

I find this discussion interesting, I'd like to hear some more new ideas :).

On Saturday 23 August 2008 12:28:32 am Roger Bumgarner wrote:
> I think they're more interested in using your computer to participate
> in the botnet.  sending spam / exploiting other machines is far more
> lucrative than holding Joe Nobody's machine for ransom.  unplug +
> format = game over.
> -rb
> On Fri, Aug 22, 2008 at 9:27 AM, Carlos Antelo
> <carlosmartinantelo@gmail.com> wrote:
> > On Thursday 21 August 2008 11:33:51 Michael Tautschnig wrote:
> >> Hi all,
> >>
> >> since two days (approx.) I'm seeing an extremely high number of
> >> apparently coordinated (well, at least they are trying the same list
> >> of usernames) brute force attempts from IP addresses spread all over
> >> the world. I've got denyhosts and an additional iptables based
> >> firewall solution in place to mitigate these since quite some time
> >> already and this seems to do the trick in terms of blocking them
> >> fairly quickly.
> >>
> >> Nevertheless, I'd like to do something about it more proactively, so I
> >> also contact the abuse mailboxes as obtained from whois. From time to
> >> time I do even see responses stating that counter measures have been
> >> taken. In the current case, however, there rather seems to be a need
> >> for some more coordinated action instead of contacting the ISPs for
> >> each single IP -- this host might get blocked/shut down, but there is
> >> little hope of a more thorough investigation, trying to get closer to
> >> the root of these attacks.
> >>
> >> Well, probably I'm pretty naive in hoping that one could do anything
> >> about that at all, but maybe some of you are more experienced in
> >> security issues/dealing with CERTs, etc. and have some ideas what
> >> could be done.
> >>
> >> Further, what do you guys do about such attacks? Just sit back and
> >> hope they don't get hold of any passwords? Any ideas are welcome...
> >>
> >> Thanks,
> >> Michael
> >
> > redirect attackers to another port with a ssh honeypot with common
> > attacked accounts and stupid passwords, let take over false information
> > ( and information on to contact you) so they will try to contact you
> > for money then call the police or do something similar but attackers
> > will keep coming... this is most for you fun
> >
> > sorry for my bad english.
> >
> > --
> > Carlos Antelo ( aka CMA )

Jack Mudge
GPG Pubkey ID: 0x78BEC84C
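
Added example, not part of the original thread: one way to confirm the pattern the quoted original message describes, many source addresses working through the same list of usernames, by grouping IPs from sshd "Failed password" lines on the overlap of the usernames they tried. The function names, thresholds and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" lines, for existing and non-existing accounts.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Aug 21 11:30:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 21 11:30:04 host sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2
Aug 21 11:30:07 host sshd[2101]: Failed password for invalid user oracle from 192.0.2.10 port 40001 ssh2
Aug 21 11:31:12 host sshd[2107]: Failed password for invalid user admin from 198.51.100.23 port 51822 ssh2
Aug 21 11:31:15 host sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 51822 ssh2
Aug 21 11:31:18 host sshd[2107]: Failed password for invalid user oracle from 198.51.100.23 port 51822 ssh2
Aug 21 11:32:40 host sshd[2113]: Failed password for root from 192.0.2.200 port 40100 ssh2
Aug 21 11:33:02 host sshd[2120]: Failed password for invalid user admin from 203.0.113.77 port 33910 ssh2
Aug 21 11:33:05 host sshd[2120]: Failed password for invalid user test from 203.0.113.77 port 33910 ssh2
Aug 21 11:33:08 host sshd[2120]: Failed password for invalid user oracle from 203.0.113.77 port 33910 ssh2
Aug 21 11:33:11 host sshd[2120]: Failed password for invalid user guest from 203.0.113.77 port 33910 ssh2
Aug 21 11:35:10 host sshd[2131]: Failed password for invalid user alice from 203.0.113.5 port 45001 ssh2
Aug 21 11:35:13 host sshd[2131]: Failed password for invalid user bob from 203.0.113.5 port 45001 ssh2
Aug 21 11:35:16 host sshd[2131]: Failed password for invalid user carol from 203.0.113.5 port 45001 ssh2
"""

def usernames_by_ip(log_text):
    """Map each source IP to the set of usernames it failed to log in as."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            tried[m.group("ip")].add(m.group("user"))
    return dict(tried)

def jaccard(a, b):  # 1.0 = identical username sets, 0.0 = disjoint
    return len(a & b) / len(a | b)

def coordinated_groups(tried, min_similarity=0.6, min_names=3):
    """Group IPs whose username lists overlap strongly (single linkage)."""
    ips = sorted(ip for ip, names in tried.items() if len(names) >= min_names)
    groups = []
    for ip in ips:
        linked = [g for g in groups if any(
            jaccard(tried[ip], tried[other]) >= min_similarity for other in g)]
        merged = {ip}.union(*linked)
        groups = [g for g in groups if g not in linked] + [merged]
    return [sorted(g) for g in groups if len(g) > 1]

print(coordinated_groups(usernames_by_ip(SAMPLE_LOG)))
```

Each resulting group is a set of addresses that can be reported together as one campaign rather than one abuse mail per IP.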
