Re: What to do about SSH brute force attempts?
On Thu, Aug 21, 2008 at 10:33 AM, Michael Tautschnig <mt@debian.org> wrote:
> Hi all,
>
> since two days (approx.) I'm seeing an extremely high number of apparently
> coordinated (well, at least they are trying the same list of usernames) brute
> force attempts from IP addresses spread all over the world. I've got denyhosts
> and an additional iptables based firewall solution in place to mitigate these
> since quite some time already and this seems to do the trick in terms of
> blocking them fairly quickly.
>
Personally, I am letting Denyhosts do my legwork and checking the
reports to look for patterns. I gave up on emailing people reports. A
large portion of the emails are bounced with 'make sure you email this
information to us... don't reply to this... ' and another bunch simply
bounce. I have no faith in any asian IP admin receiving and properly
reacting to an email. If I see a domestic (US) host that looks like a
human might answer, I'll try and send a report, but I do nothing
automated.
I realize that I might be a better citizen to respond to all of them
and report bad hosts, but since I've been using denyhosts, I've never
received any positive response about a host being shut down. I think
the vast majority of admins simply don't care or don't even see my
email reports.
Other than that, I have only tightened up my 'number of failed logins'
in denyhosts in response to the recent spate of attacks. I've also
double checked all my role accounts to make sure they're needed and/or
secured.
j
Reply to: