Re: What to do about SSH brute force attempts?

To: debian-security@lists.debian.org
Subject: Re: What to do about SSH brute force attempts?
From: Max Zimmermann <maxzimmermann@googlemail.com>
Date: Thu, 21 Aug 2008 16:59:04 +0200
Message-id: <[🔎] 48AD82B8.1090600@gmail.com>
In-reply-to: <[🔎] 48AD8257.2030403@gmail.com>
References: <[🔎] 20080821143351.GP98911@l03.thnet> <[🔎] 48AD8257.2030403@gmail.com>

Max Zimmermann schrieb:
> Michael Tautschnig schrieb:
>   
>> Hi all,
>>
>> since two days (approx.) I'm seeing an extremely high number of apparently
>> coordinated (well, at least they are trying the same list of usernames) brute
>> force attempts from IP addresses spread all over the world. I've got denyhosts
>> and an additional iptables based firewall solution in place to mitigate these
>> since quite some time already and this seems to do the trick in terms of
>> blocking them fairly quickly.
>>
>> Nevertheless, I'd like to do something about it more proactively, so I also
>> contact the abuse mailboxes as obtained from whois. From time to time I do even
>> see responses stating that counter measures have been taken. In the current
>> case, however, there rather seems to be a need for some more coordinated action
>> instead of contacting the ISPs for each single IP -- this host might get
>> blocked/shut down, but there is little hope of a more thorough investigation,
>> trying to get closer to the root of these attacks.
>>
>> Well, probably I'm pretty naive in hoping that one could do anything about that
>> at all, but maybe some of you are more experienced in security issues/dealing
>> with CERTs, etc. and have some ideas what could be done.
>>
>> Further, what do you guys do about such attacks? Just sit back and hope they
>> don't get hold of any passwords? Any ideas are welcome...
>>
>> Thanks,
>> Michael
>>
>>   
>>     
> Hey there,
>
> first of all, administering linux servers is what I do for living (yet).
> So this is just an advice from my experience as a linux user (also on my
> servers) and ML reader, please feel free to correct me if I'm wrong. ;)
>
> I believe that most of those 'attacks' (bruteforce attempts) are,
> (assumed that we're not talking about servers of banks or federal
> governments or something like that) rather random.
> They're scripts run against whole ranges of IP addresses and so far hit
> anyone I know running a server on the internet.
>
> I'm actually talking about that in a positive way. Meaning that most of
> those 'attacks', as I know them, are neither distributed, nor
> coordinated to one server.
>
> To cut a long story short, I dont't think you get a lot from reporting
> the IPs. I suppose the systems running the bruteforces are often either
> located somewhere in the world where you can't really do them any harm,
> or are infected or compromised systems of people that don't know that
> their machines are running such 'attacks'.
>
> So I thing reporting is pretty much the only thing you can do. You won't
> be able to press criminal charges against anyone I think.
>
> The problem with reporting the IPs is, that it can become a very big
> task, as the number of IPs denyhosts blocks increases.
>
> Another advice I can give is to change the SSH port. That minimized
> bruteforces to almost zero for me.
>
> So long.
>
>
>   
Sorry about the confusion, what I meant is that administering linux
server is **NOT** what I do for living. ;)

-- 
Cheers,

Max


Linux-User #477672

Reply to:

References:
- What to do about SSH brute force attempts?
  - From: Michael Tautschnig <mt@debian.org>
- Re: What to do about SSH brute force attempts?
  - From: Max Zimmermann <maxzimmermann@googlemail.com>

Prev by Date: Re: What to do about SSH brute force attempts?
Next by Date: Re: What to do about SSH brute force attempts?
Previous by thread: Re: What to do about SSH brute force attempts?
Next by thread: Re: What to do about SSH brute force attempts?
Index(es):
- Date
- Thread