Glenn Kelley on 9 Dec 2008 21:06:50 -0800


Re: [PLUG] Brute force SSH attack confounds defenders


I love that idea.

I wonder, is this something we could start and push for?
Maybe even if it was just something that we did locally - it might grow.

Push it out to other locations - even maybe make a few packages for common firewall apps such as PFSense.
Simple XML might be nice.

I can host if you're interested - not sure how to go around making the beast however,
but I love the idea.


On Dec 10, 2008, at 12:00 AM, John Von Essen wrote:

> As long as you have strong password policies, you'll be fine.
> Here's a different take... If a lot of people start locking down SSH via
> firewall or other IP rules, the BOTS will move on to another machine. If
> you follow that logic, the brute force of the attack will get more brute
> for the remaining hosts that leave SSH wide open from an IP access
> standpoint, since the number of bots is unchanged while the number of
> likely targets decreases.
> But... if we all leave SSH open with strong passwords, the brute force
> bots will have a ton of hosts to waste their time on, and eventually brute
> force ssh will become boring and a waste of cpu time.
> Ok, on a more realistic note. What about applying some anti-spam tactics.
> Since the IP information specific to one machine is useless, what if we
> could gather global brute force ssh IP info and put it into a shared
> public DNSBL. Sort of like Spamcop for ssh logins. That incoming IP can be
> checked against this database for a global hit count of failed ssh login
> attempts. People running ssh throughout the world would compile their ssh
> daemon to report failed login attempts (especially attempts for logins
> that don't exist) to this distributed public database.
> It sounds like overkill, but in my opinion there is a chain of events that
> follows ssh brute force attacks. In my experience, a lot of the spam that
> gets through filters is that which originated from a server somewhere that
> got silently brute forced, and is now quietly delivering 500 or so spam
> emails a day.
> Make this new sshd feature default in all new linux releases, and in a
> year... poof.... ssh attacks will be a memory.
> -John
> On Tue, 9 Dec 2008, Brian Vagnoni wrote:
>> ----- Original Message -----
>> From: Alex Valentine
>>> Problem solved.
>> ----- Original Message -----
>>> From the 2nd link.
>> They are talking bot***NET*** level attacks. But still thanks.
>> Tools like DenyHosts, BruteForceBlocker or fail2ban for preventing  
>> attacks on SSH servers usually count the number of failed log-in  
>> attempts from one IP address and enter addresses that exceed a  
>> given threshold on a blacklist (usually /etc/hosts.deny) or as a  
>> rule in the firewall. The system subsequently blocks any further  
>> log-in attempts from blacklisted remote IP addresses.
>> The distributed method prevents the tools from flagging attackers  
>> after only a few log-in attempts. Depending on the scale of the  
>> distributed attack, several thousand attempts to log into an  
>> account can be made. The attacks are suspected to be carried out by  
>> botnets.
>> --------------------------------------------------
>> Brian Vagnoni
>> PGP Digital Fingerprint
>> F076 6EEE 06E5 BEEF EBBD  BD36 F29E 850D FC32 3955
>> --------------------------------------------------

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
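The thread contrasts the per-IP counters of tools like DenyHosts and fail2ban, which a distributed attack slips under, with John's proposal for a shared database holding a global hit count of failed ssh logins per source address. The Python below is an added example written for this page, not code from the thread, from fail2ban or from any such database: it parses sshd "Failed password" lines, applies a per-host threshold, then feeds each host's report into an in-memory stand-in for the shared database so the difference is visible on the same data. The hostnames, the source addresses (RFC 5737 documentation ranges), the log lines and the thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches sshd's "Failed password" line; the optional "invalid user" prefix marks
# attempts against accounts that do not exist on the host (the signal John singles out).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(lines):
    """Yield (ip, user, invalid_user) for every failed-login line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group(3), m.group(2), m.group(1) is not None


def per_ip_blocks(lines, threshold=5):
    """fail2ban-style local rule: block IPs with >= threshold failures on this host alone."""
    counts = Counter(ip for ip, _, _ in parse_failures(lines))
    return {ip for ip, n in counts.items() if n >= threshold}


def host_report(lines):
    """What one host would submit to the shared database: per-IP failure counts and
    how many of those were against usernames that do not exist locally."""
    report = defaultdict(lambda: {"failed": 0, "invalid_user": 0})
    for ip, _user, invalid in parse_failures(lines):
        report[ip]["failed"] += 1
        if invalid:
            report[ip]["invalid_user"] += 1
    return dict(report)


class SharedReputation:
    """In-memory stand-in (an assumption of this example) for the shared, DNSBL-like
    database of global failed-login counts that the thread proposes."""

    def __init__(self):
        self.failed = Counter()
        self.invalid_user = Counter()
        self.reporters = defaultdict(set)

    def submit(self, host_id, report):
        for ip, r in report.items():
            self.failed[ip] += r["failed"]
            self.invalid_user[ip] += r["invalid_user"]
            self.reporters[ip].add(host_id)

    def lookup(self, ip):
        """Global hit count for one IP, as a host would query before accepting a login."""
        return {"failed": self.failed[ip], "invalid_user": self.invalid_user[ip],
                "hosts": len(self.reporters[ip])}

    def listed(self, global_threshold=5, min_hosts=2):
        """IPs seen failing at several independent hosts: the distributed pattern that a
        single per-IP counter cannot see. Requiring more than one reporter keeps a
        single noisy or malicious host from listing an address on its own."""
        return {ip for ip in self.failed
                if self.failed[ip] >= global_threshold and len(self.reporters[ip]) >= min_hosts}


def fail_line(host, ip, user, invalid=False):
    """Build a constructed syslog line in sshd's format (sample data, not a real capture)."""
    tag = "invalid user " if invalid else ""
    return f"Dec  9 21:06:50 {host} sshd[2048]: Failed password for {tag}{user} from {ip} port 40022 ssh2"


# Constructed scenario: 203.0.113.5 and 198.51.100.7 spread a few attempts over three
# hosts (the distributed pattern), while 192.0.2.9 hammers hostA alone (single-source).
HOST_LOGS = {
    "hostA": [fail_line("hostA", "203.0.113.5", "oracle", True)] * 2
             + [fail_line("hostA", "198.51.100.7", "root")] * 2
             + [fail_line("hostA", "192.0.2.9", "root")] * 6
             + ["Dec  9 21:07:01 hostA sshd[2049]: Accepted publickey for glenn from 192.0.2.20 port 50000 ssh2"],
    "hostB": [fail_line("hostB", "203.0.113.5", "oracle", True)] * 2
             + [fail_line("hostB", "198.51.100.7", "root")],
    "hostC": [fail_line("hostC", "203.0.113.5", "oracle", True)] * 2
             + [fail_line("hostC", "198.51.100.7", "root")],
}


def demo():
    """Return (local blocks per host, globally listed IPs) for the constructed scenario."""
    local = {host: per_ip_blocks(lines) for host, lines in HOST_LOGS.items()}
    db = SharedReputation()
    for host, lines in HOST_LOGS.items():
        db.submit(host, host_report(lines))
    return local, db.listed()


if __name__ == "__main__":
    local, shared = demo()
    print("local blocks:", local)     # only hostA blocks, and only 192.0.2.9
    print("shared listing:", shared)  # 203.0.113.5, which no host would block alone
```

Run as written, the per-host rule blocks only the single-source address on hostA, while the shared view lists 203.0.113.5, which never exceeded the local threshold anywhere. The `min_hosts` check in `listed` is the part a real shared list would have to get right: without it, any one participant could list an address, which is the same poisoning problem spam DNSBLs have to guard against.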