Glenn Kelley on 9 Dec 2008 21:06:50 -0800



Re: [PLUG] Brute force SSH attack confounds defenders


John

I love that idea.

I wonder, is this something we could start and push for?
Maybe even if it was just something that we did locally, it might grow.

Push it out to other locations, even maybe make a few packages for
common firewall apps such as PFSense.
Simple XML might be nice.

I can host if you're interested; not sure how to go about making the
beast, however,
but I love the idea.

Glenn


On Dec 10, 2008, at 12:00 AM, John Von Essen wrote:

> As long as you have strong password policies, you'll be fine.
>
> Here's a different take... If a lot of people start locking down SSH via
> firewall or other IP rules, the BOTS will move on to another machine. If
> you follow that logic, the brute force of the attack will get more brute
> for the remaining hosts that leave SSH wide open from an IP access
> standpoint, since the number of bots is unchanged while the number of
> likely targets decreases.
>
> But... if we all leave SSH open with strong passwords, the brute force
> bots will have a ton of hosts to waste their time on, and eventually brute
> force ssh will become boring and a waste of CPU time.
>
> Ok, on a more realistic note. What about applying some anti-spam tactics.
> Since the IP information specific to one machine is useless, what if we
> could gather global brute force ssh IP info and put it into a shared
> public DNSBL. Sort of like Spamcop for ssh logins. That incoming IP can be
> checked against this database for a global hit count of failed ssh login
> attempts. People running ssh throughout the world would compile their ssh
> daemon to report failed login attempts (especially attempts for logins
> that don't exist) to this distributed public database.
>
> It sounds like overkill, but in my opinion there is a chain of events that
> follows ssh brute force attacks. In my experience, a lot of the spam that
> gets through filters is that which originated from a server somewhere that
> got silently brute forced, and is now quietly delivering 500 or so spam
> emails a day.
>
> Make this new sshd feature default in all new linux releases, and in a
> year... poof.... ssh attacks will be a memory.
>
> -John
>
> On Tue, 9 Dec 2008, Brian Vagnoni wrote:
>
>> ----- Original Message -----
>> From: Alex Valentine
>>> Problem solved.
>>>
>>> http://denyhosts.sourceforge.net/
>> ----- Original Message -----
>>
>>> From the 2nd link.
>>
>> They are talking bot***NET*** level attacks. But still thanks.
>>
>> Tools like DenyHosts, BruteForceBlocker or fail2ban for preventing  
>> attacks on SSH servers usually count the number of failed log-in  
>> attempts from one IP address and enter addresses that exceed a  
>> given threshold on a blacklist (usually /etc/hosts.deny) or as a  
>> rule in the firewall. The system subsequently blocks any further  
>> log-in attempts from blacklisted remote IP addresses.
>>
>> The distributed method prevents the tools from flagging attackers  
>> after only a few log-in attempts. Depending on the scale of the  
>> distributed attack, several thousand attempts to log into an  
>> account can be made. The attacks are suspected to be carried out by  
>> botnets.
>>
>>
>> --------------------------------------------------
>> Brian Vagnoni
>> PGP Digital Fingerprint
>> F076 6EEE 06E5 BEEF EBBD  BD36 F29E 850D FC32 3955
>> --------------------------------------------------
>> ___________________________________________________________________________
>> Philadelphia Linux Users Group         --        http://www.phillylinux.org
>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>>

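As an added example (not code from this thread, nor from DenyHosts, fail2ban or any sshd patch), the script below puts the two points made in the quoted messages into working form: a per-host counter of the DenyHosts/fail2ban kind never trips when a distributed attack spreads its guesses so that each source address fails only a couple of times per host, while pooling the same failures from several hosts into a DNSBL-style zone (octets reversed under a zone name, 127.0.0.x answers, as spam blocklists do) yields the global hit count John proposes. The auth.log lines, the hosts, the zone name sshbl.example, the choice to carry the capped hit count in the last octet of the answer, and the thresholds are all constructed assumptions for the demonstration.

```python
"""Per-host blocking versus a shared, DNSBL-style hit count for failed SSH logins.

Added example: the log lines, hosts, zone name and answer encoding below
are constructed for illustration and are not taken from any real system.
"""
import re
from collections import Counter, defaultdict

# Constructed attack: four source addresses (documentation ranges), each
# trying only twice per host, on three unrelated hosts that all report.
ATTACK_IPS = ["203.0.113.5", "203.0.113.17", "198.51.100.23", "198.51.100.99"]
HOSTS = ["alpha", "beta", "gamma"]
ZONE = "sshbl.example"  # assumed name of the shared zone


def make_log(host):
    """Build constructed OpenSSH auth.log lines for one host."""
    lines = []
    for ip in ATTACK_IPS:
        lines.append(f"Dec  9 21:06:50 {host} sshd[2931]: Failed password for "
                     f"invalid user admin from {ip} port 40122 ssh2")
        lines.append(f"Dec  9 21:06:53 {host} sshd[2931]: Failed password for "
                     f"root from {ip} port 40122 ssh2")
    # One genuine typo by a real user; must stay unlisted everywhere.
    lines.append(f"Dec  9 21:10:01 {host} sshd[2940]: Failed password for "
                 f"glenn from 192.0.2.10 port 51022 ssh2")
    return lines


# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines):
    """Yield (ip, user, is_invalid_user) for every failed password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def local_blocklist(lines, maxretry=5):
    """What DenyHosts/fail2ban do: count failures per IP on this host only."""
    counts = Counter(ip for ip, _, _ in parse_failures(lines))
    return {ip for ip, n in counts.items() if n >= maxretry}


def dnsbl_qname(ip, zone=ZONE):
    """Reverse the octets as spam DNSBLs do: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone + "."


class SharedZone:
    """In-memory stand-in for the proposed public DNSBL (assumed design)."""

    def __init__(self, min_hits=5):
        self.min_hits = min_hits
        self.hits = Counter()               # global failed-login count per IP
        self.invalid_user_hits = Counter()  # attempts against accounts that don't exist
        self.reporters = defaultdict(set)   # distinct hosts that reported each IP

    def report(self, host, lines):
        """A reporting sshd would submit each failure it sees; here hosts push logs."""
        for ip, _, invalid in parse_failures(lines):
            self.hits[ip] += 1
            self.reporters[ip].add(host)
            if invalid:
                self.invalid_user_hits[ip] += 1

    def answer(self, qname, zone=ZONE):
        """Resolve a DNSBL-style query name; None models NXDOMAIN (not listed).

        Listed addresses get a 127.0.0.x answer whose last octet carries the
        global hit count, capped at 255, so clients can apply their own cutoff.
        """
        suffix = "." + zone + "."
        if not qname.endswith(suffix):
            return None
        ip = ".".join(reversed(qname[:-len(suffix)].split(".")))
        n = self.hits.get(ip, 0)
        if n < self.min_hits:
            return None
        return f"127.0.0.{min(n, 255)}"


def is_listed(zone, ip, threshold=5):
    """Client-side check a host would do before accepting the connection."""
    a = zone.answer(dnsbl_qname(ip))
    return a is not None and int(a.rsplit(".", 1)[1]) >= threshold


def demo():
    """Return (per-host blocklists, IPs the shared zone would list)."""
    logs = {h: make_log(h) for h in HOSTS}
    local = {h: local_blocklist(lines) for h, lines in logs.items()}
    zone = SharedZone(min_hits=5)
    for h, lines in logs.items():
        zone.report(h, lines)
    listed = sorted(ip for ip in ATTACK_IPS + ["192.0.2.10"] if is_listed(zone, ip))
    return local, listed


if __name__ == "__main__":
    local, listed = demo()
    print("per-host blocks:", local)      # every host: empty set
    print("globally listed:", listed)     # the four attacking addresses only
```

With two failures per address per host, no host ever reaches a maxretry of 5, which is exactly the gap Brian's quoted text describes; the same six failures seen across three reporters clear the shared threshold, while the user who mistyped a password three times in total stays unlisted.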