From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 14:17:16 2009
Date: Wed, 2 Dec 2009 09:07:07 -0500
From: Bill Moran
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, Mohd Fazli Azran
Subject: Re: Increase in SSH attacks as of announcement of rtld bug
Message-Id: <20091202090707.f563976d.wmoran@collaborativefusion.com>
In-Reply-To: <200912021324.nB2DOc58001138@lava.sentex.ca>
Organization: Collaborative Fusion Inc.

In response to Mike Tancsa:

> At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote:
> > Seem they use multi host and brute force. My network is every day
> > increasing the activity of attempted ssh logins with multiple hosts +
> > multiple logins with multiple passwords. Seem I got many of these messages
>
> Yes, that's the latest pattern I have been seeing -- distributed, slow
> and coordinated. Here is a sample from one of my honeypots. The
> only way to deal with them I found is to have multiple sensors
> throughout my network and aggregate the data. Otherwise, each IP
> only appears every few hrs in the logs.

I deal with it by immediately blocking any host that generates an
"invalid user" error.

Of course, that won't work for everyone :(

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
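An added illustration of the two approaches in this exchange, not code from anyone in the thread: it parses sshd "Invalid user" lines from several sensors, shows why one sensor's view of a slow, distributed scan stays below any sensible threshold while the aggregated view does not, and applies Bill's block-on-first-"invalid user" rule as the threshold=1 case. Sensor names, source IPs and log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed FreeBSD-style auth.log lines (hypothetical hosts and IPs).
# Both sensors see the same source IPs, but hours apart and only once or twice each.
SENSOR_LOGS = {
    "sensor-a": [
        "Dec  2 01:12:03 sensor-a sshd[4101]: Invalid user admin from 203.0.113.7",
        "Dec  2 04:40:51 sensor-a sshd[4188]: Invalid user oracle from 198.51.100.23",
        "Dec  2 06:02:17 sensor-a sshd[4230]: Accepted publickey for wmoran from 192.0.2.5 port 51022 ssh2",
    ],
    "sensor-b": [
        "Dec  2 02:55:40 sensor-b sshd[2210]: Invalid user test from 203.0.113.7",
        "Dec  2 05:31:09 sensor-b sshd[2299]: Invalid user admin from 203.0.113.7",
        "Dec  2 07:18:22 sensor-b sshd[2350]: Invalid user guest from 198.51.100.23",
    ],
}

# \S* rather than \S+: sshd can log an empty username ("Invalid user  from ...").
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S*) from (\d{1,3}(?:\.\d{1,3}){3})")

def invalid_user_events(lines):
    """Yield (username, source_ip) for every sshd 'Invalid user' line; ignore the rest."""
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            yield m.group(1), m.group(2)

def per_sensor_counts(sensor_logs):
    """Invalid-user attempts per source IP as each sensor sees them on its own."""
    return {name: Counter(ip for _, ip in invalid_user_events(lines))
            for name, lines in sensor_logs.items()}

def aggregated_counts(sensor_logs):
    """The same counts after merging every sensor's data into one view."""
    total = Counter()
    for counts in per_sensor_counts(sensor_logs).values():
        total.update(counts)
    return total

def block_candidates(sensor_logs, threshold=1):
    """Source IPs whose aggregated count reaches threshold (1 = block on first invalid user)."""
    return sorted(ip for ip, n in aggregated_counts(sensor_logs).items() if n >= threshold)

if __name__ == "__main__":
    for name, counts in per_sensor_counts(SENSOR_LOGS).items():
        print(name, dict(counts))                      # no IP exceeds 2 on any one sensor
    print("aggregated", dict(aggregated_counts(SENSOR_LOGS)))
    print("block at >=3 across sensors:", block_candidates(SENSOR_LOGS, 3))
    print("block on first invalid user:", block_candidates(SENSOR_LOGS))
```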