From owner-freebsd-hackers@FreeBSD.ORG Fri Oct 2 21:38:15 2009
Date: Fri, 02 Oct 2009 17:17:59 -0400
From: Greg Larkin <glarkin@FreeBSD.org>
Organization: The FreeBSD Project
To: Jeremy Lea
Cc: freebsd-hackers@freebsd.org
Subject: Re: Distributed SSH attack
Message-ID: <4AC66E07.4030605@FreeBSD.org>
In-Reply-To: <20091002201039.GA53034@flint.openpave.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeremy Lea wrote:
> Hi,
>
> This is off topic to this list, but I don't want to subscribe to -chat
> just to post there... Someone is currently running a distributed SSH
> attack against one of my boxes - one attempted login for root every
> minute or so for the last 48 hours. They won't get anywhere, since the
> box in question has no root password, and doesn't allow root logins via
> SSH anyway...
>
> But I was wondering if there were any security researchers out there
> that might be interested in the +-800 IPs I've collected from the
> botnet? The resolvable hostnames mostly appear to be in Eastern Europe
> and South America - I haven't spotted any that might be 'findable' to
> get the botnet software.
>
> I could switch out the machine for a honeypot in a VM or a jail, by
> moving the host to a new IP, and if you can think of a way of allowing
> the next login to succeed with any password, then you could try to see
> what they delivered... But I don't have a lot of time to help.
>
> Regards,
> -Jeremy
>

Hi Jeremy,

You could set up DenyHosts and contribute to the pool of IPs that are
attempting SSH logins on the Net:

http://denyhosts.sourceforge.net/faq.html#4_0

It also looks like there's been quite a spike of SSH login activity
recently:

http://stats.denyhosts.net/stats.html

Hope that helps,
Greg

- --
Greg Larkin

http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFKxm4H0sRouByUApARAtnPAKCQuivQdE1s0ZZnUO6qVWA87N8ZKgCgjyYD
Tbv+hWI+KoXYsEpt0n4gW5k=
=xCz7
-----END PGP SIGNATURE-----
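The pattern Jeremy describes (one root attempt per minute from several hundred distinct addresses) looks very different in a log from a classic single-source brute force, and tools like DenyHosts key on per-address counts. The script below is an added example written for this archive page, not code from the thread or from DenyHosts: it parses sshd "Failed password" lines in the syslog layout FreeBSD writes to /var/log/auth.log, counts attempts per source and per target user, and labels the activity as distributed or brute-force. The log lines, hostnames and addresses are constructed sample data, and the thresholds in classify() are assumptions that would be tuned per host.

```python
"""Classify sshd password failures as single-source brute force or a
distributed, low-rate attack (many addresses, each trying root a few times).
Added example for the mailing-list archive; constructed data throughout."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (RFC 5737 documentation addresses, made-up host
# "flint"). Layout assumed: classic syslog line as written by FreeBSD sshd.
DISTRIBUTED_LOG = """\
Oct  2 17:01:03 flint sshd[1201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Oct  2 17:02:11 flint sshd[1204]: Failed password for root from 198.51.100.7 port 52311 ssh2
Oct  2 17:03:09 flint sshd[1210]: Failed password for root from 192.0.2.55 port 41833 ssh2
Oct  2 17:04:15 flint sshd[1213]: Failed password for root from 203.0.113.77 port 39012 ssh2
Oct  2 17:05:08 flint sshd[1219]: Failed password for invalid user admin from 198.51.100.20 port 3321 ssh2
Oct  2 17:05:09 flint sshd[1230]: Accepted publickey for jeremy from 192.168.1.12 port 50011 ssh2
"""

BRUTE_FORCE_LOG = """\
Oct  2 17:01:03 flint sshd[1301]: Failed password for root from 203.0.113.10 port 40122 ssh2
Oct  2 17:01:04 flint sshd[1302]: Failed password for root from 203.0.113.10 port 40123 ssh2
Oct  2 17:01:05 flint sshd[1303]: Failed password for root from 203.0.113.10 port 40124 ssh2
Oct  2 17:01:06 flint sshd[1304]: Failed password for invalid user test from 203.0.113.10 port 40125 ssh2
Oct  2 17:01:07 flint sshd[1305]: Failed password for root from 203.0.113.10 port 40126 ssh2
"""

# Only "Failed password" lines are counted; the separate "Invalid user" line
# sshd emits for unknown accounts would otherwise double-count an attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Return one (timestamp, user, ip, invalid_user) tuple per failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip"), m.group("invalid") is not None))
    return events


def source_addresses(events):
    """Sorted list of distinct source addresses, i.e. the IP list one would share."""
    return sorted({e[2] for e in events})


def attempts_per_minute(events):
    """Overall failure rate across all sources; a span under a minute counts as one."""
    if not events:
        return 0.0
    span = (max(e[0] for e in events) - min(e[0] for e in events)).total_seconds()
    return len(events) / max(span / 60.0, 1.0)


def classify(events, min_sources=4, max_per_source=2, brute_threshold=5):
    """Label the pattern. Thresholds are assumptions for this example.

    brute-force: a single source alone reaches brute_threshold attempts
    distributed: many distinct sources, each making only a few attempts
                 (per-source blocking sees almost nothing here)
    sparse:      too little activity to call either way
    """
    per_ip = Counter(e[2] for e in events)
    if per_ip and max(per_ip.values()) >= brute_threshold:
        return "brute-force"
    if len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_source:
        return "distributed"
    return "sparse"


if __name__ == "__main__":
    for name, log in (("distributed", DISTRIBUTED_LOG), ("brute-force", BRUTE_FORCE_LOG)):
        ev = parse_failures(log)
        users = Counter(e[1] for e in ev)
        print(f"{name}: {len(ev)} failures from {len(source_addresses(ev))} sources, "
              f"{attempts_per_minute(ev):.2f}/min, targets {dict(users)}, "
              f"verdict={classify(ev)}")
```

The point of the two samples is the per-source counter: the brute-force log trips a threshold on one address immediately, while the distributed log never shows more than one failure per address, so the only reliable signal there is the aggregate rate across all sources and the number of distinct addresses targeting root.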