Date:      Fri, 02 Oct 2009 18:39:09 -0400
From:      "Aryeh M. Friedman" <aryeh.friedman@gmail.com>
To:        glarkin@FreeBSD.org
Cc:        Jeremy Lea <reg@freebsd.org>, freebsd-hackers@freebsd.org
Subject:   Re: Distributed SSH attack
Message-ID:  <4AC6810D.1030106@gmail.com>
In-Reply-To: <4AC66E07.4030605@FreeBSD.org>
References:  <20091002201039.GA53034@flint.openpave.org> <4AC66E07.4030605@FreeBSD.org>

Greg Larkin wrote:
> Jeremy Lea wrote:
>
>> Hi,
>>
>> This is off topic to this list, but I don't want to subscribe to -chat
>> just to post there...  Someone is currently running a distributed SSH
>> attack against one of my boxes - one attempted login for root every
>> minute or so for the last 48 hours.  They won't get anywhere, since the
>> box in question has no root password, and doesn't allow root logins via
>> SSH anyway...
>>
>> But I was wondering if there were any security researchers out there
>> that might be interested in the +-800 IPs I've collected from the
>> botnet?  The resolvable hostnames mostly appear to be in Eastern Europe
>> and South America - I haven't spotted any that might be 'findable' to
>> get the botnet software.
>>
>> I could switch out the machine for a honeypot in a VM or a jail, by
>> moving the host to a new IP, and if you can think of a way of allowing
>> the next login to succeed with any password, then you could try to see
>> what they delivered...  But I don't have a lot of time to help.
>>
>> Regards,
>>   -Jeremy
>>
>>
>
> Hi Jeremy,
>
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0
>
> It also looks like there's been quite a spike of SSH login activity
> recently: http://stats.denyhosts.net/stats.html
>
> Hope that helps,
> Greg
> --
> Greg Larkin
>
> http://www.FreeBSD.org/           - The Power To Serve
> http://www.sourcehosting.net/     - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you
>
There seems to be some kind of coordinated attack because I have been
seeing different backbones wink in and out (work and home are on
completely different backbones and are having roughly the same intermittent
interruptions).
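As an added, defender-side illustration that is not part of the thread: a small parser over constructed sshd log lines that separates the pattern Jeremy describes (many sources, roughly one root attempt each) from a single noisy source, since a per-IP block threshold of the DenyHosts kind only catches the latter, and that collects the distinct source addresses for contribution to a shared list. The host name `flint`, the addresses, and the `per_ip_threshold` and `min_sources` values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One OpenSSH "Failed password" line as syslog writes it (month day time host sshd[pid]: ...).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample (host and addresses made up): 3 sources hit root once each; one hammers 'admin'.
SAMPLE_LOG = """\
Oct  2 18:00:03 flint sshd[50123]: Failed password for root from 198.51.100.7 port 4021 ssh2
Oct  2 18:01:10 flint sshd[50131]: Failed password for root from 203.0.113.44 port 3991 ssh2
Oct  2 18:02:16 flint sshd[50140]: Accepted publickey for reg from 192.0.2.9 port 52210 ssh2
Oct  2 18:02:40 flint sshd[50142]: Failed password for root from 192.0.2.250 port 4502 ssh2
Oct  2 18:03:01 flint sshd[50150]: Failed password for invalid user admin from 203.0.113.99 port 1025 ssh2
Oct  2 18:03:02 flint sshd[50150]: Failed password for invalid user admin from 203.0.113.99 port 1025 ssh2
Oct  2 18:03:03 flint sshd[50150]: Failed password for invalid user admin from 203.0.113.99 port 1025 ssh2
"""

def summarize_failures(lines):
    """Per target account: total attempts, attempts per source IP, first/last timestamp."""
    summary = defaultdict(lambda: {"attempts": 0, "sources": defaultdict(int),
                                   "first": None, "last": None})
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated syslog lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        entry = summary[m["user"]]
        entry["attempts"] += 1
        entry["sources"][m["ip"]] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return summary

def classify(entry, per_ip_threshold=3, min_sources=3):
    """'single-source': one IP alone reaches a per-IP block threshold (what per-IP blockers
    catch); 'distributed': many IPs each stay below it, the pattern in the thread."""
    counts = list(entry["sources"].values())
    if max(counts) >= per_ip_threshold:
        return "single-source"
    if len(counts) >= min_sources:
        return "distributed"
    return "low"

def all_sources(summary):
    """Sorted list of every failing source IP, e.g. for contributing to a shared block list."""
    return sorted({ip for entry in summary.values() for ip in entry["sources"]})
```

Counting per account rather than per source is what exposes the low-rate distributed case; per-IP tools see only one attempt from each address.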
