From: "Aryeh M. Friedman"
Date: Fri, 02 Oct 2009 18:39:09 -0400
To: glarkin@FreeBSD.org
Cc: Jeremy Lea, freebsd-hackers@freebsd.org
Subject: Re: Distributed SSH attack
Message-ID: <4AC6810D.1030106@gmail.com>
In-Reply-To: <4AC66E07.4030605@FreeBSD.org>
References: <20091002201039.GA53034@flint.openpave.org> <4AC66E07.4030605@FreeBSD.org>
List-Id: Technical Discussions relating to FreeBSD

Greg Larkin wrote:
> Jeremy Lea wrote:
>
>> Hi,
>>
>> This is off topic to this list, but I don't want to subscribe to -chat
>> just to post there... Someone is currently running a distributed SSH
>> attack against one of my boxes - one attempted login for root every
>> minute or so for the last 48 hours. They won't get anywhere, since the
>> box in question has no root password, and doesn't allow root logins via
>> SSH anyway...
>>
>> But I was wondering if there were any security researchers out there
>> that might be interested in the +-800 IPs I've collected from the
>> botnet? The resolvable hostnames mostly appear to be in Eastern Europe
>> and South America - I haven't spotted any that might be 'findable' to
>> get the botnet software.
>>
>> I could switch out the machine for a honeypot in a VM or a jail, by
>> moving the host to a new IP, and if you can think of a way of allowing
>> the next login to succeed with any password, then you could try to see
>> what they delivered... But I don't have a lot of time to help.
>>
>> Regards,
>> -Jeremy
>>
>
> Hi Jeremy,
>
> You could set up DenyHosts and contribute to the pool of IPs that are
> attempting SSH logins on the Net:
> http://denyhosts.sourceforge.net/faq.html#4_0
>
> It also looks like there's been quite a spike of SSH login activity
> recently: http://stats.denyhosts.net/stats.html
>
> Hope that helps,
> Greg
> --
> Greg Larkin
>
> http://www.FreeBSD.org/ - The Power To Serve
> http://www.sourcehosting.net/ - Ready. Set. Code.
> http://twitter.com/sourcehosting/ - Follow me, follow you
>

There seems to be some kind of coordinated attack because I have been seeing different backbones wink in and out (work and home are on completely diff backbones and are having roughly the same intermittent interruptions)
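The attack Jeremy describes (hundreds of sources, each trying root about once a minute) never trips a per-IP threshold, which is why a per-IP blocker such as DenyHosts sees only noise. The following detector, an added example and not code from this thread or from DenyHosts, instead counts distinct source IPs per target user inside a sliding window over sshd's "Failed password" lines; the hostname "flint", the process ids and the RFC 5737 addresses in the sample are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Rejected-password line as OpenSSH's sshd writes it to FreeBSD's /var/log/auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_auth_log(lines, year=2009):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_distributed_bruteforce(lines, window=3600, min_sources=5):
    """Return {user: (distinct_sources, max_attempts_from_one_ip)} for users hit
    from at least `min_sources` IPs inside any `window`-second span. A high
    source count next to a tiny per-IP count is the shape per-IP blockers miss."""
    per_user = defaultdict(list)
    for ts, user, ip in parse_auth_log(lines):
        per_user[user].append((ts, ip))
    hits = {}
    for user, events in per_user.items():
        recent, counts = deque(), defaultdict(int)  # window events, per-IP tally
        for ts, ip in sorted(events):
            recent.append((ts, ip))
            counts[ip] += 1
            while (ts - recent[0][0]).total_seconds() > window:  # expire old
                old_ip = recent.popleft()[1]
                counts[old_ip] -= 1
                if counts[old_ip] == 0:
                    del counts[old_ip]
            if len(counts) >= min_sources and len(counts) > hits.get(user, (0,))[0]:
                hits[user] = (len(counts), max(counts.values()))
    return hits

# Constructed sample (not from the thread): five bots, one root attempt each,
# about a minute apart, plus unrelated lines the parser must skip or separate.
SAMPLE = """\
Oct  2 15:30:01 flint sshd[1201]: Failed password for root from 203.0.113.10 port 40211 ssh2
Oct  2 15:31:07 flint sshd[1204]: Failed password for root from 198.51.100.23 port 51002 ssh2
Oct  2 15:31:40 flint sshd[1205]: Accepted publickey for jeremy from 192.0.2.5 port 2200 ssh2
Oct  2 15:32:12 flint sshd[1208]: Failed password for root from 203.0.113.77 port 38871 ssh2
Oct  2 15:33:18 flint sshd[1211]: Failed password for invalid user admin from 203.0.113.10 port 40300 ssh2
Oct  2 15:34:05 flint sshd[1213]: Failed password for root from 198.51.100.9 port 44401 ssh2
Oct  2 15:35:30 flint sshd[1218]: Failed password for root from 203.0.113.140 port 49120 ssh2
""".splitlines()
```

Run it against a real auth.log with `find_distributed_bruteforce(open("/var/log/auth.log"))`; the per-IP count in the result is what a DenyHosts-style threshold would have compared against, and for a botnet of the size Jeremy reports it stays at one.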