Date: Fri, 16 Apr 2010 16:39:53 +0800
From: David Xu <davidxu@freebsd.org>
To: Jeremy Lea <reg@freebsd.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Distributed SSH attack
Message-ID: <4BC82259.90203@freebsd.org>
In-Reply-To: <20091002201039.GA53034@flint.openpave.org>
References: <20091002201039.GA53034@flint.openpave.org>

Jeremy Lea wrote:
> Hi,
>
> This is off topic to this list, but I don't want to subscribe to -chat
> just to post there...  Someone is currently running a distributed SSH
> attack against one of my boxes - one attempted login for root every
> minute or so for the last 48 hours.  They won't get anywhere, since the
> box in question has no root password, and doesn't allow root logins via
> SSH anyway...
>
> But I was wondering if there were any security researchers out there
> that might be interested in the +-800 IPs I've collected from the
> botnet?  The resolvable hostnames mostly appear to be in Eastern Europe
> and South America - I haven't spotted any that might be 'findable' to
> get the botnet software.
>
> I could switch out the machine for a honeypot in a VM or a jail, by
> moving the host to a new IP, and if you can think of a way of allowing
> the next login to succeed with any password, then you could try to see
> what they delivered...  But I don't have a lot of time to help.
>
> Regards,
>   -Jeremy
>

Try to change SSH port to something other than default port 22,
I always did this for my machines, e.g., change them to 13579 :-)

Regards,
David Xu
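
Added example, not part of the original thread: a log check for the pattern described above, where each source address tries only once or twice, so a per-IP failure threshold stays silent while a count of distinct sources per targeted user in a time window flags the attack. The "Failed password" syslog line format, the thresholds, the function names and the sample log are assumptions made for illustration; the sample addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse(lines, year=2010):
    """Return (timestamp, user, source_ip) for each failed-password line."""
    out = []
    for m in filter(None, map(FAILED.match, lines)):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group(2), m.group(3)))
    return out

def per_ip_offenders(events, threshold=5):
    """Per-source rule: IPs with at least `threshold` failures."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_targets(events, window=timedelta(hours=1), min_sources=20):
    """Map user -> peak count of distinct source IPs seen in any window."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        seen, start, peak = Counter(), 0, 0
        for ts, ip in hits:
            seen[ip] += 1
            while ts - hits[start][0] > window:  # slide the window forward
                seen[hits[start][1]] -= 1
                if seen[hits[start][1]] == 0:
                    del seen[hits[start][1]]
                start += 1
            peak = max(peak, len(seen))
        if peak >= min_sources:
            flagged[user] = peak
    return flagged

def sample_log(n=60):
    """Constructed input: one root attempt per minute, each from a new IP."""
    t0 = datetime(2010, 4, 16, 8, 0, 0)
    return [f"{t0 + timedelta(minutes=i):%b %d %H:%M:%S} host sshd[{1000 + i}]: "
            f"Failed password for root from 198.51.100.{i + 1} port {40000 + i} ssh2"
            for i in range(n)]

if __name__ == "__main__":
    events = parse(sample_log())
    print(per_ip_offenders(events), distributed_targets(events))
```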