From owner-freebsd-hackers@FreeBSD.ORG Fri Apr 16 09:18:10 2010
From: krad
To: David Xu
Cc: Jeremy Lea, freebsd-hackers@freebsd.org
Date: Fri, 16 Apr 2010 10:18:08 +0100
Subject: Re: Distributed SSH attack
In-Reply-To: <4BC82259.90203@freebsd.org>
References: <20091002201039.GA53034@flint.openpave.org> <4BC82259.90203@freebsd.org>
List-Id: Technical Discussions relating to FreeBSD

On 16 April 2010 09:39, David Xu wrote:
> Jeremy Lea wrote:
>
>> Hi,
>>
>> This is off topic to this list, but I don't want to subscribe to -chat
>> just to post there... Someone is currently running a distributed SSH
>> attack against one of my boxes - one attempted login for root every
>> minute or so for the last 48 hours. They won't get anywhere, since the
>> box in question has no root password, and doesn't allow root logins via
>> SSH anyway...
>>
>> But I was wondering if there were any security researchers out there
>> that might be interested in the +-800 IPs I've collected from the
>> botnet? The resolvable hostnames mostly appear to be in Eastern Europe
>> and South America - I haven't spotted any that might be 'findable' to
>> get the botnet software.
>>
>> I could switch out the machine for a honeypot in a VM or a jail, by
>> moving the host to a new IP, and if you can think of a way of allowing
>> the next login to succeed with any password, then you could try to see
>> what they delivered... But I don't have a lot of time to help.
>>
>> Regards,
>> -Jeremy
>>
> Try to change SSH port to something other than default port 22,
> I always did this for my machines, e.g., change them to 13579 :-)
>
> Regards,
> David Xu
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

Don't allow password auth, TCP-wrap it, and ACL it with pf. Probably more stuff you can do. Think onions.
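As an added example (not from the thread), here is a small sh/awk script that summarises failed root logins in an sshd auth log and decides whether the pattern is the distributed, low-rate kind Jeremy describes (many sources, a try or two each), which is exactly the case where per-source rate limiting buys little and disabling password auth does the work. The log lines are constructed and the log path and thresholds are assumptions.

```shell
#!/bin/sh
# Added example: classify failed root logins in an sshd log.
# Sample log is constructed; on a real host point the functions at
# /var/log/auth.log (path is an assumption, adjust for your syslog setup).

SAMPLE_LOG="${TMPDIR:-/tmp}/auth.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Apr 16 09:01:12 host sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 16 09:02:40 host sshd[4107]: Failed password for root from 198.51.100.77 port 44021 ssh2
Apr 16 09:03:55 host sshd[4112]: Failed password for root from 192.0.2.19 port 39001 ssh2
Apr 16 09:04:01 host sshd[4115]: Accepted publickey for jeremy from 192.0.2.200 port 50100 ssh2
Apr 16 09:05:09 host sshd[4120]: Failed password for root from 203.0.113.88 port 41777 ssh2
Apr 16 09:06:30 host sshd[4124]: Failed password for root from 198.51.100.9 port 60210 ssh2
Apr 16 09:07:44 host sshd[4130]: Failed password for root from 203.0.113.5 port 51300 ssh2
EOF

# Print "<failed root attempts> <distinct source IPs> <max attempts from one IP>".
failed_root_summary() {
    awk 'BEGIN { n = 0; d = 0; max = 0 }
         /sshd\[[0-9]+\]: Failed password for root from / {
             for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
             if (!(src in count)) d++
             n++; count[src]++
             if (count[src] > max) max = count[src]
         }
         END { printf "%d %d %d\n", n, d, max }' "$1"
}

# Succeed when the attack is distributed: at least $2 distinct sources
# (default 4) and no single source above $3 attempts (default 3). In that
# case per-IP blocking (pf max-src-conn-rate, log-driven blacklists) will
# not dent it; turning off password auth and root login will.
is_distributed() {
    set -- $(failed_root_summary "$1") "${2:-4}" "${3:-3}"
    [ "$2" -ge "$4" ] && [ "$3" -le "$5" ]
}

if is_distributed "$SAMPLE_LOG"; then
    echo "distributed low-rate root brute force (attempts/sources/max): $(failed_root_summary "$SAMPLE_LOG")"
fi
```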