From: Timothy Smith
Date: Mon, 03 Oct 2005 14:00:01 +1000
Cc: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-ID: <4340ACC1.1000306@open-networks.net>
In-Reply-To: <6.2.3.4.2.20051002171946.08f98c08@localhost>

Brett Glass wrote:

>At 05:05 PM 10/2/2005, Kevin Day wrote:
>
>>This is pretty common, I'm afraid. SSH scanning with brute force
>>password guessing has gone through the roof in the last 9-12 months,
>>but it's been going on for years.
>>
>>We announce a /19 worth of space, and see several hundred ssh
>>connects per second across it. The amount of junk port 22 traffic has
>>exceeded the amount of junk port 25 traffic for us now.
>
>For us, it just did this weekend. Major swarm of bots, mostly from
>the UK and eastern Europe. I can't imagine we're alone.
>
>The sudden increase -- and the tactic of harvesting e-mail addresses and
>trying to match them to accounts -- were the reasons I decided to post.
>People are going to want to make their security a bit tighter.
>
>Spam, worms, bots.... This Internet thang is sure becoming a cesspool.
>
>--Brett

just a reflection of society i think. personally i don't need ssh anymore so i have turned it off. if i was to enable it again i'd use a strong passphrase and a public key + rate limit login attempts and ban ip's that exceed an acceptable number of retries.

i wonder if there isn't an opportunity to create some kind of honey pot project given the growing frequencies of these ssh based attacks. allow logins then dragggggg out the connection as long as you can.

i still have a copy of everything they used to attack my system (it was left in /tmp and they were trying to get my system to scan as well)
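
The "ban IPs that exceed an acceptable number of retries" idea from the message above, sketched as a check over sshd log lines. This is an added example, not part of the original post: the log lines, addresses, threshold, window and the `find_offenders` name are constructed for illustration, and the year is passed in because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failed-password line. Older releases log "illegal user", newer ones
# "invalid user". The pattern is anchored at the end of the line so the source
# address comes from the trailing fields sshd writes, never from the
# client-supplied user name in the middle of the line.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(.*) "
    r"from (\S+) port \d+(?: ssh\d*)?\s*$"
)

def find_offenders(lines, max_failures=3, window=timedelta(seconds=60), year=2005):
    """Return {ip: time of the failure that pushed it past max_failures in window}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        stamp, _user, ip = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) > max_failures and ip not in offenders:
            offenders[ip] = when  # candidate for a firewall block rule
    return offenders

# Constructed sample input (documentation address ranges, made-up user names).
SAMPLE_LOG = [
    "Oct  2 17:05:01 host sshd[4101]: Failed password for illegal user admin from 203.0.113.7 port 40112 ssh2",
    "Oct  2 17:05:03 host sshd[4103]: Failed password for illegal user test from 203.0.113.7 port 40115 ssh2",
    "Oct  2 17:05:04 host sshd[4105]: Failed password for root from 203.0.113.7 port 40119 ssh2",
    "Oct  2 17:05:06 host sshd[4107]: Failed password for invalid user guest from 203.0.113.7 port 40123 ssh2",
    "Oct  2 17:05:10 host sshd[4120]: Accepted publickey for alice from 198.51.100.20 port 51000 ssh2",
    "Oct  2 17:06:30 host sshd[4130]: Failed password for alice from 198.51.100.20 port 51010 ssh2",
    "Oct  2 17:20:00 host sshd[4190]: Failed password for alice from 198.51.100.20 port 51044 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} exceeded the retry limit at {when}")
```

The sliding window keeps an occasional mistyped password from a legitimate user (198.51.100.20 in the sample) from accumulating into a ban, while a burst of guesses from one address is flagged on the attempt that exceeds the limit.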