Repeated attacks via SSH

Timothy Smith timothy at open-networks.net
Sun Oct 2 21:00:07 PDT 2005


Brett Glass wrote:

>At 05:05 PM 10/2/2005, Kevin Day wrote:
>
>>This is pretty common, I'm afraid. SSH scanning with brute force  
>>password guessing has gone through the roof in the last 9-12 months,  
>>but it's been going on for years.
>>
>>We announce a /19 worth of space, and see several hundred ssh  
>>connects per second across it. The amount of junk port 22 traffic has  
>>exceeded the amount of junk port 25 traffic for us now.
>
>For us, it just did this weekend. Major swarm of bots, mostly from
>the UK and eastern Europe. I can't imagine we're alone.
>
>The sudden increase -- and the tactic of harvesting e-mail addresses and 
>trying to match them to accounts -- were the reasons I decided to post.
>People are going to want to make their security a bit tighter.
>
>Spam, worms, bots.... This Internet thang is sure becoming a cesspool.
>
>--Brett
>
just a reflection of society i think.

personally i don't need ssh anymore so i have turned it off. if i was to 
enable it again i'd use a strong passphrase and a public key + rate 
limit login attempts and ban IPs that exceed an acceptable number of 
retries.

i wonder if there isn't an opportunity to create some kind of honey pot 
project given the growing frequencies of these ssh based attacks.

allow logins then dragggggg out the connection as long as you can. i 
still have a copy of everything they used to attack my system (it was 
left in /tmp and they were trying to get my system to scan as well)
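
The "ban IPs that exceed an acceptable number of retries" idea from the message above, as an added example that is not part of the original post: a sliding-window counter over sshd "Failed password" syslog lines that returns the addresses to hand to a firewall. The log lines, host name, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines (documentation addresses, not from the post).
SAMPLE_LOG = """\
Oct  2 20:58:01 gw sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Oct  2 20:58:04 gw sshd[412]: Failed password for root from 192.0.2.10 port 40113 ssh2
Oct  2 20:58:05 gw sshd[413]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct  2 20:58:09 gw sshd[414]: Failed password for invalid user a from 203.0.113.5 port 1 from 192.0.2.10 port 40114 ssh2
Oct  2 20:58:12 gw sshd[415]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Oct  2 20:58:15 gw sshd[416]: Failed password for invalid user test from 192.0.2.10 port 40115 ssh2
Oct  2 21:10:00 gw sshd[420]: Failed password for root from 198.51.100.7 port 51002 ssh2
"""

# The user name is chosen by the client and may contain " from <addr>".
# The greedy ".*" plus the end anchor make sure only the address that sshd
# itself appended at the end of the line is counted (see the sshd[414] line).
FAILED = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for .* from (\S+) port \d+ ssh2$")


def ban_candidates(log_text, max_retries=3, window=timedelta(minutes=1), year=2005):
    """Return {ip: time of the failure that exceeded max_retries within window}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines
        stamp, ip = m.groups()
        if ip in banned:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {' '.join(stamp.split())}",
                                 "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) > max_retries:
            banned[ip] = when
    return banned


if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
```

The client whose failures are spread further apart than the window, and the address that only appears inside a submitted user name, are not returned.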


