Slashdot Mirror


Rundown on SSH Brute Force Attacks

An anonymous reader writes "Whitedust has a very interesting article on the recent SSH brute force attacks. The article goes into depth on how to monitor these attacks and to report them to the authorities. It also discusses various tools that are available. According to the article, mostly compromised Linux systems from outside of North America are responsible for the attacks. Even the author's DSL connection was getting break-in attempts."

3 of 360 comments

  1. Re:Highly annoying by cdrguru · Score: 4, Interesting

    We use a script called sshd_sentry. It is set up so that after five failed attempts the IP address is blocked for 24 hours.

    This has essentially ended the problem for us. It allows SSH to be wide open so out-of-the-office employees can log in from a hotel or Treo in case something bad happens and it absolutely blocks dictionary attacks.

    No longer a problem.
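The sentry policy cdrguru describes (five failed logins from one address, then a 24-hour block) sketched out as an added Python example; this is not the sshd_sentry script itself, and the host name, addresses and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Policy from the comment above: five failures from one address, block it for 24 hours.
MAX_FAILURES = 5
BLOCK_FOR = timedelta(hours=24)

# OpenSSH authentication failure as written to the syslog auth log (timestamp has no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def find_blocks(lines, year=2005):
    """Return {ip: (blocked_at, expires_at)} for every source that reached MAX_FAILURES.

    Failures are counted per source IP rather than per user, so a dictionary attack that
    cycles through many usernames is caught; successful logins are ignored entirely."""
    failures = defaultdict(int)
    blocks = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m["ip"] in blocks:   # not a failure, or this address is already blocked
            continue
        failures[m["ip"]] += 1
        if failures[m["ip"]] >= MAX_FAILURES:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            blocks[m["ip"]] = (when, when + BLOCK_FOR)
    return blocks

def block_command(ip):
    """The firewall rule a sentry would install for a blocked address (returned, not executed)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

# Constructed sample: a dictionary attack from 192.0.2.10 and one typo from a legitimate user.
SAMPLE_LOG = [
    "Aug 13 02:15:01 gw sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2",
    "Aug 13 02:15:02 gw sshd[4023]: Failed password for invalid user test from 192.0.2.10 port 40113 ssh2",
    "Aug 13 02:15:03 gw sshd[4025]: Failed password for root from 192.0.2.10 port 40114 ssh2",
    "Aug 13 02:15:04 gw sshd[4027]: Failed password for invalid user oracle from 192.0.2.10 port 40115 ssh2",
    "Aug 13 02:15:05 gw sshd[4029]: Failed password for invalid user guest from 192.0.2.10 port 40116 ssh2",
    "Aug 13 02:15:06 gw sshd[4031]: Failed password for root from 192.0.2.10 port 40117 ssh2",
    "Aug 13 08:02:11 gw sshd[5110]: Failed password for alice from 198.51.100.7 port 51000 ssh2",
    "Aug 13 08:02:31 gw sshd[5110]: Accepted password for alice from 198.51.100.7 port 51000 ssh2",
]

if __name__ == "__main__":
    for ip, (start, until) in find_blocks(SAMPLE_LOG).items():
        print(f"{ip}: blocked {start:%b %d %H:%M:%S} until {until:%b %d %H:%M:%S}  ->  {block_command(ip)}")
```

A real sentry would also need to remove the rule once `expires_at` passes and to whitelist the office address range so a mistyped password from a known host never locks staff out.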

  2. Re:As always... by SlightOverdose · Score: 4, Interesting

    One of my clients had apache running as root, and an attacker was able to create a new account on the system via a hole in a php script.

    The attacker then tried about 50 times to login to the new account via ssh, but wasn't in AllowUsers. Eventually the idiot gave up, most likely a script kiddie who didn't realise the potential of his initial attack.

    Moral of the story? AllowUsers is a really good idea :-P

  3. They actually got in on my parent's computer by yorgasor · Score: 4, Interesting

    I made an account for my dad on my mom's computer so he could have a samba share over the network, and gave it a really easy password, completely forgetting that it was also accessible via ssh. Fortunately, I added their computer to my personal DNS domain so I could remember how to get to it easier. Shortly after it was compromised, I got an email informing me that phish spams were being sent from the computer.

    I analyzed the system, and quickly determined that the person was not a big time hacker. Looking at his .bash_history file, his only attempt to gain root access was to run 'sudo'. He copied over a list of people to spam, a mail script, and an email. He fired off a test email first, and then spammed the email list. A couple days later, he copied over a different list and message and sent those off. After that, I was tipped off and sealed off his entry.

    Since he made no effort to cover his tracks or avoid detection, either this script-kiddie didn't know how to, or had so many computers to manage it wasn't worth his while to do so.
