Slashdot Mirror
The Slow Bruteforce Botnet(s) May Be Learning
badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.
The obvious solution is to use public/private key authentication and disallow password logins.
This is much safer anyways, since your private key and your passphrase stays on your local machine always, so even if the server is compromised and the SSHd is bugged, no one will have immediate access to your login token.
I swear, some of the most adaptive, sophisticated, and advanced techniques seem to be coming out of the Botnets.
It's my (admittedly probably crazy) idea that we WILL begin to see "emergent intelligence properties" out of some sophisticated system at some point in time, whether it be Google, an AGI lab, or a botnet. I shudder at the prospect of our first AI of power will have grown from one of these botnets.
NOTE: I'm not saying this will happen tomorrow, but extrapolating the current state of botnets relative to the current state of other systems leads me to believe, on a relative basis, systems may be complex relative to one another as they are today. If that is the case, well... that would be bad.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
Okay, Mr. Taco, almost every single time a long post has Read the rest of this comment... at the bottom, there is no more content to be displayed. The comment is already displayed in its entirety. Is this a bug, or just insane coincidence that ALL of these posts have one extra newline that puts the length over the threshold?
The conclusions are a bit too speculative, nonetheless the research is interesting. I am not sure if a few hundred hosts are enough to conclude that the "bad guys" are coordinating and sharing attack output. And as far as avoiding OpenBSD, come on..."OpenBSD is a bitch." Why is this a surprise?? :)
In principle, OpenBSD is no more or less vulnerable to weak username/password pairs than is any other OS. I suspect that, on average, OpenBSD machines are more likely to be set up for keypair auth; but any that aren't are in the same boat as everybody else(since, after all, username/password guesses aren't OS weaknesses, OSes are supposed to respond to correct username/password pairs.)
There is still reason to avoid them, though. Because OpenBSD is something of a niche system, you can make plausible inferences about the systems running it. Specifically, they most likely have admins who are interested in security and are watching activity fairly closely, and are more likely than average to do something about it. If you are doing something illegal, why attract such attention?
Bots were knocking on my door to the point I was worry about performance degradation. I know there are many ways to defeat these but here was my solution.
In hosts.deny /var/www/html/allow.txt
-----------------
sshd:ALL EXCEPT
-----------------
Create a simple cgi-script (password protected and accessed via secret random url) that writes your browser IP address to the allow.txt file and all those nasty botnets and go to hell.
These people are a tremendous illness upon the world. If it were legal, I would contribute to a bounty on the lives of the people responsible for this stuff. These people make me beyond sick. I have said it many times and sometimes I actually mean it -- if I knew of someone involved in this sort of business close by, I would appear on the news shortly thereafter. And I am pretty sure I am not alone in this sentiment.
At the risk of being unpopular ..... Just turn off the Internet already!
How would the botnet know they are attacking an OpenBSD box (vs Linux or something else)?
Is there some sort of server signature involved (that I'm not aware of)
My (Linux) ssh server at home just responds with a password prompt. I don't see any easy way to determine the underlying system from that.
BTW. On my server at home I use Hashlimits to limit each IP to 1 attempt per minute (maximum). This has taken the attacks down from hundreds / thousands per day ( The most attacks I ever got was ~7,000 from one IP) to about 3 to 6. This is typically, 1 attempt each, they then get blocked, and then they go away.
Ever stop to think
Don't forget about the economies surrounding botnets. There are two sides, those that profit from the botnets (the operators), and those that profit fighting the botnets (the fighters). Additionally, there are those that profit from providing botnet remedial "solutions" whilst not being in either of the primary (operator or fighter) categories. If botnets ceased to exist, there would be a *lot* more lost on the fighter and solution side than on the operator side. So... like SPAM, this raises the question of just who actually benefits the most from botnet existing.
Is there something 'better' about BSDs' ipchains then I can do with Linux and iptables?
Should I switch my firewall? (I've been itching to test BSD cause it's so darned geeky and I am getting annoyed with all these Ubuntu "somebody help me!!" converts plugging the IRC tubes.)
A locked-down firewall is locked-down isn't it?
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
Posting as AC because the people running botnets can be nasty...I had most of their hosts banned two weeks ago and it got more interesting.
To the people who say: "Use fail2ban" --it won't work unless you jail the host on the first failed login forever. They'll be back once every six hours on my system.
After I had a week worth of logs, I added them to hosts.deny--and now things are getting interesting. I'm working on compiling the pattern now--but it looks like there's "micro wordlists" being thrown at it until they get picked up in fail2ban...two or three a day from new hosts.
The botnets are probably programmed with attacks specific to an OS. You don't attack Linux the same way you attack Windows. OpenBSD is niche enough that they don't bother with it. I'll bet they leave IRIX and AS/400 systems alone too. The author only noticed because he has an OpenBSD system.
Another potential reason is that OpenBSD is typically used for stuff like firewalls, they are probably more interested in attacking sites that might be running e-commerce sites and the ones not running Windows are most likely Linux or Solaris. They want to steal credit card numbers, not firewall statistics :)
Im not sure, but I think it's a left-over, Slashdot used to have a setting for how much/long a message would be before it did that, but they seem to have removed that option, so it was probably just left behind in the configuration somewhere, If Msg.Length > 512 Then ShowReadRest = True
except in PHP or whatever.
And with all the whiz-bang ajax shit that's cluttering this place up, you'd think they could use it to retrieve the rest of the post inline.
They do... it's just that there's nothing else to retrieve but whitespace.
skynet is gaining power
I've looked at the TFA and the hard data and it seems like admins are the ones making the IT mistakes. With so many attempts for root and none of the other users personally identifiable, I can personally just set up a Bot to run tracert routines on failed attempts and report them for trying to access Root or Admin.
When it comes to multi-user sites however public key auth is standard, but your user ID and password have to match. What I don't understand is why everyone immediately resorts to AI development.
Clearly musing, he is. AI means "Self-adapting code". Self-adaption is too slow in real time and is only controlled by small control variables in games. Botnets have a heard. IT's the ADMIN's fault for being hearded, but they can have a techie d/c the power cord to save the rest of the world. Theres no real threat to secure folks because physical disconnection is trivial over a router (I just disable my IP assignment and I'm disconnected until I get another techie to do it physically) but more of a threat to people who can't control it. People controlled by the law, such as big-time Admins.
Sure, sure, the server won't crash when you're watching it, sure. But how boring will that be?
Here's the real issue: Remote Access
There has to be a way for the slow bots to get into root or admin or a remote access. I usually disable root or admin from working outside the internal loopback - 127.0.0.1 - standard Class A IP Address. I could technically configure a Bot to run Tracert (traceROOT) routines on all of those people (yes, windows user here) and have them reported to the federal government. It can't mess up my personal account, nor can it mess up DNS servers with sheer volume. It's small-scale.
so, the solution is proper remote access protocols. I remember NEVER activating remote access but at the same time using public-key authorized third party demo services to make minor changes remotely, including shutting the system down. I used logmein.com, free demo version, pathetically, but it's actually more secure as long as I have no idea how why I should do it myself. Once I used the shutdown signal it could not boot itself up unless someone would physically press the button. I have to call a physical person in the house to do that myself, so unless demons from hell can use an on/offswitch and my BIOS password without my permission, it ain't starting on it's own nor does it listen for a restart signal until I sign into windows for the first time (Windows XP here). My system has never been breached before, but it constantly deadlocks to save itself from burning the CPU out. It has a thermosensor and cutoff only in the power supply unit, however. Stupid laptops weren't designed for gaming even though thats how its advertised. How do I pull an all nighter at this rate? I'll just remove the sensor in my power supply and WHAM there goes my processor for not having heat sensors. Stupid dell power supply. Rocket fish will at least deadlock my system without damaging my hard disk.
If OpenBSD itself can detect operating systems with varying levels of success (see pf.os finger printing - http://www.openbsd.org/cgi-bin/man.cgi?query=pf.os&sektion=5&manpath=OpenBSD+4.4) it stands to reason other programs can use this same idea.
Is our slow bruteforce botnets learning?
Sheer Volume Versus Adaptability
Sheer volume could target DNS servers themselves, this would only af
Please do not mention self-learning. That's merely musing. There's no self-intelligence here, it's timed with Christmas too catch IT departments offguard with unionized labor. It's just that humans control the fast botnets and make them slow by putting in delay timers. No one in the real IT world will be affected and no personal accounts will get stolen. I can crash MSN clients with some fast typing because MS is unstable, but the Windows XP is at it's prime.
Here. I admit. I'm part of the so-called "whitehat guys" who profit from stoping the botnets. But since I have no ethics or morals, I dont really stop them, I just give them kickbacks to make it look like I'm stopping them.
Now excuse me while I go get a back massage on from the hot ladies serving me martinis on the beach in Tahiti. Me and my fellow whitehats are making millions off you poor fools. If you only knew!
(adjust your tinfoil good sir, you are blocking the wrong signals)
I use OpenBSD for all my firewall and have it block all access to all ports and all IPs once a fail ssh login attempt is made one time - so I leave all my systems on port 22.
Suck on that botnet bitches.
Of course, we can change our ports, upgrade our packages and more...on our systems. But we have accounts on other systems and while we trust those systems to lose our data only rarely or be down from time to time, we have to assume that our password will be stolen and harvested along with our username from one or more of those in the future. Just imagine friendster when it's down to one underpaid intern of a sysadmin.
So the moral of the story is, have a different password for each system and keep track of them whatever way you want(meatspace isn't bad but encrypted is better). Yeah, it's a hassle but it's actually not too bad since browsers can remember passwords and if a box or laptop gets stolen or hacked, you just spend a couple hours revving all your passwords.
I do computer and network security for a university.
This distributed SSH password guessing is not a new tactic. We have seen and tracked this tactic off and on for over a year.
If this tactic was a game changer, we would have seen it ramp up before now. It would occur all the time. But it doesn't. It only seems to occur during holidays.
At it's heart, this tactic is not any more effective than non-distributed password guessing. Either way, the attacker has to enumerate the same number of guesses before finding a hit. If a machine is vulnerable, it will be successfully attacked by either approach to password guessing. If it is not vulnerable, neither approach will work.
Modern hacking is a economic activity. It must balance risk and reward. This attack doesn't offer any more reward than conventional password guessing. It's main feature is to try to change the risk side of the equation.
Conventional SSH password guessing is noisy. One machine will portscan for TCP/22. Then it rapidly guesses passwords against everything that responds. That one machine is usually lost to the attacker. Automated defense systems block it. Also, defenders report it to the owning ISP. The only way this works for the attacker is if he can harvest more that he loses.
The distributed guessing attack is also noisy, but in a different way. Currently, we see the attacker start by sacrificing 1 computer to do a TCP/22 portscan. At this point, he has already risked as much as a conventional password guessing attack. Then he feeds the results to a bunch of bots. Each bot then takes turns guessing passwords. Each bot guesses 1 password at a time. However, each bot guesses against multiple SSH servers at the same time.
This attack is inherently more risky that conventional password guessing. The attacker exposes many of his computers. If we can detect and respond, this attack is not as cost effective as conventional password guessing.
It is easy for my university to detect and respond to these attacks. We detect it in three different ways.
1) Each attacker has a distinctive network behavior pattern. We can automate detection by looking at aggregate Cisco netflow data.
2) It is trivial to pick off this attack using a SSH honeypot.
3) We use a network visualization tool to watch aggregate SSH activity. This password guessing is obvious on our visualization tool.
Once we have detected the attackers, we respond to them in the normal way. We block them. We inform our peer institutions and the authorities. We inform the owning ISP.
The main difference in this situation is that detection and response is easy if you have access to aggregate traffic or multiple SSH servers. It is difficult if you only manage 1 SSH server.
I don't expect this form of attack to last much longer. I am sure that everybody else is adapting. Once the defenders adapt, this tactic is too expensive to be used.
Miles
(this is my first post here, BTW--been lurking for years.)
Welcome to Slashdot.
Here's your first project: Build a fembot, preferably one that looks like Kristanna Loken or Summer Glau.
Alternatively, you can instead teach us how to get and keep girlfriends.
It's nothing special. Just get someone's password, then dump it into the list. These seemingly random login attempts likely come from logins that were found in other attacks. Get a winner, keep it. Then add it to a list of thousands more and you'll have a high chance of hitting the logins of those people who use the same name:pass over all their accounts. ...and that's why you don't make your bank password the same as your slashdot password.
ssh has alternatives to passwords. Use them. If you can't disable password-based authentication, set your password to a random 128 character string ( head /dev/urandom | sha512sum, for example- though while you can definitely type this easily, some "password checkers" say that this is not secure and reject it ). You don't need to write this password down, as long as you've set up your key.
-- 'The' Lord and Master Bitman On High, Master Of All
On my OpenBSD webserver I noticed a recent spike in hacking attempts. After checking with my clients with regards to where their web traffic and sales come from I discovered that virtually none needed to have their webpages displayed offshore.
I then blocked the entire Asia Pacific Network. I am talking about the entire CIDR range from the offending ISP. I also blocked select addresses in Russia, Turkey, Germany, Poland, Brazil, etc. Every few days I check the logs and add a few more blocks if need be.
While I freely admit this move is quite drastic in nature and not possible for everyone, the illegal activity has dropped off to virtually nil. My Bandwidth utilization is way down as well.
The way I see it, I am more than willing to accept the loss of 1% legitimate traffic for 99% that isn't. If these people can't play nice, why let them play at all? I am naive enough to think that if more and more people adopted this policy, perhaps the offending governments would stand up and take notice. They seem to be able to control whether or not their citizens are able to look at pro-democracy information. If they cared about the illegal activity as well, they could do something about it. Until then, they'll remained blocked and I sleep very well at night.
Would a bayesian filter work on this? The filter would match bad userids against the set of valid ones; bad userids that do not resemble any valid id by more than X% will score a demerit against the host that submitted the bad ID. Enough bad ids will probably identify an attacking bot, which can then be blocked. This is a slow defense, but the attack itself is slow and will probably statistically require far more attempts than a bayesian filter requires to identify the attacker.
Since the attacker doesn't know the set of valid userids on the target system, it's hard to see how this could be countered. Spam authors know how normal email looks, but still can't defeat bayesian spam filters.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
In principle, OpenBSD is no more or less vulnerable to weak username/password pairs than is any other OS. I suspect that, on average, OpenBSD machines are more likely to be set up for keypair auth; but any that aren't are in the same boat as everybody else(since, after all, username/password guesses aren't OS weaknesses, OSes are supposed to respond to correct username/password pairs.) There is still reason to avoid them, though. Because OpenBSD is something of a niche system, you can make plausible inferences about the systems running it. Specifically, they most likely have admins who are interested in security and are watching activity fairly closely, and are more likely than average to do something about it. If you are doing something illegal, why attract such attention?
And yet there is still the most obvious reason they avoid OpenBSD systems. Pr0n. Yeah, that's right, I mean c'mon, OpenBSD didn't exactly make a name for itself with it's killer video codec support and HD streaming capability.
What the hell is the point in cracking your OpenBSD file server only to find a shitload of PGP archives...Boooring.
I have long ago changed the way I log in into my servers; my open port (nonstandard) points to sshd that uses keys and lets you login into a xen honeypot; only when two successful logins from predetermined IP addresses succeed at the same time, then a sshd port to the actual virtual server that I am trying to protect is opened (again allows only logins using keys) and it does this with a delay of 15 seconds, keeping the port open for 60 seconds, then closes it.
Was not so hard to implement. Can be easily made much more complicated while retaining end user transparency.
Of course, should someone get my private keys and pass phrases, and the local scripts - it becomes easy to gain access. But these keys are on 3 systems (local and the two mentioned above) and I made sure that the pass phrases for the keys I did not write down anywhere in compliance with all the self imposed security policy requirements.
The problem is that I can not log in anymore, and have lost access to all my special pron! Any idea, what gives?
Haven't seen anyone mention this but... how about patching sshd so that an attacker can't tell the difference between a connection failing because of a bad userid or because of a bad password/key? Let them sit and spin (a tarpit?) trying to break into that "amanda" account they think I have - or blow out their database thinking every host has every possible userid in the book.
I think creating a spammable contact form is kind of a right-of-passage for web developers. Everybodies first will eventually get used for spamming. Hell, I'm just as guilty of putting out a contact form that was susceptible to header injection.
You only make that mistake once though and the lessons you learn from it teach you all kinds of lessons about cleaning up tainted user input.
Maybe "contact form header injection" is kind of like the chicken pox. Most of us get infected when we were "kid developers" and never get it again.
If you have the keywords "email" and "form" and probably "addresses", I bet you got hit with a script. I see those to on my contact forms. I suspect these bots are capable of trolling through google search results and then basically launching automated probes against the targets.
The keys to securing your contact form (or a "email a friend" form) is to sanitize anything that will wind up in the mail headers. The easiest way to hack your form is to simply add a CRLF to any bits the spammer thinks goes into the header. If the mail library you use is stupid (2004 versions of PHP, I'm looking at you), it will gladly allow it and let the spammer add headers of their own (like a list of CC:'d addresses).
Sanitizing for those are a bit easy -- dont let the user control your subject line and validate email addresses (using a well known API, not your own!). Strip out anything that doesn't belong (CRLF's for example, anything that would separate multiple email addresses, etc). Ideally your library would do this for you, but not all do (cough, 2004 PHP)
The hard bit is to keep spammers from using your "email a friend" form to send out brute-force spam. You can't ban IP's after all, they use their botnet. Thankfully, I've never really seen this happen. I think it is because doing this is just too slow and thanks to botnets, they can get random, legit IP's much easier.
The thing is, your method of "block the IP address" only works because the botnet is allocating maybe a hundred of their computers to the cause. I've seen this too even with comment spammers - they use only a handful of their IP space.
If these people wanted to, a spammer could just use their entire botnet and round-robin using each IP address once. On a 100k botnet, it would be pointless to even try to block the IP's. For starters you couldn't safely discern which are attacks and which are valid.
The problem really is there are a lot of obsolte ideas floating around till. Namely that blocking IP's are an effective tool to combat any kind of network abuse. Or that IP's even have any meaning at all--IP addresses are random and an attacker can and does hop from hundreds or thousands of them during their "work". You simply cannot stop attackers by just banning IP addresses or you'll wind up banning half the internet.
It is best for all of us to start treating IP addresses as opaque, meaningless things and find better ways to deal with abuse. The IP address as a security tool has gone the way of the dodo.
I could be talking out of my ass too though. I'm not all that familiar with the guts of the modern botnet and maybe I'm discounting the cost incurred when a botnet owner "reveals" what they own. I am assuming they could care less if grandma's machine gets exposed as part of the bot. After all, in the end isn't it grandma's box knocking on your SSH door?
Just wait until the botnet guys hack up the miniscule $185,000 USD required to purchase .corn and you fall for it too. Or you wont (like most of us) but at the cost of spending more time during your day manually parsing URL's to watch for paypal.com instead of paypal.c0m or paypal.corn. Good times. Good times.
The Buy-your-own-TLD crowd is probably funded by the botnet lobby (who is funded by the modern day mob)
Watching comment spammers in a tail -f'd access_log is a sight to behold.
They always fuck up though. Sure they might feed you a cookie you gave one of their brother computers, but the User-Agents are almost never 100% the same. Plus a lot of them do a bad job of screen-scraping and will usually POST to a slightly mis-formed URL. Of course, they'll also POST instead of GET (like the form says) or GET instead of POST. Watch for that.
Since you can't bind to the IP address (proxy and AOL), I you can weed some of these assholes out by binding the cookie to the User-Agent. You can also slow the assholes down by putting a one-time token on each form... if you see that token twice, they are using a "stale" form. Spammers already figured this out though, but it can help mitigate other attacks like XSS attacks.
Good times. Good times.
But seriously, if any of you have a forum, I highly recommend you sit down and "tail -f" your access log and watch these assholes. It is a sight to see.
I wasn't talking about the product to use to do it, but a detection approach that isn't present in any product I know of.
I described how to detect a specific kind of behavior that would be unique to the attack and the attacker, and to which attackers can not mount a meaningful countermeasure. Implementing the filter requires statistical analysis of not just incoming data, but also resident data (the userid list).
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
Use IPTables to redirect port 22 to www.fbi.gov
Hello friend,
You seem to be disadvantaged at the moment in not having a lifetime partner. Please click here to find hot singles in your area:
http://tinyurl.com/6y7jgl
John was a good boy, but decided to deliver papers every day. His water bottle covered the monster in goat cheese, dripping feta all over the refrigerator. Entranced by the spoon, susan covered the salad with some plastic wrap, then turned over the next page of the book.
[this botnet parody message was brought to you by the letter 'Y']
Ask me about repetitive DNA
Problem is, if you block IPs for attempting bad usernames and one of the botnet zombies gets a chance to connect a second or third time, then the botnet will start targeting that username (since it "knows" it's valid). A better approach would be to _randomly_ block IPs that attempt bad usernames, but after enough sampling, the botnet could determine which username attempts never get blocked immediately and would focus on those. Best approach of all would be to give out no information regarding validity of usernames, and just ban on failed attempts regardless of UID, sharing the ban list with other servers to help mitigate the distributed IPs. If a legit user is trying to ssh in, and gets banned, they should have your phone number / email address.
I saw this stuff ramp up on my systems earlier this year, but it dropped off before the Dec 2nd /. article. Now I've just got the standard brute forcers using one IP address for several hundred attempts (presumambly hundreds; they never get too far). My guess at the time was that they had compromised all the machines they needed or had gotten too many of their zombies targeted by others and where waiting until the zombies got a new DHCP lease.
It scared me at first because I thought: wow, fail2ban and denyhosts can't handle this (denyhosts.net syncing isn't open source), but then I looked at it from a sniper analogy (sorry, been playing too many army games lately):
We can't tell where the enemy is, and every once in a while, they let loose with a machine gun blast, so we'd just snipe that one guy (throw up a firewall, maybe report to authorities) and wait again. Now, they're shooting one machine gun round every hour, but they have enough people that it's like one gunner who moves around a lot. So, now our snipers can mow the lot of them down (assuming there are enough sysadmins that can be bothered to report zombies to ISPs). Soon they'll discover that the old method yielded a better ratio of success/casualties.
The proper links contain I think I may need to get the A5 Nerve Checked, the limbic system seems to be in a perpetual stroke but the medication is still present. I can't use love/lust/sex to calm down though since I can't maintain a relationship. House, MD is classic http://en.wikipedia.org/wiki/Hans_Asperger Aspergeric, but there's no differentiation in the APA's bible. I am my own fucking doctor, thankyou unless denied perjury.
Here. I admit. I'm part of the so-called "whitehat guys" who profit from stoping the botnets. But since I have no ethics or morals, I dont really stop them, I just give them kickbacks to make it look like I'm stopping them.
...
Don't try to squirm out of your responsibility by casting aspersions or weaseling. If any part of your so-called clean up involves letting clients continue to run MS Windows, the you *are* effectively helping to spread the botnets you claim to be cleaning up.
Responsible employers don't let staff install MS crap on a server or anything else plugged into the LAN or Wifi.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Something that always evolves
Now, how the hell do you punctuate that?
How many more years will slashdot have an off-by-one error on your Score in your profile?
Behavioral and statistical analysis has been coupled with Intrusion Detection Systems (IDS) do exist. They are known as Anomaly-Based IDS. What I described is a Signature-Based IDS, which is much more common than the Anomaly-Based type. I suspect the reason for the prevalence of Signature-Based is they are easier to design, and require much fewer resources.
In my personal experience, Signature-Based Prevention systems are quite effective against this type of attack. Which is why I pointed it out in the first place. If you have a failed SSH login signature, which hits a certain threshold, that is certainly suspicious behavior. I think it is a moot point to even check whether the userid is in the passwd file. Because, from my point of view, there is no difference between an attacker failing a login from an invalid userid or a login as root, backup, or user666 for that matter. Any way you look at the situation, it is still an attack, and one that can be dropped.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
I've tested some portknocking tools and if you want a somewhat secure server i'd say that portknocking is the way to go.
If you don't want portknocking there are several program such as denyhosts that looks thru your logs and add hosts that fail to login X number of times to the /etc/hosts.deny.
Neat thing with denyhosts is that you can tweak it as you see fit. And that there is a global list of IP's that are known for being bruteforcing hosts.
If you want a totaly secure server, you pull the ethernet cable. ;)
Otherwise, Read The Fine Manual and learn some
It might be worth blocking ALL of eastern europe/russia/china/asia for ALL ports, but port 80 if you run a webserver.
I doubt you have friends there or that you will go there your self.
Are there any easy to use IP generators/lists based on geo that can output it for any purpose?
Liberty freedom are no1, not dicks in suits.
The filter I propose isn't based on "submitted userid == any valid userid" but "submitted userid (is X% similar to) any valid userid". X would be a tunable value. In spam email filters, this usually works out to "if incoming email (is less than 20% similar to) previously accepted emails" or some such. It turns out that spam emails, even if containing dictionary words, still don't resemble human communications when bayesian statistics are applied to it.
Since the attacker doesn't know what userids are valid, the chance of any guessed userid being more than a few percentage points similar to a valid userid is vanishingly small.
Try it - pick a thousand "valid userids" out of the dictionary. Now pick a thousand more, omitting variations like "library - librarian". How many attempts will have more than a few characters in (almost) the same position and (almost) the same order as the "valid userids"?
The reason to use the userid list is because it is invisible to the attacker. The only result the attacker sees is suddenly one of the bots is blocked from the target host. No reason why, and no indication which of the last 20 or 100 or so userid attempts were "way off" and thus contributed to the decision to block.
A valid login attempt with a typo in the userid will be right in all but 1 or 2 characters nearly all the time. The bruteforce attacker will be wrong by more than 1 or 2 characters nearly all the time. Statistically, that's significant.
Since the block doesn't happen because of a single match or failure to match the list, the attacker learns nothing. The attacker doesn't even know the bayesian testing is occurring, thus the attacker would have no knowledge of which its attempted userids was valid or close to valid. It doesn't matter even if the attacker knows this filter is in place. Blocking the entire botnet will be a function:
Block = (v/b)*p
Where v == count of valid userids
b == count of hosts in the botnet,
p == average number of attempts required to guess a password.
B == point at which entire botnet is blocked.
With strong 8 character userids and passwords, the botnet would require billions of hosts in order to breech the system before being blocked.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
Worlds #1 assassin, working for the worst guys, ie govts, suddenly has his personal on the side self defense course website/server hacked.
He gets mad, finds some funny geeks (pick some actors, seth green). Then he goes out on a wild journey, finding the spam guys in far out counties, taking them out ala Bourne style.
Mix geeks and have the assassin be angelina or someone hot with a gun.
Liberty freedom are no1, not dicks in suits.
distributed defense.
Denyhosts. ( http://www.denyhosts.net/ ).
It works.