Slashdot Mirror


The Low-Intensity, Brute-Force Zombies Are Back

Peter N. M. Hansteen writes "In real life, zombies feed off both weak minds and the weak passwords they choose. When the distributed brute-force attempts stopped abruptly after a couple of months of futile pounding on ssh servers, most of us thought they had seen sense and given up. Now, it seems that they have not; they are back. 'This can only mean that there were enough successful attempts at guessing people's weak passwords in the last round that our unknown perpetrators found it worthwhile to start another round. For all I know they may have been at it all along, probing other parts of the Internet ...' The article has some analysis and links to fresh log data."

3 of 203 comments

  1. fail2ban and firewall won't help with this attack by baileydau · Score: 1, Redundant

    Likewise - I use fail2ban with iptables to drop any packets from someone who fails auth about 5 times in a few minutes. I've toyed with the idea of adding them to a global blacklist for all servers in all locations, but in reality this solution works just fine.

    If you RTFA, they tell you that these attacks are coming from different machines, presumably so they don't trip such things as fail2ban et al.

    Looking at the logs he supplied, this is a _very_ slow attack; the attempts are many seconds, or even minutes, apart. You would have to have a very guessable username / password combination for it to work.

    I would comment though that I'm not seeing anything like this attack in my logs. I personally use IPTables rules (using hashlimits) to limit 1 connection / IP per minute to my ssh ports. Typically, I see about 3-6 attempts per day (each only gets 1 or 2 tries before they get blocked). Doing an optical integration of my recent logs shows less than a dozen per day and they are not concentrating on any particular username (with the exception of root).

    Prior to using hashlimits, I used to get hundreds or even thousands of attempts per day. My record was over 6,000 attempts from a single host. One guy at work has reported over 30,000 attempts in a single day.

    I personally don't like the concept of fail2ban as it is permanently adding an IP address to your banned list. As most of these IPs are dynamic, keeping them in your banned list isn't really serving any useful purpose. I personally prefer a system that temporarily bans an IP.

    --
    Ever stop to think ... and forget to start again?
  2. Re:fail2ban and firewall won't help with this atta by SnowZero · Score: 0, Redundant

    Fail2ban is actually configurable and temporary. Personally I've set it up to ban for an hour after 3 failed attempts. In the past this stopped most bots, who would go elsewhere if they were even temporarily banned. It looks like this new one is slow enough (<1 attempt/hr) that my current settings don't detect it. Of course, guessing username+password that way it'll take forever to get in, but it is kind of irksome.

  3. Re:fail2ban and firewall won't help with this atta by Sentry21 · Score: 0, Redundant

    I personally don't like the concept of fail2ban as it is permanently adding an IP address to your banned list. As most of these IPs are dynamic, keeping them in your banned list isn't really serving any useful purpose. I personally prefer a system that temporarily bans an IP.

    fail2ban temporarily bans IPs. It removes them after a configurable time limit.
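The three comments above agree on the detection gap: a per-source-IP counter in the fail2ban style (N failures inside a time window) never fires when each source makes one attempt per hour, but the same low-rate, distributed campaign stands out immediately when the failures are grouped by the username being attacked instead of by source address. The script below is an added illustration of that contrast; it is not code from the article, from fail2ban, or from any commenter. The auth log lines are constructed in OpenSSH/syslog format (RFC 5737 documentation addresses, not real sources), and the thresholds (3 failures in one hour for the per-IP rule, 3 distinct sources in 24 hours for the per-username rule) are assumptions chosen to mirror the settings the commenters mention.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): four different sources try "root"
# roughly an hour apart each, two sources try "admin", and one noisy source
# (192.0.2.200) hammers several accounts within a few seconds.
SAMPLE_AUTH_LOG = """\
Mar  4 01:00:03 bastion sshd[1201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Mar  4 02:07:41 bastion sshd[1244]: Failed password for root from 198.51.100.7 port 51020 ssh2
Mar  4 03:15:09 bastion sshd[1290]: Failed password for invalid user admin from 192.0.2.33 port 47711 ssh2
Mar  4 04:22:55 bastion sshd[1337]: Failed password for root from 203.0.113.77 port 39900 ssh2
Mar  4 05:30:12 bastion sshd[1402]: Failed password for root from 198.51.100.91 port 60211 ssh2
Mar  4 06:41:48 bastion sshd[1455]: Failed password for invalid user admin from 192.0.2.8 port 42209 ssh2
Mar  4 07:00:00 bastion sshd[1500]: Failed password for invalid user test from 192.0.2.200 port 50001 ssh2
Mar  4 07:00:05 bastion sshd[1501]: Failed password for invalid user test from 192.0.2.200 port 50002 ssh2
Mar  4 07:00:09 bastion sshd[1502]: Failed password for invalid user guest from 192.0.2.200 port 50003 ssh2
Mar  4 07:00:14 bastion sshd[1503]: Failed password for root from 192.0.2.200 port 50004 ssh2
Mar  4 07:30:00 bastion sshd[1600]: Accepted publickey for deploy from 10.0.0.4 port 33000 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return a time-sorted list of (timestamp, username, source_ip) for failed logins."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        # Syslog stamps carry no year; strptime fills in 1900, which is fine for
        # the relative time arithmetic done here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    events.sort()
    return events


def fail2ban_style_bans(events, maxretry=3, findtime=timedelta(hours=1)):
    """Per-source-IP sliding window: an IP is 'banned' once it has maxretry
    failures inside findtime. This is the rule the commenters say the slow,
    distributed attempts slip under."""
    recent = defaultdict(list)
    banned = set()
    for ts, _user, ip in events:
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


def distributed_targets(events, min_sources=3, window=timedelta(hours=24)):
    """Per-username view: report accounts that were tried from at least
    min_sources distinct IPs within any window-long span, with the largest
    distinct-source count seen for that account."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, attempts in by_user.items():
        attempts.sort()
        best = 0
        for i, (start, _ip) in enumerate(attempts):
            ips = {ip for t, ip in attempts[i:] if t - start <= window}
            best = max(best, len(ips))
        if best >= min_sources:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("failed logins parsed:", len(ev))
    print("per-IP rule would ban:", sorted(fail2ban_style_bans(ev)))
    print("accounts under distributed low-rate guessing:", distributed_targets(ev))
```

On the constructed data the per-IP rule bans only the noisy source, while the per-username rule flags `root` as being tried from five different addresses in a day; the four hourly sources never accumulate enough failures individually to trip a fail2ban-style counter, which is exactly the evasion baileydau and SnowZero describe. A per-username count is a reporting aid rather than a ban list (you cannot block "root"), which is why the thread's practical advice remains to make the guessed credentials worthless: key-only or otherwise strong authentication rather than ever-tighter IP rate limits.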