Slashdot Mirror


The Low-Intensity, Brute-Force Zombies Are Back

Peter N. M. Hansteen writes "In real life, zombies feed off both weak minds and the weak passwords they choose. When the distributed brute-force attempts stopped abruptly after a couple of months of futile pounding on ssh servers, most of us thought they had seen sense and given up. Now, it seems that they have not; they are back. 'This can only mean that there were enough successful attempts at guessing people's weak passwords in the last round that our unknown perpetrators found it worthwhile to start another round. For all I know they may have been at it all along, probing other parts of the Internet ...' The article has some analysis and links to fresh log data."

7 of 203 comments

  1. why are passwords even allowed? by rcpitt · · Score: 5, Informative
    None of my systems allow passwords via ssh - and I run log-guardian.pl to "3 strikes - you're out" the idiots who do the brute-forces by putting them into iptables

    Anyone with passwords turned on is not secure IMHO

    --
    Been there, done that, paid for the T-shirt
    and didn't get it
  2. Poor Odds by Nerdfest · · Score: 5, Informative

    The odds of them getting into a system like this must be quite low, but I guess they're after the low-hanging fruit. Running your services on a high port rather than the default reduces this, as does disabling password login and using 2-factor authentication. Quite easy to do, and very, very secure.

  3. Oh... by Perseid · · Score: 5, Funny

    ...you mean zombie PROGRAMS. Damn.

    [puts shotgun down]

  4. Protect yourself by Matt+Perry · · Score: 5, Informative

    Use SSH keys in addition to passwords. Disable ssh root logins. Use the AllowUsers command in sshd_config to restrict what accounts can log in with ssh. Edit /etc/hosts.deny and add IP ranges for where you are unlikely to login from. Use iptables rules to block people who are hammering your ssh server from the same address. Use tools like Fail2ban and DenyHosts to block other abusers and share abuser information with other victims.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  5. I'm safe... by hoytak · · Score: 5, Funny

    I've now changed my password from Thomas to ThomasX, where X is a digit that I'm not telling.

    --
    Does having a witty signature really indicate normality?
    1. Re:I'm safe... by spartacus_prime · · Score: 5, Funny

      I tried to make my password "penis," but it said it wasn't long enough. :(

      --
      If you can read this, it means that I bothered to log in.
  6. iptables goodness by grasshoppa · · Score: 5, Informative

    Once again, we have a built-in Linux goody which helps us out:
    -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --set --name sshattack --rsource
    -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --rcheck --seconds 300 --hitcount 3 --name sshattack --rsource -j LOG --log-prefix "SSH Drop: "
    -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m recent --rcheck --seconds 300 --hitcount 3 --name sshattack --rsource -j REJECT --reject-with tcp-reset
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

    The above allows three connections in a 5 minute period to port 22. After that it rejects any further connection attempts until the 5 minute timer is up.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
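Comments 4 and 6 both block a single address after a few failed logins, while the summary's point is that the zombies now spread their guesses thinly across many addresses. The script below is an added example (not from the article or any commenter): it applies a per-address "three strikes" rule to sshd log lines and, alongside it, a per-account check that flags a user name probed from several distinct sources inside one window. The log lines are constructed, and the thresholds and window sizes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not real data): one noisy source and three slow sources.
SAMPLE_LOG = """\
Dec  3 10:00:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 51011 ssh2
Dec  3 10:00:09 host sshd[2002]: Failed password for invalid user admin from 192.0.2.10 port 51012 ssh2
Dec  3 10:00:20 host sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 51013 ssh2
Dec  3 10:05:00 host sshd[2010]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec  3 10:17:00 host sshd[2011]: Failed password for root from 198.51.100.8 port 40002 ssh2
Dec  3 10:29:00 host sshd[2012]: Failed password for root from 198.51.100.9 port 40003 ssh2
Dec  3 10:42:00 host sshd[2014]: Accepted publickey for alice from 203.0.113.5 port 2222 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Return sorted (timestamp, user, source_ip) tuples for failed-password lines."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies one
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["user"], m["ip"]))
    return sorted(events)

def per_source_strikes(events, threshold=3, window=timedelta(minutes=5)):
    """'Three strikes' per address: sources with >= threshold failures inside one window."""
    times = defaultdict(list)
    for ts, _user, ip in events:
        times[ip].append(ts)
    return {ip for ip, ts in times.items()
            if any(ts[i + threshold - 1] - ts[i] <= window
                   for i in range(len(ts) - threshold + 1))}

def distributed_targets(events, min_sources=3, window=timedelta(hours=1)):
    """Accounts probed from >= min_sources distinct addresses in one window (slow, spread-out guessing)."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        for i, (start, _ip) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= min_sources:
                flagged[user] = sorted(ips)
                break
    return flagged
```

On the sample data the per-address rule catches only 192.0.2.10, while the per-account check reports root as being guessed at from three addresses that each stayed under the strike limit.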