Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Weird SSH attack last night and this morning (still ongoing)

from [Erin Carroll] Network Security [Permanent Link]
Subject: RE: Weird SSH attack last night and this morning (still ongoing)
Date: Wed, 7 May 2008 10:53:35 -0700 
Gary,

I am seeing the exact same traffic pattern & attempts as of ~10:20pm PST:
Single attempts to remote root ssh from disparate IP's with few (if any)
repeated source location. So now we have a sample size of 2 :)

When I saw this hitting my servers last night I thought it an odd attack
pattern but surmised it was either a targeted slow attack with spoofed IP's
or a "slow roll" botnet using throttled connects to try flying under the
radar for alerting. I was leaning toward the latter and even more so now
that I see my organization isn't the only one.

Just block root ssh and apply a source IP whitelist for valid non-root
allows if you require remote ssh for day to day. I consider it bad security
practice to allow remote root ssh anyway. People should use user accounts
and a sane sudoers config instead.



--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba@amoebazone.com
"Do Not Taunt Happy-Fun Ball"



-----Original Message-----
From: Gary Baribault [mailto:gary@baribault.net] 
Sent: Wednesday, May 07, 2008 5:27 AM
To: incidents@securityfocus.com
Subject: Weird SSH attack last night and this morning (still ongoing)

I don't know what is going on last night and this morning ... I have 
three Linux servers facing the Internet, two on cable modems and another 
on a static IP/commercial connection and this last one is a gateway to a 
Web/FTP/SMTP/Pop3/NTP Linux based system.

I have DenyHosts installed on all three and have blocked about 75 
attempts ..  from known compromised adresses .. The log shows 
(obviously) that there where even more attempts from adresses that are 
unknown to DenyHosts but there was only one login attemps per adress and 
it was with the Root account .. which is obviously blocked in my sshd 
config ..

Of the three machines, one of them only had about 10 attempts, but the 
other two had about 200 attempts .. all of them with only 1 try with the 
user Root ..

Is any one else seing this? or am I being targeted? This is still going 
on now .. and it started arround 10:00 last night GMT+4

-- 
Gary Baribault
Courriel: gary@baribault.net
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Weird SSH attack last night and this morning (still ongoing), Gary Baribault
Next by Date:  Re: Weird SSH attack last night and this morning (still ongoing), bugtraq
Previous by Thread:  Re: Weird SSH attack last night and this morning (still ongoing), Bartholomew Mallio
Next by Thread:  Re: Weird SSH attack last night and this morning (still ongoing), Gary Baribault
Indexes:  [Date] [Thread] [Top] [All Lists]