Re: Re: Attacks on ssh port
From: Craig Edwards (brain_at_winbot.co.uk)
Date: Sat, 18 Sep 2004 14:05:21 +0100 To: "Patrick Proniewski" <email@example.com>, "Willem Jan Withagen" <firstname.lastname@example.org>, "Liste FreeBSD-security" <freebsd-security@FreeBSD.ORG>
as ive read this is an attack from some kiddie trying to build a floodnet.
records show that most of the compromised boxes are linux machines which end up having suckit rootkit and an energymech installed on them, i dont know if the attacker has ever gotten into a freebsd machine and what they'd do if they did.
On my machines i have a dummy shell which APPEARS to be a successful login but just returns weird errors (such a "Segmentation Fault") or bad data for all commands that are issued, while also logging their commands. im tempted to put this on the 'test' account and let them in on this shell to see what is attempted. just to clarify, if i did such a thing theres no way for them to break out of the shell, right? its a simple perl script, so if the perl script ends, theyre logged off? This is what i expect to happen however i don't want to risk it unless its 100% safe... And just to clarify again all commands that are issued from this fake shell never reach the REAL os, even "uname" returns a redhat 7.2 string when the real machine is actually freebsd 5...
>On 18 sept. 2004, at 14:18, Willem Jan Withagen wrote:
>> Is there a security problem with ssh that I've missed???
>> Ik keep getting these hords of: Failed password for root from
>> 126.96.36.199 port 39239 ssh2
>> with all kinds of different source addresses.
>> They have a shot or 15 and then they are of again, but a little later
>> on they're back and keep clogging my logs.
>> Is there a "easy" way of getting these ip-numbers added to the
>> blocking-list of ipfw??
>not a ssh related problem, it's just a brute force attack, I'm
>experiencing this on every servers I have, more than 10 times a day.
>I'm really thinking about releasing the list of attackers IP to the
>public. As far as I know, it's a pack of compromised machines.
>email@example.com mailing list
>To unsubscribe, send any mail to "firstname.lastname@example.org"
email@example.com mailing list
To unsubscribe, send any mail to "firstname.lastname@example.org"