Re: SSH probe attack afoot?

j_at_65535.com
Date: 02/08/05

  • Next message: Joe Egloff: "Re: SSH probe attack afoot?"
    Date: Tue, 08 Feb 2005 17:25:43 +0000
    To: incidents@securityfocus.com
    
    

    Stephen Warren wrote:
    >> On 6 Feb 2005, at 15:09, Bernie Cosell wrote:
    >>
    >>> We're now getting hammered with the third round of ssh probes in the
    >>> last
    >>> four days [one from CA, one from Brazil and one from Virginia]. I was
    >>> wondering: is there some virus or the like floating around now that
    >>> leaves an ssh-hammering zombie in its wake? Or is it just coincidental
    >>> that we have gotten three floods?
    >
    >
    > I got fed up with seeing this kind of thing in my logs.
    >
    > So, I switched SSH to a non-default port, and it all went away:-)
    >
    > Sometimes, security through obscurity is very useful. Now at least I
    > have a small SSHD logfile, so I'll pay more attention to it if something
    > shows up in it.
    >
    > Of course, depending on your user-base, you might have to spend a lot of
    > time on user-education after this change.
    >

    I found that all these bruteforce ssh attacks used something called
    "libssh" and quite clearly identify themselves as libssh when they
    connect and handshake..

    I made a simple little patch for sshd which detects certain client
    strings like this, and drops the connection.. It also logs legitimate
    connections, so i can still see the attempts but they have no chance of
    success, and syslog will cut them down to "last message repeated 50
    times" etc..


  • Next message: Joe Egloff: "Re: SSH probe attack afoot?"