Re: SSH probe attack afoot?
Date: Tue, 08 Feb 2005 17:25:43 +0000 To: firstname.lastname@example.org
Stephen Warren wrote:
>> On 6 Feb 2005, at 15:09, Bernie Cosell wrote:
>>> We're now getting hammered with the third round of ssh probes in the
>>> four days [one from CA, one from Brazil and one from Virginia]. I was
>>> wondering: is there some virus or the like floating around now that
>>> leaves an ssh-hammering zombie in its wake? Or is it just coincidental
>>> that we have gotten three floods?
> I got fed up with seeing this kind of thing in my logs.
> So, I switched SSH to a non-default port, and it all went away :-)
> Sometimes, security through obscurity is very useful. Now at least I
> have a small SSHD logfile, so I'll pay more attention to it if something
> shows up in it.
> Of course, depending on your user-base, you might have to spend a lot of
> time on user-education after this change.
I found that all these brute-force ssh attacks used something called
"libssh" and quite clearly identify themselves as libssh when they
connect and handshake.
I made a simple little patch for sshd which detects certain client
strings like this, and drops the connection. It also logs legitimate
connections, so I can still see the attempts but they have no chance of
success, and syslog will cut them down to "last message repeated 50
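The banner check the reply describes, as an added example (this is not the poster's sshd patch): it parses the RFC 4253 client identification string and applies a denylist to the software-version field, emitting a syslog-style line for each decision. The sample banners and peer addresses are constructed, and "libssh" is matched as a case-insensitive substring of the software field only.

```python
"""Classify SSH client identification strings the way a banner-filtering
sshd patch would: parse the RFC 4253 'SSH-proto-software [comments]' line,
check the software field against a denylist, and produce a syslog-style log line."""
import re
from typing import Optional, Tuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Client software names to drop. "libssh" is the one named in the thread;
# matching is case-insensitive and applied only to the software field.
DENYLIST = ("libssh",)

def parse_ident(line: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (protoversion, softwareversion, comments) or None if malformed."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None  # identification strings must be printable US-ASCII
    m = _IDENT_RE.match(text.rstrip("\r\n"))
    if not m:
        return None
    return m.group("proto"), m.group("software"), m.group("comments") or ""

def decide(line: bytes, peer: str) -> Tuple[str, str]:
    """Return ('drop' | 'accept', log_line). Malformed banners are dropped too."""
    parsed = parse_ident(line)
    if parsed is None:
        return "drop", f"sshd: malformed client identification from {peer}"
    proto, software, _comments = parsed
    if any(bad in software.lower() for bad in DENYLIST):
        return "drop", f"sshd: dropping connection from {peer}: client '{software}' is denylisted"
    return "accept", f"sshd: client identification from {peer}: SSH-{proto}-{software}"

if __name__ == "__main__":
    # Constructed sample banners and RFC 5737 documentation addresses, not captured traffic.
    SAMPLES = [
        (b"SSH-2.0-libssh-0.2\r\n", "198.51.100.7"),
        (b"SSH-2.0-OpenSSH_3.9p1\r\n", "192.0.2.10"),
        (b"SSH-1.99-LIBSSH_0.11 scanner\r\n", "203.0.113.5"),
        (b"garbage\r\n", "203.0.113.9"),
    ]
    for banner, peer in SAMPLES:
        verdict, log_line = decide(banner, peer)
        print(verdict, log_line)
```

The software field is whatever the client chooses to send, so this only filters tools that announce themselves and will also refuse legitimate libssh-based clients; treat it as a log-noise reducer, not an authentication control.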