Re: SSH probe attack afoot?
Date: 02/08/05

    Date: Tue, 08 Feb 2005 17:25:43 +0000

    Stephen Warren wrote:
    >> On 6 Feb 2005, at 15:09, Bernie Cosell wrote:
    >>> We're now getting hammered with the third round of ssh probes in the
    >>> last four days [one from CA, one from Brazil and one from Virginia]. I
    >>> was wondering: is there some virus or the like floating around now that
    >>> leaves an ssh-hammering zombie in its wake? Or is it just coincidental
    >>> that we have gotten three floods?
    > I got fed up with seeing this kind of thing in my logs.
    > So, I switched SSH to a non-default port, and it all went away:-)
    > Sometimes, security through obscurity is very useful. Now at least I
    > have a small SSHD logfile, so I'll pay more attention to it if something
    > shows up in it.
    > Of course, depending on your user-base, you might have to spend a lot of
    > time on user-education after this change.

    I found that all these brute-force ssh attacks used something called
    "libssh" and quite clearly identify themselves as libssh when they
    connect and handshake.

    I made a simple little patch for sshd which detects certain client
    strings like this, and drops the connection. It also logs legitimate
    connections, so I can still see the attempts but they have no chance of
    success, and syslog will cut them down to "last message repeated 50
    times" etc.
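
    The banner check described in the message above, sketched as an added example; it is not the poster's patch or OpenSSH code. It assumes the RFC 4253 identification line format, and the function names, the denylist and the sample banners are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed denylist; "libssh" is the only client string the post names. */
static const char *const blocked_clients[] = { "libssh", NULL };

/* Copy the softwareversion field of an RFC 4253 identification line
 * ("SSH-protoversion-softwareversion[ SP comments] CR LF") into out.
 * Returns 0 on success, -1 if the line is malformed or does not fit. */
int ssh_banner_software(const char *banner, char *out, size_t outlen)
{
    if (!banner || !out || strncmp(banner, "SSH-", 4) != 0) return -1;
    const char *proto = banner + 4;
    const char *dash = strchr(proto, '-');
    if (!dash || dash == proto) return -1;          /* empty protoversion */
    size_t n = strcspn(dash + 1, " \r\n");          /* stop at comments or CR LF */
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, dash + 1, n);
    out[n] = '\0';
    return 0;
}

/* Case-insensitive test that s starts with prefix. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Returns 1 if the connection should be dropped, 0 if it may proceed.
 * Malformed banners are dropped too (a choice made for this example). */
int ssh_banner_should_drop(const char *banner)
{
    char sw[256];
    if (ssh_banner_software(banner, sw, sizeof sw) != 0) return 1;
    for (size_t i = 0; blocked_clients[i]; i++)
        if (has_prefix_ci(sw, blocked_clients[i])) return 1; /* also matches libssh2 */
    return 0;
}

int main(void)
{
    /* Constructed sample banners, not taken from the post. */
    const char *samples[] = { "SSH-2.0-libssh-0.1\r\n", "SSH-2.0-OpenSSH_3.9p1\r\n", "HELLO\r\n" };
    for (size_t i = 0; i < 3; i++)
        printf("%-6s %s", ssh_banner_should_drop(samples[i]) ? "drop" : "allow", samples[i]);
    return 0;
}
```

    The identification string is chosen by the client, so a check like this filters tools that announce themselves and is not a substitute for authentication controls.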
