Michael Tautschnig wrote:
> Hi all,
>
> for about two days now I'm seeing an extremely high number of apparently
> coordinated (well, at least they are trying the same list of usernames) brute
> force attempts from IP addresses spread all over the world. I've had denyhosts
> and an additional iptables based firewall solution in place to mitigate these
> for quite some time already and this seems to do the trick in terms of
> blocking them fairly quickly.
>
> Nevertheless, I'd like to do something about it more proactively, so I also
> contact the abuse mailboxes as obtained from whois. From time to time I even
> see responses stating that counter measures have been taken. In the current
> case, however, there rather seems to be a need for some more coordinated action
> instead of contacting the ISPs for each single IP -- this host might get
> blocked/shut down, but there is little hope of a more thorough investigation,
> trying to get closer to the root of these attacks.
>
> Well, probably I'm pretty naive in hoping that one could do anything about that
> at all, but maybe some of you are more experienced in security issues/dealing
> with CERTs, etc. and have some ideas what could be done.
>
> Further, what do you guys do about such attacks? Just sit back and hope they
> don't get hold of any passwords? Any ideas are welcome...
>
> Thanks,
> Michael

Hey there,
first of all, administering Linux servers is what I do for a living (yet). So this is just advice from my experience as a Linux user (also on my servers) and ML reader, please feel free to correct me if I'm wrong. ;)

I believe that most of those 'attacks' (bruteforce attempts) are (assuming that we're not talking about servers of banks or federal governments or something like that) rather random. They're scripts run against whole ranges of IP addresses and so far have hit anyone I know running a server on the internet. I'm actually talking about that in a positive way, meaning that most of those 'attacks', as I know them, are neither distributed nor coordinated against one server.

To cut a long story short, I don't think you get a lot from reporting the IPs. I suppose the systems running the bruteforces are often either located somewhere in the world where you can't really do them any harm, or are infected or compromised systems of people that don't know that their machines are running such 'attacks'. So I think reporting is pretty much the only thing you can do. You won't be able to press criminal charges against anyone, I think. The problem with reporting the IPs is that it can become a very big task as the number of IPs denyhosts blocks increases.

Another piece of advice I can give is to change the SSH port. That minimized bruteforces to almost zero for me.

So long.
-- 
Cheers,
Max
Linux-User #477672
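The two signals discussed in this thread, a per-source failure count (what denyhosts-style blocking keys on) and several sources walking the same username list (Michael's "coordinated" observation), can be pulled out of sshd log lines directly. The script below is an added example, not code from the thread or from denyhosts; the log lines are constructed samples and the threshold values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (documentation-range IPs); not from the thread.
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 04:12:03 host sshd[2313]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Mar  3 04:12:05 host sshd[2315]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar  3 04:13:10 host sshd[2330]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
Mar  3 04:13:12 host sshd[2332]: Failed password for invalid user test from 203.0.113.9 port 51010 ssh2
Mar  3 04:13:14 host sshd[2334]: Failed password for root from 203.0.113.9 port 51019 ssh2
Mar  3 04:20:00 host sshd[2400]: Failed password for max from 192.0.2.44 port 33001 ssh2
Mar  3 04:20:30 host sshd[2402]: Accepted publickey for max from 192.0.2.44 port 33002 ssh2
"""

# Matches OpenSSH's "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_attempts(log_text):
    """Return {source_ip: [username, ...]} in the order the attempts appeared."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            attempts[ip].append(user)
    return attempts


def over_threshold(attempts, limit=3):
    """Sources with at least `limit` failures (assumed limit): the per-IP rule
    that denyhosts-style tools act on."""
    return sorted(ip for ip, users in attempts.items() if len(users) >= limit)


def shared_username_lists(attempts, min_sources=2):
    """Group sources by the exact username sequence they tried. Several IPs
    walking the same list is the 'coordinated' pattern described in the thread."""
    by_list = defaultdict(list)
    for ip, users in attempts.items():
        by_list[tuple(users)].append(ip)
    return {lst: sorted(ips) for lst, ips in by_list.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    a = failed_attempts(SAMPLE_LOG)
    print("over threshold:", over_threshold(a))
    for lst, ips in shared_username_lists(a).items():
        print("same username list", lst, "from", ips)
```

Run it against a real /var/log/auth.log (or the journal) instead of SAMPLE_LOG to see which sources share a username list and are worth a single combined abuse report rather than one per IP.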

