What the question was asking was 'is anyone else' having one machine attacked in particular as opposed to all of their machines.
What I explained in the original post was that in all past instances (many times a day, every day) when one machine is attacked, the other is as well, since they are close to each other on a major cable modem ISP. In this case only one of the machines is being attacked, and it's a relatively stealthy attack. So the question is if anyone else is seeing the same type of activity.

Gary Baribault
Courriel: [email protected]
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 06/17/2010 11:04 AM, Benji wrote:
> What?
>
> Think about what you said.
>
> Anyone. else. seeing. a. targeted. attack.
>
> Why would anyone else see a TARGETED attack?
>
> anyway, no, you're not special, distributed SSH bruteforce is normal.
>
>
> On Thu, Jun 17, 2010 at 1:44 PM, Gary Baribault <[email protected]> wrote:
>> I just knew that people would say that, and that's why I specified
>> that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
>> interesting to see new types of attacks. The question here is whether
>> anyone else is seeing such a targeted attack.
>>
>> Gary Baribault
>> Courriel: [email protected]
>> GPG Key: 0x685430d1
>> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>>
>>
>> On 06/17/2010 08:28 AM, [email protected] wrote:
>>>
>>> Have you ever considered obfuscated-openssh?
>>>
>>> http://github.com/brl/obfuscated-openssh
>>>
>>> I have a modified version of PuTTY available for it...
>>>
>>> http://www.mrhinkydink.com/potty.htm
>>>
>>> Still... you should change the freakin' port.
>>>
>>> -------- Original Message --------
>>> Subject: [Full-disclosure] targetted SSH bruteforce attacks
>>> From: Gary Baribault <[email protected]>
>>> Date: Thu, June 17, 2010 7:48 am
>>> To: [email protected]
>>>
>>> Hello list,
>>>
>>> I have a strange situation and would like information from the list
>>> members. I have three Linux boxes exposed to the Internet. Two of
>>> them are on cable modems, and both have two services that are
>>> publicly available. In both cases, I have SSH and named running and
>>> available to the public. Before you folks say it, yes I run SSH on
>>> TCP/22 and no I don't want to move it to another port, and no I
>>> don't want to restrict it to certain source IPs.
>>>
>>> Both of these systems are within one /21 and get attacked
>>> regularly. I run Denyhosts on them, and update the central server
>>> once an hour with attacking IPs, and obviously also download the
>>> public hosts.deny list.
>>>
>>> These machines get hit regularly, so often that I don't really
>>> care, it's fun to make the script kiddies waste their time! But in
>>> this instance, only my home box is being attacked... someone is
>>> burning a lot of cycles and hosts to do a distributed dictionary
>>> attack on my one box! The named daemon is non recursive, properly
>>> configured, up to date and not being attacked.
>>>
>>> Is anyone else seeing this type of attack? Or is someone really
>>> targeting MY box?
>>>
>>> Thanks
>>>
>>>
>>> Gary Baribault
>>> Courriel: [email protected]
>>> GPG Key: 0x685430d1
>>> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>
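One way to check the observation discussed in this thread, that one host is hit by sources that never touch its neighbour and that each source stays quiet, is to compare sshd failure logs from both machines. This is an added example, not code from any poster; the log lines are constructed samples using documentation IP ranges, and the host names and the per-source threshold of 5 are assumptions.

```python
import re
from collections import Counter

# OpenSSH failed-password line as it appears in auth.log / secure.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def failures_by_source(log_text):
    """Count failed password attempts per source IP in one host's log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def compare_hosts(log_a, log_b, per_ip_threshold=5):
    """Report sources that hit host A only, and which of them stay under
    an assumed per-source blocking threshold (so a per-IP blocker on A
    would never deny them)."""
    a, b = failures_by_source(log_a), failures_by_source(log_b)
    only_a = sorted(set(a) - set(b))
    return {
        "only_on_a": only_a,
        "shared": sorted(set(a) & set(b)),
        "under_threshold_on_a": [ip for ip in only_a if a[ip] < per_ip_threshold],
        "attempts_from_only_a": sum(a[ip] for ip in only_a),
    }

# Constructed sample logs (hypothetical hosts "home" and "other").
HOME_LOG = """\
Jun 17 07:01:02 home sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jun 17 07:03:40 home sshd[4107]: Failed password for root from 198.51.100.23 port 51880 ssh2
Jun 17 07:06:15 home sshd[4113]: Failed password for invalid user test from 203.0.113.77 port 33410 ssh2
Jun 17 07:09:51 home sshd[4120]: Failed password for root from 192.0.2.10 port 40391 ssh2
Jun 17 07:12:05 home sshd[4126]: Failed password for root from 203.0.113.5 port 60022 ssh2
Jun 17 07:12:06 home sshd[4126]: Failed password for root from 203.0.113.5 port 60022 ssh2
"""
OTHER_LOG = """\
Jun 17 07:12:09 other sshd[2210]: Failed password for root from 203.0.113.5 port 60100 ssh2
Jun 17 07:12:10 other sshd[2210]: Failed password for root from 203.0.113.5 port 60100 ssh2
"""

if __name__ == "__main__":
    for key, value in compare_hosts(HOME_LOG, OTHER_LOG).items():
        print(f"{key}: {value}")
```

A large "only_on_a" set whose members all sit in "under_threshold_on_a" is the pattern described in the thread: many sources, few attempts each, aimed at a single host.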
