[NCLUG] Distributed attack

grant at amadensor.com grant at amadensor.com
Thu Oct 1 13:54:03 MDT 2009


Mine has gone from a few a day to hundreds per hour, if not hundreds per
minute. The interesting things are how much it has increased, and the
fact that as far as I can tell, I have only seen each host once. This
makes me think botnet. Kind of cool in a twisted kind of way. I like
the plan of never using the same host twice. It makes it much harder to
block, but even more interestingly, it gives an idea of the scope and size
of botnets.


> I also have not had the issues you described (at least no more than
> normal, I always have random attacks). But it is never from a
> different IP each time.
>
> Blocking via a spam/compromised host list can be a good place to start.
> But IME it almost always does create false positives (if you have lots
> of people trying to access the server). So be sure to follow up with
> users and give them a way to contact you if they end up being one of
> those false positives.
>
> Always good policy to not allow root login via ssh also
> Cheers
>
> On Thu, October 1, 2009 13:00, Kasey Erickson wrote:
>> Though I'm not experiencing the immediate issue you've raised, I've
>> had good luck in the past with using denyhosts to filter out
>> blacklisted hosts.
>>
>> http://denyhosts.sourceforge.net/
>>
>> Kasey
>>
>>
>> On Thu, Oct 1, 2009 at 12:32 PM,  <grant at amadensor.com> wrote:
>>> I am seeing a distributed attack, with hundreds of SSH requests per
>>> minute, each trying to log on as root with a different password (it's
>>> OK, I killed the root password in /etc/shadow).
>>>
>>> Each is unique, and each is from a different IP address. I wonder if
>>> it is a bot net. Has anyone else been seeing this kind of stuff? It is
>>> really only in the last few days that it has been happening.
>>>
>>> The attacks are coming from Windows boxes, a lot of them on dial up,
>>> and mostly in Russia and China, but with a few sprinkled about the
>>> globe.
>>>
>>> _______________________________________________
>>> NCLUG mailing list       NCLUG at nclug.org
>>>
>>> To unsubscribe, subscribe, or modify
>>> your settings, go to:
>>> http://www.nclug.org/mailman/listinfo/nclug
>>>
>
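
The pattern discussed in this thread (each source address seen only once) is easy to miss with per-host counting, so the following added example, which is not part of the original messages and is not denyhosts' own logic, compares a simplified per-host threshold with a count of distinct sources per account per minute. The log lines, addresses, function names and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches classic syslog-format sshd failures; captures minute, user, source IP.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse(lines):
    """Yield (minute, user, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            yield m.groups()

def per_host_offenders(events, threshold=5):
    """Per-source counting: IPs with at least `threshold` failures (assumed value)."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_minutes(events, min_sources=50):
    """Minutes in which one account was tried from many distinct IPs."""
    sources = defaultdict(set)
    for minute, user, ip in events:
        sources[(minute, user)].add(ip)
    return {k: len(ips) for k, ips in sources.items() if len(ips) >= min_sources}

def sample_log():
    """Constructed log: 120 one-shot sources, one repeat offender, one good login."""
    fmt = ("Oct  1 12:32:{:02d} host sshd[{}]: "
           "Failed password for root from {} port {} ssh2")
    lines = [fmt.format(i % 60, 2000 + i, f"198.51.100.{i + 1}", 40000 + i)
             for i in range(120)]
    lines += [fmt.replace("12:32", "12:40").format(i, 3000 + i, "203.0.113.7", 50000 + i)
              for i in range(8)]
    lines.append("Oct  1 12:33:01 host sshd[4000]: Accepted publickey for user1 "
                 "from 192.0.2.5 port 51000 ssh2")
    return lines

if __name__ == "__main__":
    events = list(parse(sample_log()))
    # Only the repeat offender crosses the per-host threshold.
    print("per-host offenders:", per_host_offenders(events))
    # The one-attempt-per-host burst shows up only in the aggregate view.
    print("distributed minutes:", distributed_minutes(events))
```
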




