Spike in SSH attacks

Marc Nozell (marc@nozell.com) nozell at gmail.com
Mon Jun 21 09:54:41 EDT 2010


FYI, I've been using sshguard for a few months to drop routes to sites that
are probing my server.

None of the docs seemed to be quite right, so I wrote up some notes on
getting it working on Debian/Lenny here:
http://nozell.com/blog/2010/03/09/sshguard-on-debianlenny/

You'll know it is working when you get stuff like this in the logs:

lordshiva:~# grep sshguard /var/log/auth.log
Jun 20 10:49:37 lordshiva sshguard[2660]: Blocking 211.254.130.116:4 for >420secs: 4 failures over 542 seconds.
Jun 21 01:49:05 lordshiva sshguard[2660]: Blocking 217.118.97.58:4 for >420secs: 4 failures over 6 seconds.
Jun 21 01:57:51 lordshiva sshguard[2660]: Blocking 24.39.144.137:4 for >420secs: 4 failures over 780 seconds.
Jun 21 01:58:52 lordshiva sshguard[2660]: Blocking 217.118.97.58:4 for >1680secs: 4 failures over 6 seconds.
Jun 21 02:05:17 lordshiva sshguard[2660]: Blocking 24.39.144.137:4 for >1680secs: 4 failures over 4 seconds.
Jun 21 02:50:04 lordshiva sshguard[2660]: Blocking 217.118.97.58:4 for >0secs: 4 failures over 6 seconds.

<http://nozell.com/blog/2010/03/09/sshguard-on-debianlenny/>
-marc

On Mon, Jun 21, 2010 at 9:28 AM, Benjamin Scott <dragonhawk at gmail.com> wrote:

> http://isc.sans.edu/diary.html?storyid=9031
>
> http://isc.sans.edu/diary.html?storyid=9034
>
>  Apparently attackers are going after "keyboard interactive"
> authentication, which is separate from "password authentication".  If
> you are using SSH public/private keys only, make sure you have
> "ChallengeResponseAuthentication no" set in your /etc/ssh/sshd_config
> file.  If you must use passwords, make sure everyone has a strong
> password, and consider using techniques like scan detection,
> IP-address access control, port knocking, non-standard port, etc.
>
> -- Ben



-- 
Marc Nozell (marc at nozell.com) http://www.nozell.com/blog
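As an added example (not from the thread, the linked blog post, or sshguard itself), a small Python parser for the sshguard "Blocking" lines quoted above: it extracts each block event, summarizes blocks per source address (block count, the escalating block durations, and the shortest failure window), and lists the sources blocked more than once, which are the ones to consider for a longer or permanent block. The sample log is constructed from the quoted lines plus one unrelated sshd line using an RFC 5737 documentation address.

```python
import re
from collections import defaultdict

# sshguard logs "Blocking <addr>:<kind> for ><secs>secs: <n> failures over <t> seconds.";
# <kind> is the address family (4 = IPv4). Lines from other daemons are skipped.
BLOCK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshguard\[(?P<pid>\d+)\]: "
    r"Blocking (?P<addr>[0-9A-Fa-f.:]+):(?P<kind>\d) for >(?P<secs>\d+)secs: "
    r"(?P<failures>\d+) failures over (?P<window>\d+) seconds\.$"
)

# Constructed sample: the sshguard lines quoted in the thread plus one unrelated sshd line.
SAMPLE_LOG = """\
Jun 20 10:49:37 lordshiva sshguard[2660]: Blocking 211.254.130.116:4 for >420secs: 4 failures over 542 seconds.
Jun 21 01:49:05 lordshiva sshguard[2660]: Blocking 217.118.97.58:4 for >420secs: 4 failures over 6 seconds.
Jun 21 01:50:00 lordshiva sshd[2701]: Accepted publickey for marc from 192.0.2.10 port 50000 ssh2
Jun 21 01:57:51 lordshiva sshguard[2660]: Blocking 24.39.144.137:4 for >420secs: 4 failures over 780 seconds.
Jun 21 01:58:52 lordshiva sshguard[2660]: Blocking 217.118.97.58:4 for >1680secs: 4 failures over 6 seconds.
Jun 21 02:05:17 lordshiva sshguard[2660]: Blocking 24.39.144.137:4 for >1680secs: 4 failures over 4 seconds.
Jun 21 02:50:04 lordshiva sshguard[2660]: Blocking 217.118.97.58:4 for >0secs: 4 failures over 6 seconds.
"""

def parse_block_events(log_text):
    """One dict per sshguard 'Blocking' line, numeric fields converted to int."""
    events = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            ev = m.groupdict()
            for key in ("pid", "kind", "secs", "failures", "window"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events

def summarize_by_source(events):
    """Per address: block count, durations in log order, total failures, shortest failure window."""
    summary = defaultdict(lambda: {"blocks": 0, "durations": [], "failures": 0, "min_window": None})
    for ev in events:
        s = summary[ev["addr"]]
        s["blocks"] += 1
        s["durations"].append(ev["secs"])
        s["failures"] += ev["failures"]
        s["min_window"] = ev["window"] if s["min_window"] is None else min(s["min_window"], ev["window"])
    return dict(summary)

def repeat_offenders(summary, min_blocks=2):
    """Addresses blocked at least min_blocks times, most-blocked first."""
    hits = [(a, s["blocks"]) for a, s in summary.items() if s["blocks"] >= min_blocks]
    return [a for a, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]
```

Point it at a real file with `summarize_by_source(parse_block_events(open("/var/log/auth.log").read()))`; a short `min_window` combined with a growing `durations` list is the signature of an automated scanner that keeps coming back after each block expires.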