LinuxQuestions.org
Page 2 of 2 1 2
Show 50 post(s) from this thread on one page

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Strange attack pattern? (https://www.linuxquestions.org/questions/linux-security-4/strange-attack-pattern-698105/)

unixfool 01-22-2009 01:34 PM
That won't work with a targeted attack, as anyone can probe an open port to determine what's actually running on the other end (a simple telnet to port xxx will show an SSH banner, no matter the port), but I get what you're saying.

I donate my logs to security sites (sans.org/dshield.org), so I'd prefer to log and block such activity. I think its prudent to watch such activity, even though its being dropped. I compared my SSH logs with my FW and Denyhosts logs and found that some things weren't being blocked by Denyhosts. The FW would let the traffic in and SSH would deny it while Denyhosts wouldn't block. This is why layering security is good. When 2 of 3 layers don't work, that last layer is the very last defense. The distributed attacks didn't affect me but it was a definitely smart thing to do (if you're a hacker) to dodge thresholded blocking. It pays to understand what's in your logs and how to mitigate or remedy security issues. Historical log trending can ferret out less obvious security issues that may or may not affect the masses...better to understand now than be blind-sided.

catworld 01-22-2009 03:30 PM
Yep, takes a half second to see ssh running up high, but it takes eyes-on to know it. It wouldn't be hard to script automated discovery of services on non-standard ports, but for now it appears the script-kiddie-download hax0rs hit on 22 or nothing.

I don't log port 22 at the firewall, but I do monitor everything in and out by other means. I've never seen any attempt to crack secure shell.

God forbid one of them discovers grep...

/dev/me 01-23-2009 10:52 AM
Hey thanks for the links, yes that seems quite similar. Distributed brute force.... nasty business


Quote:
Originally Posted by catworld
Yep, takes a half second to see ssh running up high, but it takes eyes-on to know it. It wouldn't be hard to script automated discovery of services on non-standard ports, but for now it appears the script-kiddie-download hax0rs hit on 22 or nothing.
Indeed I think running ssh on a non-standard port is one of the best pseudo-security measures you can take. I've not had a single attack on my real ssh port ever since I took that step, now almost a year ago. It's not like real security obviously, because a human that knows what (s)he's doing can easily avoid it. But with all the kiddies never even reaching the logs, this attack will stand out like a beacon.



Quote:
Originally Posted by catworld
God forbid one of them discovers grep...
Aw! Do you think it's time to start negotiating terms of surrender?? If teh Üb3r proCr@xXx0rz read the grep man page, we might as well give up. :o

unixfool 01-23-2009 12:24 PM
Quote:
Originally Posted by catworld (Post 3417836)
I've never seen any attempt to crack secure shell.
What's your public IP? LOL...j/k! :)

catworld 01-23-2009 12:42 PM
:D

It's bad enough Yahoo groups lost my email address to the spammers...


All times are GMT -5. The time now is 06:42 PM.
Page 2 of 2 1 2
Show 50 post(s) from this thread on one page