The Low-Intensity, Brute-Force Zombies Are Back
Peter N. M. Hansteen writes "In real life, zombies feed off both weak minds and the weak passwords they choose. When the distributed brute-force attempts stopped abruptly after a couple of months of futile pounding on ssh servers, most of us thought they had seen sense and given up. Now, it seems that they have not; they are back. 'This can only mean that there were enough successful attempts at guessing people's weak passwords in the last round that our unknown perpetrators found it worthwhile to start another round. For all I know they may have been at it all along, probing other parts of the Internet ...' The article has some analysis and links to fresh log data."
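The pattern the summary describes, many hosts each making only one or two guesses against the same account names, is exactly what a per-IP failure threshold misses. Below is an added detection example (not from the linked article or its log data) that parses a constructed sshd auth.log excerpt and pivots on the username across source addresses; the sample lines, thresholds and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sshd auth.log excerpt using RFC 5737 documentation addresses; not real log data.
SAMPLE_LOG = """\
Nov 21 03:12:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Nov 21 03:12:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Nov 21 03:18:44 host sshd[1010]: Failed password for invalid user admin from 198.51.100.17 port 50110 ssh2
Nov 21 03:25:09 host sshd[1022]: Failed password for invalid user admin from 192.0.2.77 port 39988 ssh2
Nov 21 03:31:50 host sshd[1031]: Failed password for root from 198.51.100.17 port 50121 ssh2
Nov 21 03:40:12 host sshd[1040]: Failed password for invalid user admin from 192.0.2.200 port 61000 ssh2
Nov 21 03:44:02 host sshd[1045]: Failed password for root from 203.0.113.90 port 33001 ssh2
Nov 21 04:01:30 host sshd[1060]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2
"""
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log_text):
    """Return (timestamp, username, source_ip) for each failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog lines carry no year; strptime defaults to 1900, which is fine for ordering
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)))
    return events

def per_source_alerts(events, max_fails=3, window_s=300):
    """Per-IP threshold in the style of iptables -m recent: more than max_fails
    failures from a single address inside window_s seconds."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    alerts = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - max_fails):
            if (times[i + max_fails] - times[i]).total_seconds() <= window_s:
                alerts.add(ip)
                break
    return alerts

def distributed_alerts(events, min_sources=3):
    """Pivot on the username instead: one account probed from many addresses,
    each staying under the per-IP threshold, is the low-intensity zombie pattern."""
    per_user = defaultdict(lambda: defaultdict(int))  # user -> ip -> failure count
    for _ts, user, ip in events:
        per_user[user][ip] += 1
    return {user: dict(ips) for user, ips in per_user.items() if len(ips) >= min_sources}
```

On the sample, the per-IP check fires for nobody, while the username pivot flags `admin` as probed from four distinct addresses.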
SPA / PORT KNOCKING - Bye Bye Brute (Score:4, Insightful)
Roll out SPA / Port knocking, their IP shouldn't be touching your sensitive ports without a rule, table, or chain specifically allowing access. FORGET THE PASSWORD!
Another solution (Score:3, Insightful)
Re:why are passwords even allowed? (Score:3, Insightful)
grep -v for the win!
Re:Protect yourself (Score:3, Insightful)
Re:why are passwords even allowed? (Score:3, Insightful)
Re:My server got attacked last Thursday (Score:3, Insightful)
Um. You realize, of course, that remote desktop is a lot less secure than ssh, right?
It doesn't matter if people are trying to pick the lock on your door. What matters is whether they can pick the lock. Use RSA-based authentication, and no amount of brute force is going to improve the odds of their breaking in to the point where it's worth bothering.
Remote desktop, on the other hand, is completely brute-forceable. If you're not seeing brute force attacks, it's because nobody's bothering, not because you're not vulnerable.
Re:why are passwords even allowed? (Score:2, Insightful)
Re:why are passwords even allowed? (Score:2, Insightful)
Re:why are passwords even allowed? (Score:3, Insightful)
Re:disabling root login is idiotic (Score:1, Insightful)
Is that good reason: You're an idiot?
If someone is logging into your root account with your key, then it doesn't matter, you're already thoroughly compromised.
If someone is logging into your key-only root account WITHOUT your key... you have much bigger problems.
There is no case where disabling root login will protect you, except perhaps from yourself.
Re:iptables goodness (Score:2, Insightful)
Wouldn't it be better to TARPIT them rather than --reject-with tcp-reset? That said, if they are generating one query from each IP address and trying to log in more than 300 seconds apart, this may have no effect. Perhaps all firewalls without ssh enabled should TARPIT attempts to connect to slow this down. Perhaps one could create a script on all computers to change the ssh port as a function of time, assuming you are using a nonstandard high port, and to tarpit all other ports.