shh bruteforce attacks - Community & Forums Related Discussions

Users browsing this thread: 5 Guest(s)
vompatti
Long time nixers
As you have noticed, our IRC server was done for about on day. Before it went down (I dont know why it went), there were bruteforce attacks going on.

I noticed that my box has been under attack for couple days know but nobody hasnt gain any access.

Now, you should check your host(s) logs and see if all our servers is/were under attack.

Heres some of IPs where attack came from:
113.149.86.66
128.204.194.99
74.124.206.30
101.44.1.134
95.163.76.42
61.253.249.157
91.191.166.95
60.28.183.71
188.95.234.6
63.217.116.187
What's programmers favorite thing to do? DELETE CODE!
Git: https://github.com/vhakulinen
oh no you didnt
Amzo
Members
These attacks aren't targeted at anyone specifically, rather it's automated programs searching a range of IP addresses and brute forcing them.

However, if you use weak passwords, I would change them and add some Iptable rules to filter any bruteforcing.

The majority of these brute force attempts originate from china and have been caught by some honey pots.

Code:
ptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
jmbi
Long time nixers
Well, I hope they have fun trying to crack my 44 character password.
venam
Administrators
Isn't there a limit of attempt per minutes?
If not you should definetelly do it.
/etc/security/limits.conf
Amzo
Members
I already setup a firewall rules to limit the number of attempts to ssh per second. Then to block that Ip if 3 attempts have been made by the IP in 1 minute.
jolia
Long time nixers
Yeah IPTables would be nice.

By the way, you can use Fail2ban which is really izi and fast to set up!

Or just change the SSH listening port ;)
jmbi
Long time nixers
These ssh attacks just get better and better...

[![image](http://i.imgur.com/9KdeK.png)](http://i..../9KdeK.png)
jmbi
Long time nixers
i honestly have no fucking idea
Dritz
Long time nixers
Dude, your setup, it's so slick!

Have you posted the specs in the desktop pics thread?

LOL BTW.

(Sorry for being OT, but I had to ask. And I figured that PMing wouldn't stimulate anyone other than me.)
"Willful ignorance is a crime"
venam
Administrators
How comes all the requests comes from 1 single IP and it's not blocked. However, I see that there's at least 4s between each attempts.
jmbi
Long time nixers
There are small attacks that come in groups, each one coming from a new IP address (most of them reside in China somewhere). There are usually 3-4 different attacks each day, and each individual attack looks like the one in the screenshot.
gurhush
Long time nixers
Doubt it's Terminal. It's likely random people in China (most sensical candidate) or someone with an agenda against us AND random people in china.