[nycbug-talk] Analyzing malicious SSH login attempts

Dru dlavigne6 at sympatico.ca
Wed Sep 13 14:37:12 EDT 2006
On Wed, 13 Sep 2006, Isaac Levy wrote:

>> Aaah, but isn't that the rub in security? Security after all is a myth, or 
>> at best, an arms race where you have to balance risk and effort :-)
>
> That statement gets the packet-fu award from me for this summer.


I'll pick it up next time I'm in NYC ;-)


> I made the mistake of running a traceroute on a particular host which was 
> part of the attack, using my laptop behind a remote DSL line where I was 
> ssh'd to the servers.
> Within seconds, around 100 ssh auth attempts were made to one mailserver 
> *spoofing the IP address of my DSL line*, in effect locking me out of future 
> SSH connections based on 'MaxAuthTries' in sshd_conf.
> I had a few shells already on that box, so I was able to continue working, 
> (or I guess I could have figured out how to flush MaxAuthTries somehow if I 
> needed to do it then).  That was less important to me though, for suddenly my 
> DSL line was ping-flooded with what must have been oversized packets, and I 
> went dark for a few seconds.
>
> Startled the bejeziz out of me at the time though, bad day, won't forget it.


I'm sure everyone on this list groaned and thought of at least one similar 
horror story of their own...

Here's a totally wild idea: remember the BSD success stories pdf? How 
about we put together a collection of "my sysadmin horror stories and what 
I learned from them" and have the PDF launched at NYCBSDCon? I'll 
volunteer to play editor if we can collect enough stories. Ike, you'd make 
a great graphics layout person if you have the time and interest.

Dru
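Since the thread's subject is analyzing malicious SSH login attempts, here is an added example (not from this post or the list) showing the kind of first-pass log triage that would have surfaced the burst of auth attempts Ike describes: it parses OpenSSH "Failed password" syslog lines, groups them by source address, and flags any source that produces a burst of failures inside a sliding time window. The log lines are constructed for the example, and the threshold (5 failures) and window (60 seconds) are assumptions to tune for your own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not real data). The line format follows
# OpenSSH's syslog output: "Failed password for [invalid user] NAME from IP port N ssh2".
SAMPLE_LOG = """\
Sep 13 14:01:02 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Sep 13 14:01:03 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Sep 13 14:01:05 mail sshd[1203]: Failed password for root from 203.0.113.7 port 40130 ssh2
Sep 13 14:01:06 mail sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Sep 13 14:01:09 mail sshd[1205]: Failed password for root from 203.0.113.7 port 40140 ssh2
Sep 13 14:02:10 mail sshd[1210]: Failed password for dru from 198.51.100.4 port 51000 ssh2
Sep 13 14:02:14 mail sshd[1210]: Accepted publickey for dru from 198.51.100.4 port 51000 ssh2
Sep 13 14:30:00 mail sshd[1300]: Failed password for root from 203.0.113.7 port 40500 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd prefixes it when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2006):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    syslog timestamps carry no year, so the caller supplies one (assumed).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bursts(events, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside any `window_seconds` span.

    Returns {ip: (peak_count, sorted_usernames_tried)} for flagged sources only.
    A sliding window over the per-source timestamps avoids counting a slow
    trickle of failures spread over hours as if it were one burst.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside window_seconds.
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in items[start:end + 1]})
                prev = flagged.get(ip)
                if prev is None or count > prev[0]:
                    flagged[ip] = (count, users)
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bursts(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failures in one window, usernames tried: {', '.join(users)}")
```

Grouping by source address rather than by connection is the point: sshd's MaxAuthTries limits guesses within a single session, so a brute-force run shows up in the logs as many short sessions from one address, and that is the pattern a per-source window catches. In a real deployment the threshold output would feed a firewall table or a blocklist tool rather than a print statement.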