[nycbug-talk] SSH attacks

Yarema yds at CoolRat.org
Wed Sep 10 17:18:42 EDT 2008

Steven Kreuzer wrote:
> Yarema wrote:
>> Hey, is anyone else seeing an upsurge in distributed SSH attacks over
>> the past week or two?
>> This annoyed me enough to get me reading The Book of PF.  I've been
>> using the BlockSSHd script to block and send me notices by watching
>> auth.log.  Problem was that durring heavy attacks my INBOX would get
>> fooded.  And the reaction time was a bit slow.
>> A couple of meetings ago Steven Kreuzer suggested I use PF's
>> max-src-conn method.  Works like a charm. 
> Glad I can help. I will send you the routing number for my Cayman Island
> offshore holding subsidiary
> and you can just deposit my consulting fee into that
>> I also use the pam_af plugin.  It never gets a chance to block anything,
>> but provides useful info on when and where a login was coming from.
> Out of curiosity, would you be able to take the IPs you are blocking and
> try and figure out
> the country most of these connections are coming from?
> If you don't ever expect to get connections from China and Korea, you
> can load the following
> into pf and pretend like they don't even exist.
> http://www.openbsd.org/spamd/chinacidr.txt.gz
> http://www.openbsd.org/spamd/koreacidr.txt.gz

Just found an interesting resource:

The Targets/Day graph for September correspond to what I've been
experiencing.  Any idea how they collect the data?

More information about the talk mailing list