[nycbug-talk] SSH attacks
Yarema
yds at CoolRat.org
Wed Sep 10 17:18:42 EDT 2008
Steven Kreuzer wrote:
> Yarema wrote:
>> Hey, is anyone else seeing an upsurge in distributed SSH attacks over
>> the past week or two?
>>
>> This annoyed me enough to get me reading The Book of PF. I've been
>> using the BlockSSHd script to block and send me notices by watching
>> auth.log. Problem was that during heavy attacks my INBOX would get
>> flooded. And the reaction time was a bit slow.
>>
>> A couple of meetings ago Steven Kreuzer suggested I use PF's
>> max-src-conn method. Works like a charm.
> Glad I can help. I will send you the routing number for my Cayman Island
> offshore holding subsidiary
> and you can just deposit my consulting fee into that
>
>> I also use the pam_af plugin. It never gets a chance to block anything,
>> but provides useful info on when and where a login was coming from.
>>
> Out of curiosity, would you be able to take the IPs you are blocking and
> try and figure out
> the country most of these connections are coming from?
>
> If you don't ever expect to get connections from China and Korea, you
> can load the following
> into pf and pretend like they don't even exist.
>
> http://www.openbsd.org/spamd/chinacidr.txt.gz
> http://www.openbsd.org/spamd/koreacidr.txt.gz
Just found an interesting resource:
http://www.DShield.org/port.html?port=22
The Targets/Day graph for September corresponds to what I've been
experiencing. Any idea how they collect the data?
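As an added example (not something posted in the thread), here is a pf.conf fragment that implements the max-src-conn approach Steven suggested for SSH; the interface name em0, the table name and the limit values are assumptions:

```pf
# Added example pf.conf fragment: rate-limit SSH per source address and
# automatically block sources that exceed the limits.
ext_if = "em0"            # assumption: external interface name

# Table of offenders; "persist" keeps it across rule reloads.
table <bruteforce> persist

# Drop anything already in the table, on every port, before the pass rules.
block in quick on $ext_if from <bruteforce>

# Allow SSH, but track each source address:
#  max-src-conn 10        -> at most 10 concurrent connections per source
#  max-src-conn-rate 5/30 -> at most 5 new connections per 30 seconds per source
#  overload <bruteforce>  -> exceeding either limit adds the source to the table
#  flush global           -> and tears down all of its existing states
pass in quick on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

Entries can be aged out from cron with `pfctl -t bruteforce -T expire 86400`, and `pfctl -t bruteforce -T show` lists the sources currently blocked, which is also the list to feed a per-country lookup.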