Max Zimmermann wrote:
> Michael Tautschnig wrote:
>
>> Hi all,
>>
>> for about two days I'm seeing an extremely high number of apparently
>> coordinated (well, at least they are trying the same list of usernames) brute
>> force attempts from IP addresses spread all over the world. I've got denyhosts
>> and an additional iptables based firewall solution in place to mitigate these
>> for quite some time already, and this seems to do the trick in terms of
>> blocking them fairly quickly.
>>
>> Nevertheless, I'd like to do something about it more proactively, so I also
>> contact the abuse mailboxes as obtained from whois. From time to time I even
>> see responses stating that countermeasures have been taken. In the current
>> case, however, there rather seems to be a need for some more coordinated action
>> instead of contacting the ISPs for each single IP -- this host might get
>> blocked/shut down, but there is little hope of a more thorough investigation,
>> trying to get closer to the root of these attacks.
>>
>> Well, probably I'm pretty naive in hoping that one could do anything about that
>> at all, but maybe some of you are more experienced in security issues/dealing
>> with CERTs, etc. and have some ideas what could be done.
>>
>> Further, what do you guys do about such attacks? Just sit back and hope they
>> don't get hold of any passwords? Any ideas are welcome...
>>
>> Thanks,
>> Michael
>
> Hey there,
>
> first of all, administering linux servers is what I do for living (yet).
> So this is just advice from my experience as a linux user (also on my
> servers) and ML reader, please feel free to correct me if I'm wrong. ;)
>
> I believe that most of those 'attacks' (bruteforce attempts) are
> (assuming that we're not talking about servers of banks or federal
> governments or something like that) rather random.
> They're scripts run against whole ranges of IP addresses and so far hit
> anyone I know running a server on the internet.
>
> I'm actually talking about that in a positive way. Meaning that most of
> those 'attacks', as I know them, are neither distributed, nor
> coordinated to one server.
>
> To cut a long story short, I don't think you get a lot from reporting
> the IPs. I suppose the systems running the bruteforces are often either
> located somewhere in the world where you can't really do them any harm,
> or are infected or compromised systems of people that don't know that
> their machines are running such 'attacks'.
>
> So I think reporting is pretty much the only thing you can do. You won't
> be able to press criminal charges against anyone I think.
>
> The problem with reporting the IPs is that it can become a very big
> task, as the number of IPs denyhosts blocks increases.
>
> Another piece of advice I can give is to change the SSH port. That minimized
> bruteforces to almost zero for me.
>
> So long.

Sorry about the confusion, what I meant is that administering linux servers is **NOT** what I do for living. ;)
--
Cheers,
Max
Linux-User #477672
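As an added example (not code from this thread, and not part of denyhosts), here is a small Python script that does the two things the exchange above touches on: it counts failed sshd password attempts per source IP, the same signal denyhosts blocks on, and it groups source IPs that walked an identical username list, which is the "coordinated" pattern Michael describes and the evidence that makes a CERT report worth more than a per-IP abuse mail. The log lines, hostname, usernames and IPs are constructed for the example (documentation address ranges); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the classic /var/log/auth.log sshd format.
# Not taken from the thread; IPs are from the documentation ranges.
SAMPLE_LOG = """\
Mar 12 03:14:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Mar 12 03:14:03 host sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 51023 ssh2
Mar 12 03:14:05 host sshd[2101]: Failed password for root from 192.0.2.10 port 51024 ssh2
Mar 12 03:14:06 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Mar 12 03:14:08 host sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 40101 ssh2
Mar 12 03:14:09 host sshd[2103]: Failed password for root from 198.51.100.7 port 40102 ssh2
Mar 12 03:15:00 host sshd[2110]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
Mar 12 03:15:30 host sshd[2120]: Accepted publickey for max from 192.0.2.200 port 50000 ssh2
Mar 12 03:16:00 host sshd[2130]: Failed password for max from 192.0.2.200 port 50001 ssh2
"""

# Matches both "Failed password for invalid user NAME from IP" and
# "Failed password for NAME from IP"; successful logins do not match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Return {ip: [user, user, ...]} of failed password attempts, in log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def noisy_sources(attempts, threshold=3):
    """IPs with at least `threshold` failures: the denyhosts-style blocking signal."""
    return sorted(ip for ip, users in attempts.items() if len(users) >= threshold)


def shared_username_lists(attempts, min_users=2):
    """Group source IPs that tried exactly the same username sequence.

    Several unrelated IPs walking an identical list points to one tool or
    campaign behind them. Returns {username_tuple: [ip, ...]} for sequences
    seen from more than one IP; single-user probes are ignored as too weak
    a signal.
    """
    by_sequence = defaultdict(list)
    for ip, users in attempts.items():
        if len(users) >= min_users:
            by_sequence[tuple(users)].append(ip)
    return {seq: sorted(ips) for seq, ips in by_sequence.items() if len(ips) > 1}


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print("block candidates:", noisy_sources(found))
    for seq, ips in shared_username_lists(found).items():
        print("same username list", seq, "from", ips)
```

Run against a real auth.log, the grouped output is what you would attach to a report: the common username list plus the full set of sources that used it, rather than one IP at a time. A single failure from a known user (the `max` line above) stays below the threshold and is not grouped, so ordinary typos do not show up as attacks.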