On 16 April 2010 09:39, David Xu <davi...@freebsd.org> wrote: > Jeremy Lea wrote: > >> Hi, >> >> This is off topic to this list, but I dont want to subscribe to -chat >> just to post there... Someone is currently running a distributed SSH >> attack against one of my boxes - one attempted login for root every >> minute or so for the last 48 hours. They wont get anywhere, since the >> box in question has no root password, and doesn't allow root logins via >> SSH anyway... >> >> But I was wondering if there were any security researchers out there >> that might be interested in the +-800 IPs I've collected from the >> botnet? The resolvable hostnames mostly appear to be in Eastern Europe >> and South America - I haven't spotted any that might be 'findable' to >> get the botnet software. >> >> I could switch out the machine for a honeypot in a VM or a jail, by >> moving the host to a new IP, and if you can think of a way of allowing >> the next login to succeed with any password, then you could try to see >> what they delivered... But I don't have a lot of time to help. >> >> Regards, >> -Jeremy >> >> > Try to change SSH port to something other than default port 22, > I always did this for my machines, e.g, change them to 13579 :-) > > Regards, > David Xu > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org" >
dont allow password auth, tcp wrap it, and acl it with pf. Probably more stuff you can do. Think onions _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
