Lars Noodén wrote:
I suppose another option is to use pf to filter out all incoming traffic
to the servers originating from Windows computers maybe except to
relevant services like http port or https. If we could see a blanket
ban on connecting Windows machines to the net, things would improve
On 2008/01/11 12:18, Claer wrote:
> Sorry for not being that clear. I was talking about auto mailing whois
> address block abuse contacts.
maybe you could get it to auto-mail *you* with the details to make
it easier to send that onwards, but don't auto-mail whois contacts.
you're asking people to
On 2008/01/11 11:07, Jason McIntyre wrote:
> On Fri, Jan 11, 2008 at 10:51:41AM +, Stuart Henderson wrote:
> > On 2008/01/11 12:33, Lars Noodén wrote:
> > >
> > > I suppose another option is to use pf to filter out all incoming traffic
> > > to the servers originating from Windows computers
>
On Fri, Jan 11, 2008 at 11:07:49AM +0001, Jason McIntyre wrote:
| > an inclusive match is usually better e.g.
| > pass proto tcp from any os "OpenBSD" to port ssh
|
| that could be less useful if you have ipv6 connections in, no? since
| pf.os(5) claims only to be able to fingerprint hosts "that o
Niskanen <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: : SSH Brute Force Attacks Abound - and thanks!
Date: Fri, 11 Jan 2008 11:12:00 +0100
Mailer: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
On Fri, Jan 11, 2008 at 09:28:57AM +, Khalid Schofield wrote:
> put this in pf.conf
>
Peter N. M. Hansteen wrote:
> Claer <[EMAIL PROTECTED]> writes:
>
>> I always hesitate to use this trick. Could you please develop more the
>> implications of this method? Is it still effective?
>
> Yes, it's still effective. You need to put in whatever values you
> feel are appropriate for your
On Fri, Jan 11 2008 at 47:11, Peter N. M. Hansteen wrote:
> Claer <[EMAIL PROTECTED]> writes:
>
> > I always hesitate to use this trick. Could you please develop more the
> > implications of this method? Is it still effective?
> Yes, it's still effective. You need to put in whatever values you
>
On Fri, Jan 11, 2008 at 10:51:41AM +, Stuart Henderson wrote:
> On 2008/01/11 12:33, Lars Noodén wrote:
> >
> > I suppose another option is to use pf to filter out all incoming traffic
> > to the servers originating from Windows computers
>
> you can take a look for yourself with tcpdump -O,
http://home.nuug.no/~peter/pf/en/long-firewall.html#BRUTEFORCE
Best
Martin
On 2008/01/11 12:33, Lars Noodén wrote:
>
> I suppose another option is to use pf to filter out all incoming traffic
> to the servers originating from Windows computers
you can take a look for yourself with tcpdump -O, but I think you'll
find the ssh scans are more likely to be from some variety
Claer <[EMAIL PROTECTED]> writes:
> I always hesitate to use this trick. Could you please develop more the
> implications of this method? Is it still effective?
Yes, it's still effective. You need to put in whatever values you
feel are appropriate for your network and users. In Lars' example,
Claer wrote:
> On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote:
...
>> Regarding the logs, one thing that worked in the past was giving the
>> netblock owner a hard time. It's their responsibility. It's not too
>> hard to make up a shellscript (or use another scripting language) which
>> automate
On Fri, Jan 11, 2008 at 09:28:57AM +, Khalid Schofield wrote:
> put this in pf.conf
>
Is not this missing from the recipe:?
block quick from
> pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
> flags S/SA keep state \
> (max-src-conn-rate 3/30, overload flush
On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote:
> Kennith Mann III wrote:
> > ...
> > While moving the SSH port doesn't help much against anyone running an
> > nmap scan, it stops blind port 22 scans that run generic password
> > hacks and filling your logs with crap,
>
> Overloads help a bit:
>
put this in pf.conf
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
flags S/SA keep state \
(max-src-conn-rate 3/30, overload flush
global)
:)
enjoy
On 10 Jan 2008, at 21:53, Ken wrote:
A practical example, real life, last night.
I was replacing my hard d
damn you seconds ahead of my reply with the same info :)
On 11 Jan 2008, at 09:24, Lars Noodén wrote:
Kennith Mann III wrote:
...
While moving the SSH port doesn't help much against anyone running an
nmap scan, it stops blind port 22 scans that run generic password
hacks and filling your logs
Kennith Mann III wrote:
> ...
> While moving the SSH port doesn't help much against anyone running an
> nmap scan, it stops blind port 22 scans that run generic password
> hacks and filling your logs with crap,
Overloads help a bit:
pass in on $ext_if proto tcp to ($ext_if) port ssh
On 1/10/08, Ken <[EMAIL PROTECTED]> wrote:
> I never see anything like that, since my pf rules only allow me to ssh back
> to home from my work IP range.
>
> In the space of about 15 minutes before I enabled pf all of the following
> users were tried, probably
> by an automated script:
It appe
Wow, I read your email and checked my authlog and was
astounded by the number of hack attempts. Thankfully, I
configured my OpenBSD firewall with recommended access
controls. Thanks to all the dedicated OpenBSD
developers and community! Support the project and
encourage the purchase of more OpenBSD
A practical example, real life, last night.
I was replacing my hard drive on my home broadband OBSD firewall, and it was
taking a few minutes
to copy over the old pf.conf and enable the firewall. I had installed the
latest snapshot as a
fresh image and restarted. It took a little while to set
On 8/13/07 5:25 AM, Stuart Henderson wrote:
> On 2007/08/13 13:51, [EMAIL PROTECTED]@mgedv.net wrote:
>> why don't you just switch your ssh port to a different one.
>
> In my case, because it annoys me, and max-src-conn-rate doesn't.
I concur, and wo
On 2007/08/13 13:51, [EMAIL PROTECTED]@mgedv.net wrote:
>
> why don't you just switch your ssh port to a different one.
In my case, because it annoys me, and max-src-conn-rate doesn't.
* Joachim Schipper <[EMAIL PROTECTED]> [2007-08-13 12:25]:
> > connection multiplexing can be useful for this sort of thing.
> Yes, it would be, but I never got it to work reliably (Subversion likes
> to close connections before opening the next one, etc). Did you? If so,
> could you share the scri
- Original Message -
From: "Stuart Henderson" <[EMAIL PROTECTED]>
To: "OpenBSD"
Sent: Monday, August 13, 2007 1:30 PM
Subject: Re: [misc] SSH brute force attacks no longer being caught by PF
rule
On 2007/08/13 12:14, Joachim Schipper wrote:
>
> Th
On 2007/08/13 12:14, Joachim Schipper wrote:
> >
> > This still needs a 3-way handshake to be completed, it's not so
> > easy to blindly spoof. Main problem is if the attacker comes from
> > the same IP address as a legitimate user (NAT etc).
>
> Yes, that is one of the main problems. The other i
Joachim Schipper wrote:
Finally, Subversion over SSH uses lots of connections, should you ever
want to use that.
connection multiplexing can be useful for this sort of thing.
Yes, it would be, but I never got it to work reliably (Subversion likes
to close connections before opening the next o
On Mon, Aug 13, 2007 at 10:10:14AM +0100, Stuart Henderson wrote:
> On 2007/08/09 12:22, Joachim Schipper wrote:
> > > >
> > > > # Define some variable for clarity
> > > > SSH_LIMIT="(max-src-conn-rate 3/30, overload flush global)"
> > > >
> > > > # Allow quick valid traffic to ssh but log all a
On 2007/08/09 12:22, Joachim Schipper wrote:
> > >
> > > # Define some variable for clarity
> > > SSH_LIMIT="(max-src-conn-rate 3/30, overload flush global)"
> > >
> > > # Allow quick valid traffic to ssh but log all attempts as well
> > > pass in log quick on $ext_if inet proto tcp from ! \
>
On Thu, Aug 09, 2007 at 10:29:19AM -0700, David Newman wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 8/9/07 10:24 AM, David Newman wrote:
> > On 8/9/07 3:22 AM, Joachim Schipper wrote:
> >
> >>> # Allow quick valid traffic to ssh but log all attempts as well
> >>> pass in log qu
On 8/9/07 10:24 AM, David Newman wrote:
> On 8/9/07 3:22 AM, Joachim Schipper wrote:
>
>>> # Allow quick valid traffic to ssh but log all attempts as well
>>> pass in log quick on $unpro inet proto tcp from ! \
>>>to $unpro port ssh $SSH_LIMIT
>>
On 8/9/07 3:22 AM, Joachim Schipper wrote:
>> # Allow quick valid traffic to ssh but log all attempts as well
>> pass in log quick on $unpro inet proto tcp from ! \
>>to $unpro port ssh $SSH_LIMIT
>
> Skip '! ' unless it's intended as documentat
2007/7/2, Steve B <[EMAIL PROTECTED]>:
> I'm the one who started this thread. If I can block them for an hour without
> a table that would be even better.. I was using the file to store the IP's
> as they were identified by the rule and had been planning to use the
> expiretable package to start c
On Wed, Aug 08, 2007 at 10:26:11AM -0700, David Newman wrote:
> On 6/27/07 10:39 PM, Daniel Ouellet wrote:
> > Put quickly as an example, but [to block SSH scans] you can try:
> >
> > # Define some variable for clarity
> > SSH_LIMIT="(max-src-conn-rate 3/30, overload flush global)"
> >
> > ## SS
Allie D. wrote:
I just had to reply with this info because I already had an attempted
brute force in the last hour. All you need to do is make your rule tighter
and add a connection rate ratio to start collecting IP's.
we use pf os fingerprinting to only allow ssh connections from openbsd
hos
Please, don't use grok for that! From what I saw it is
vulnerable to very simple log injection attacks (you
need much more string regexes):
http://www.ossec.net/en/attacking-loganalysis.html
Be very careful when parsing logs for automated
remediation...
Thanks,
--
Daniel B. Cid
dcid ( at ) oss
I just had to reply with this info because I already had an attempted
brute force in the last hour. All you need to do is make your rule tighter
and add a connection rate ratio to start collecting IP's.
( I use logsentry/logcheck)
Security Violations
=-=-=-=-=-=-=-=-=-=
Aug 8 11:48:16 traci sshd[
On 8/8/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
> Please, don't use grok for that! From what I saw it is
> vulnerable to very simple log injection attacks (you
> need much more string regexes):
>
> http://www.ossec.net/en/attacking-loganalysis.html
Ack.
Thanks for pointing that out. Some attacks
3 times in 30 seconds as a src connection rate is pretty conservative and
you don't have a connection rate trap. I run max-src-conn 5,
max-src-conn-rate 5/5 and nail every one. Of course you'll see the first
few attempts, but once they tickle that max-src-conn rule they get
shut down.
--
~Allie D.
Although this doesn't answer your actual pf question, you might try
using a tool called Grok (http://www.semicomplete.com/projects/grok/).
It's a pretty decent log watcher written in Perl, designed to do
exactly this sort of thing. You define matches and reactions in its
config file (match = "Illeg
On 6/27/07 10:39 PM, Daniel Ouellet wrote:
> Steve B wrote:
>> The rule I've had in my pf.conf file to catch and block forceful SSH
>> attempts no longer appears to be working. I see the entries in my
>> authlog,
>> but the IPs are no longer getting ad
"Steve B" <[EMAIL PROTECTED]> writes:
> I'm the one who started this thread. If I can block them for an hour without
> a table that would be even better.
Sure, you could have a frequently running cron job which does a
pfctl -t bruteforce -T expire 3600
(OpenBSD 4.1 onwards) or use expiretable.
On 6/28/07, Martin Schröder <[EMAIL PROTECTED]> wrote:
>
> 2007/6/28, J.D. Bronson <[EMAIL PROTECTED]>:
> > so if it won't write to a file...I presume it blocks
> > what's listed in /etc/tables/scanners permanently and then only
> > blocks NEW offenders via kernel memory?
> > (can someone clarify my
2007/6/28, J.D. Bronson <[EMAIL PROTECTED]>:
so if it won't write to a file...I presume it blocks
what's listed in /etc/tables/scanners permanently and then only
blocks NEW offenders via kernel memory?
(can someone clarify my understanding of that?
Do you really need a file? In my experience bloc
J.D. Bronson wrote:
Guys...I was not the one that started this thread..
I just chimed in and asked for a tweak on the setup.
Sorry for my mistake then. I should refrain from replying on lack of
sleep. (;>
I have what I need for now :)
Glad it helped you nevertheless.
Guys...I was not the one that started this thread..
I just chimed in and asked for a tweak on the setup.
I have what I need for now :)
-JD
At 11:54 AM 06/28/2007, Daniel Ouellet wrote:
J.D. Bronson wrote:
At 08:56 AM 06/28/2007, Stuart Henderson wrote:
On 2007/06/28 08:46, J.D. Bronson wrote
J.D. Bronson wrote:
At 08:56 AM 06/28/2007, Stuart Henderson wrote:
On 2007/06/28 08:46, J.D. Bronson wrote:
> Will NEW offenders be added to /etc/tables/scanners
> as they are discovered and therefore not just remain in kernel?
No, pf does not write to files.
How about cron(8) and pfctl(8) ins
On 2007/06/28 09:02, J.D. Bronson wrote:
> At 08:56 AM 06/28/2007, Stuart Henderson wrote:
>> On 2007/06/28 08:46, J.D. Bronson wrote:
>> > Will NEW offenders be added to /etc/tables/scanners
>> > as they are discovered and therefore not just remain in kernel?
>>
>> No, pf does not write to files.
On Thu, 28 Jun 2007 09:02:43 -0500
"J.D. Bronson" <[EMAIL PROTECTED]> wrote:
> At 08:56 AM 06/28/2007, Stuart Henderson wrote:
> >On 2007/06/28 08:46, J.D. Bronson wrote:
> > > Will NEW offenders be added to /etc/tables/scanners
> > > as they are discovered and therefore not just remain in kernel?
On Wed, Jun 27, 2007 at 09:54:04PM -0700, Steve B wrote:
> The rule I've had in my pf.conf file to catch and block forceful SSH
> attempts no longer appears to be working. I see the entries in my authlog,
> but the IPs are no longer getting added to my table. I suspect I screwed
> something up, bu
On 2007/06/28 08:46, J.D. Bronson wrote:
> Will NEW offenders be added to /etc/tables/scanners
> as they are discovered and therefore not just remain in kernel?
No, pf does not write to files.
How about cron(8) and pfctl(8) instead?
At 08:56 AM 06/28/2007, Stuart Henderson wrote:
On 2007/06/28 08:46, J.D. Bronson wrote:
> Will NEW offenders be added to /etc/tables/scanners
> as they are discovered and therefore not just remain in kernel?
No, pf does not write to files.
How about cron(8) and pfctl(8) instead?
so if it won't
ks :)
-JD
>Date: Thu, 28 Jun 2007 01:39:37 -0400
>From: Daniel Ouellet <[EMAIL PROTECTED]>
>User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
>To: OpenBSD
>Subject: Re: SSH brute force attacks no longer being caught by PF rule
>Sender: [EMAIL PROTECTED]
>
>Steve B
Steve B wrote:
The rule I've had in my pf.conf file to catch and block forceful SSH
attempts no longer appears to be working. I see the entries in my authlog,
but the IPs are no longer getting added to my table. I suspect I screwed
something up, but so far I am at a loss to see where. Could some
The rule I've had in my pf.conf file to catch and block forceful SSH
attempts no longer appears to be working. I see the entries in my authlog,
but the IPs are no longer getting added to my table. I suspect I screwed
something up, but so far I am at a loss to see where. Could someone pass
another
I'm the same way - I do not look forward to spending an afternoon
upgrading a box, and then manually hacking through the config files
checking for changes. After 30 minutes of this mind-numbing minutiae, I
usually start making mistakes which leads to more time consumed.
Anyway - most upgrades are n
Well,
for cizcoeee switches, configuring "DHCP snooping" and "Dynamic ARP
inspection" could help (in order to armor switch against arp poisoning
or dhcp impersonation, ie. to be better protected against sniffing on
switch).
P.
On 11/14/05, bofh <[EMAIL PROTECTED]> wrote:
> On 11/13/05, Joachim Sch
On 11/13/05, Joachim Schipper <[EMAIL PROTECTED]> wrote:
>
> This is an attack against TCP, not SSH. TCP is not encrypted (usually -
> IPSec or somesuch, with the proper settings, could make this impossible)
> - all that's required is some sequence numbers.
>
> And yes, a really good switch configu
On Sat, Nov 12, 2005 at 10:16:05AM -0500, Melameth, Daniel D. wrote:
> Joachim Schipper wrote:
> Perhaps I missed something in this thread, but what are you talking
> about? This is why you run SSH and not telnet--so that traffic sniffing
> doesn't reveal the contents of the packets. Also, qual
On Sat, Nov 12, 2005 at 12:04:38PM +0100, the unit calling itself Fabien
Germain wrote:
> On 11/11/05, J Moore <[EMAIL PROTECTED]> wrote:
> > > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep
> > > > state
> > > > (max-src-conn-rate 3/10, overload flush)
> > >
> > > which
Joachim Schipper wrote:
> > See pf.conf(5) about max-src-conn, and compare it with
> > max-src-states.
>
> That's true. Sorry, should have RTFMP.
>
> Regardless, while this makes the attack more difficult, the added
> difficulty doesn't amount to much. Hubs will allow sniffing easily,
> and swit
On 11/11/05, stan <[EMAIL PROTECTED]> wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> attacks on the password fo
On 11/11/05, J Moore <[EMAIL PROTECTED]> wrote:
> > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep
> > > state
> > > (max-src-conn-rate 3/10, overload flush)
> >
> > which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( )
> >
> Just out of curiosity, why haven't
On Sat, Nov 12, 2005 at 01:14:08AM +, Stuart Henderson wrote:
> On 2005/11/12 01:11:02, Joachim Schipper wrote:
> > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep
> > > state
> > > (max-src-conn-rate 3/10, overload flush)
> >
> > This sort of thing is really popular,
On Fri, 11 Nov 2005 16:44:46 -0500
stan <[EMAIL PROTECTED]> wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> at
On 2005/11/12 01:11:02, Joachim Schipper wrote:
> > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state
> > (max-src-conn-rate 3/10, overload flush)
>
> This sort of thing is really popular, but I don't see the point.
See pf.conf(5) about max-src-conn, and compare it with
hmm, on Fri, Nov 11, 2005 at 04:44:46PM -0500, stan said that
> Any suggestions as to how to deal with this? Change the port ssh is
> listening on maybe?
there was a huge thread about this recently...
look up the archives.
i am quite shocked that nobody sent you rudely to consult
the archives. ar
On Fri, 11 Nov 2005 23:29:52 +0100, Fabien Germain wrote:
>On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
>> then add a rule like this
>>
>> pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state
>> (max-src-conn-rate 3/10, overload flush)
>
>which only works with O
On Fri, Nov 11, 2005 at 04:15:28PM -0600, J.D. Bronson wrote:
> At 03:57 PM 11/11/2005, Joachim Schipper wrote:
> >On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> >> I've got a machine that seems to be getting attacked by what appears to be a
> >> simplistic "brute force" attack. it's getting hi
J Moore wrote:
On Fri, Nov 11, 2005 at 11:29:52PM +0100, the unit calling itself Fabien
Germain wrote:
On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
then add a rule like this
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state
(max-src-conn-rate 3/1
Patch sshd with http://www.linbsd.org/openssh-samepasswd.patch
Prevents most of the attacks and slows them down quite a bit.
-Ober
On Fri, 11 Nov 2005, stan wrote:
I've got a machine that seems to be getting attacked by what appears to be a
simplistic "brute force" attack. it's getting hit multiple
> > I've got a machine that seems to be getting attacked by what appears to be a
> > simplistic "brute force" attack. it's getting hit multiple times a second
> > with bogus root login attempts, my guess is that they are trying dictionary
> > attacks on the password for root.
> >
> > Any suggestions as
On Fri, Nov 11, 2005 at 04:15:28PM -0600, J.D. Bronson wrote:
> At 03:57 PM 11/11/2005, Joachim Schipper wrote:
> >On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> >> I've got a machine that seems to be getting attacked by what appears to be a
> >> simplistic "brute force" attack. it's getting hi
On Fri, 11 Nov 2005 16:44:46 -0500
stan <[EMAIL PROTECTED]> wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> at
--On 11 November 2005 23:29 +0100, Fabien Germain wrote:
which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( )
Upgrading is not as difficult as you think it will be.
On Fri, Nov 11, 2005 at 11:29:52PM +0100, the unit calling itself Fabien
Germain wrote:
> On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
> > then add a rule like this
> >
> > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state
> > (max-src-conn-rate 3/10, overload
stan wrote:
I've got a machine that seems to be getting attacked by what appears to be a
simplistic "brute force" attack. it's getting hit multiple times a second
with bogus root login attempts, my guess is that they are trying dictionary
attacks on the password for root.
Any suggestions as to how to de
On 11/11/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
> then add a rule like this
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state
> (max-src-conn-rate 3/10, overload flush)
which only works with OpenBSD >= 3.7 ( and my server is 3.5 :-( )
Fabien
At 03:57 PM 11/11/2005, Joachim Schipper wrote:
On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is
On 11/11/05, stan <[EMAIL PROTECTED]> wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> attacks on the password fo
On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> attacks on the pa
On Friday 11 November 2005 16:44, stan wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> attacks on the password f
On Fri 2005.11.11 at 16:44 -0500, stan wrote:
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> attacks on the password f
> I've got a machine that seems to be getting attacked by what appears to be a
> simplistic "brute force" attack. it's getting hit multiple times a second
> with bogus root login attempts, my guess is that they are trying dictionary
> attacks on the password for root.
>
> Any suggestions as to how to deal
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> stan
> Sent: Friday, November 11, 2005 4:45 PM
> To: OpenBSD general usage list
> Subject: ssh brute force attacks
>
>
> I've got a machine that seems to be getting atac
I've got a machine that seems to be getting attacked by what appears to be a
simplistic "brute force" attack. it's getting hit multiple times a second
with bogus root login attempts, my guess is that they are trying dictionary
attacks on the password for root.
Any suggestions as to how to deal with this?
86 matches