Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 15:51 UTC (Wed) by AJWM (guest, #15888)
In reply to: Brute-Force SSH Server Attacks Surge (InformationWeek) by kssingvo
Parent article: Brute-Force SSH Server Attacks Surge (InformationWeek)

That's a good idea, although I wonder if perhaps determined attackers aren't already using
botnets for this kind of thing to spread the attack-source IPs around.

(Fail2ban blocks the IP of repeated failed-password attempts.  The question is whether an
attacker would run out of IPs before running out of passwords to try - yet another argument
for strong passwords.)

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 16:20 UTC (Wed) by ssam (subscriber, #46587)

4 billion IP addresses; the biggest botnets are of the order of 1 million machines. The
default on denyhosts is something like 10 fails per IP address.

There are 26^5 = 11 million 5-character lowercase passwords.

There are 26^7 = 8 billion 7-character lowercase passwords.

Ubuntu does not install an SSH server by default. Which consumer distros do?

Ubuntu also, by default, does not have a root user, so if you want to brute force you have to
guess a username as well.

Crazy idea:
What if, once in 10 times, when an SSH login failed, the SSH server pretended that it had
succeeded and gave a pretend shell that did nothing? Would that confuse the crackers?

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 16:37 UTC (Wed) by pr1268 (subscriber, #24648)

What if, once in 10 times, when an SSH login failed, the SSH server pretended that it had succeeded and gave a pretend shell that did nothing? Would that confuse the crackers?

What you describe sounds like a variation of a honeypot. Interesting concept, IMO, but I'm certain that whatever functionality was incorporated in this "pretend" shell would necessarily be a small subset of what a real shell could contain.

Taking your idea further, how about a completely "functional" pretend shell whose programs and commands are all faked as well.... Sounds like a lot of work just to snoop on the bad guys, but a peculiarly interesting idea nevertheless...

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 18:28 UTC (Wed) by smoogen (subscriber, #97)

Yes, they have been doing this for a while. The latest set of attacks is using it more. I
have seen attacks where machine A goes for accounts "foo, foo1, foo2", then machine B does
"foo3, foo4, foo5", then machine C goes for "foo6, goo, goo1", and machine A tries again
(well, it's a lot bigger than that, but just logging in once and coming back an hour later is
enough to get past most public SSH servers' fail2ban systems). Add to that that a lot of users
think Q1w2e3r4 is a good password, and they are sure to get some account on a university or big
ISP sometime.
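
The two threads of reasoning above, ssam's guess-budget arithmetic (botnet size times the per-IP
threshold against the 26^5 and 26^7 keyspaces) and smoogen's observation that a botnet rotating
usernames across source IPs never trips a per-IP ban, can be checked with a small script. The
following is an added example, not code from the article or from any of the commenters. The log
lines are constructed in the standard sshd syslog format, the threshold values (maxretry=10,
findtime=600 seconds) are assumptions modelled on the "10 fails per IP" figure in the thread, and
the sustained-rate model (each bot stays one failure under the threshold per window and is never
banned) is a simplification of how fail2ban-style findtime windows behave.

```python
"""Distributed SSH brute force: per-IP banning versus host-wide counting."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from any real host): four source IPs, three failures each,
# walking a shared username list against one server, plus one late retry and one
# legitimate key login that must be ignored.
SAMPLE_LOG = """\
May 14 16:01:02 host sshd[1201]: Failed password for invalid user foo from 192.0.2.10 port 40001 ssh2
May 14 16:01:05 host sshd[1202]: Failed password for invalid user foo1 from 192.0.2.10 port 40002 ssh2
May 14 16:01:09 host sshd[1203]: Failed password for invalid user foo2 from 192.0.2.10 port 40003 ssh2
May 14 16:02:11 host sshd[1210]: Failed password for invalid user foo3 from 198.51.100.7 port 51000 ssh2
May 14 16:02:14 host sshd[1211]: Failed password for invalid user foo4 from 198.51.100.7 port 51001 ssh2
May 14 16:02:18 host sshd[1212]: Failed password for invalid user foo5 from 198.51.100.7 port 51002 ssh2
May 14 16:03:20 host sshd[1220]: Failed password for invalid user foo6 from 203.0.113.42 port 60000 ssh2
May 14 16:03:23 host sshd[1221]: Failed password for invalid user goo from 203.0.113.42 port 60001 ssh2
May 14 16:03:27 host sshd[1222]: Failed password for invalid user goo1 from 203.0.113.42 port 60002 ssh2
May 14 16:04:30 host sshd[1230]: Failed password for invalid user goo2 from 192.0.2.77 port 42000 ssh2
May 14 16:04:33 host sshd[1231]: Failed password for invalid user admin from 192.0.2.77 port 42001 ssh2
May 14 16:04:37 host sshd[1232]: Failed password for invalid user test from 192.0.2.77 port 42002 ssh2
May 14 17:05:30 host sshd[1300]: Failed password for root from 192.0.2.10 port 40010 ssh2
May 14 17:05:33 host sshd[1301]: Accepted publickey for alice from 192.0.2.99 port 40500 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Failed password for root from IP".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text):
    """Return [(time, user, ip), ...] for every failed-password line; other lines are skipped.
    Syslog timestamps carry no year, so times are only comparable within one log."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("ip")))
    return out


def per_ip_bans(failures, maxretry=10, findtime=600):
    """Emulate a fail2ban/denyhosts-style rule: an IP is banned once it produces
    `maxretry` failures inside any `findtime`-second span (defaults are assumptions)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned


def peak_failures(failures, findtime=600):
    """Host-wide view: the busiest findtime-second span across ALL source IPs, returned as
    (failure count, distinct source IPs, distinct usernames tried). A high count with many
    IPs and many usernames is the distributed pattern a per-IP rule cannot see."""
    events = sorted(failures)  # tuples sort by timestamp first
    best = (0, 0, 0)
    j = 0
    for i in range(len(events)):
        while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= findtime:
            j += 1
        span = events[i:j]
        stats = (len(span), len({ip for _, _, ip in span}), len({u for _, u, _ in span}))
        if stats[0] > best[0]:
            best = stats
    return best


def keyspace(alphabet_size, length):
    """Number of passwords of exactly `length` characters over the alphabet (26**5, 26**7)."""
    return alphabet_size ** length


def guesses_before_bans(bot_count, maxretry):
    """One-shot budget: every bot fires until banned and never comes back."""
    return bot_count * maxretry


def sustained_guesses_per_day(bot_count, maxretry, findtime):
    """'Come back later' budget: each bot stays at maxretry-1 failures per findtime window,
    so it is never banned. Assumes a simple sliding window and full-day operation."""
    return bot_count * (maxretry - 1) * (86400 // findtime)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("per-IP bans at maxretry=10:", per_ip_bans(fails) or "none")
    print("busiest 600 s span, all IPs (count, ips, users):", peak_failures(fails))
    for n in (5, 7):
        print(f"lowercase length {n}: {keyspace(26, n):,} passwords")
    print(f"1M bots, one shot at maxretry=10: {guesses_before_bans(10**6, 10):,} guesses")
    print(f"1M bots, staying under threshold: {sustained_guesses_per_day(10**6, 10, 600):,} guesses/day")
```

On the sample log the per-IP rule bans nobody (no source exceeds four failures), while the
host-wide count shows twelve failures from four IPs against twelve different usernames inside one
findtime window, which is the signature worth alerting on. The budget functions make ssam's point
concrete: a million bots that each burn their ten attempts reach about 10 million guesses, most of
the 5-character lowercase space but a fraction of a percent of the 7-character one; bots that stay
one failure under the threshold and return each window sustain over a billion guesses a day against
a host, which is the behaviour smoogen describes and the reason per-IP blocking alone is not a
substitute for strong passwords or key-only authentication.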

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds