Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Dealing With Unwanted SSH Bruteforcing

Published: 2010-01-01
Last Updated: 2010-01-01 15:19:47 UTC
by G. N. White (Version: 1)
12 comment(s)

A common question I get from individuals who use Internet-accessible SSH
to manage their network devices concerns how do deal with all the unwanted
Bruteforcing activity that is usually attracted.

While changing the default SSH listening port number and/or implementing a
Source-IP based Access Control List would seem like common sense solutions,
there are still situations where it is either not possible to move the SSH
listening port or not practical to implement an Access Control List if the
application involves providing access from dynamic Internet address space.

I recently became aware of an interesting initiative at http://www.sshbl.org
where a collection of SSH Bruteforcing attempts by source IP is being maintained.

The next step (of course) was to solicit logs from a few colleagues who monitor
and deal with this nefarious activity, and it was quite amazing to see a significant
amount of overlap with the sshbl.org statistics.

A final step of experimenting with an Access Control List to block SSH activity from
the sshbl.org SSH bruteforce IP list is still in the works, but will nevertheless be
an interesting exercise.

Do you have a favourite source of statistics regarding SSH Bruteforcing activity?
If there's enough interest, I'll post a summary at the end of my shift.

Best wishes for 2010 to all our readers!

G.N. White
Handler on Duty
 

Keywords: SSH bruteforce
12 comment(s)
Diary Archives