SSH brute force attack? - Networking



  1. SSH brute force attack?

    I'm getting this in my logs. No other explanation.

    SSH_brute_force IN=bond0 OUT=
    MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
    DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
    SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0

  2. Re: SSH brute force attack?

    On Sat, 29 Dec 2007 19:03:44 -0000, CptDondo wrote:
    > I'm getting this in my logs. No other explanation.
    >
    > SSH_brute_force IN=bond0 OUT=
    > MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
    > DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
    > SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0


    My WAG: some script has decided that IP address 213.220.192.239
    (r3a239.net.upc.cz) has hit your SSH port 22 enough times in X amount
    of time, which might indicate it is trying to guess the password for an
    account on the 192.168.128.6 node.
    Hence the brute_force name.
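    The heuristic described above (same source hitting port 22 too many times in a window), as an added example that is not code from any poster or from the firewall that produced the log. It assumes the "SSH_brute_force" prefix was attached by an iptables LOG rule and that syslog put the usual "Mon DD HH:MM:SS host kernel:" header in front of it; the sample lines are constructed around the line from the thread. One detail worth noticing in the original line: its flag word is ACK, not SYN, so that particular packet belongs to an already established stream rather than a fresh connection attempt, which is why the detector below counts only SYN-without-ACK packets.

```python
"""Per-source new-connection threshold over syslog'd netfilter LOG lines.
Added example for this thread; the log prefix, syslog header and sample
addresses (203.0.113.0/24 documentation range) are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_netfilter_line(line, year=2007):
    """Split one netfilter LOG line into a dict; None if the line is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec, prefix, flags, seen_kv = {}, [], set(), False
    for tok in m.group("rest").split():
        if "=" in tok:                   # KEY=VALUE field (OUT= carries an empty value)
            key, _, val = tok.partition("=")
            rec[key] = val
            seen_kv = True
        elif not seen_kv:                # words before the first field are the --log-prefix
            prefix.append(tok)
        elif tok in TCP_FLAGS:           # bare TCP flag words printed after RES=
            flags.add(tok)
    if "SRC" not in rec or "PROTO" not in rec:
        return None
    rec["prefix"], rec["flags"] = " ".join(prefix), flags
    rec["ts"] = datetime.strptime(
        f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}", "%Y %b %d %H:%M:%S")
    return rec


def is_new_connection(rec):
    """Only SYN without ACK opens a TCP connection; an ACK-only packet is mid-stream."""
    return rec["PROTO"] == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]


class SynRateDetector:
    """Flag a SRC that opens more than `limit` connections to `port` within `window` s."""

    def __init__(self, limit=5, window=60, port="22"):
        self.limit, self.window, self.port = limit, window, port
        self.hits = defaultdict(deque)   # SRC -> timestamps of its recent SYNs

    def feed(self, rec):
        """Return the SRC on the packet that crosses the threshold, else None."""
        if rec.get("DPT") != self.port or not is_new_connection(rec):
            return None
        q = self.hits[rec["SRC"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > self.window:
            q.popleft()                  # slide the window forward
        return rec["SRC"] if len(q) > self.limit else None


def scan(lines, **kw):
    """Run the detector over log lines; return (sorted flagged SRCs, lines ignored)."""
    det, flagged, ignored = SynRateDetector(**kw), set(), 0
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None or not is_new_connection(rec):
            ignored += 1                 # non-LOG lines and established-stream packets
            continue
        src = det.feed(rec)
        if src:
            flagged.add(src)
    return sorted(flagged), ignored


# Constructed sample: the thread's line under a syslog header, six SYNs in six
# seconds from one address, one lone SYN, and one unrelated kernel message.
_MAC = "MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00"


def _syn(ts, src, spt):
    return (f"Dec 29 {ts} gw kernel: SSH_brute_force IN=bond0 OUT= {_MAC} SRC={src} "
            f"DST=192.168.128.6 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP "
            f"SPT={spt} DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0")


THREAD_LINE = ("Dec 29 19:03:44 gw kernel: SSH_brute_force IN=bond0 OUT= " + _MAC +
               " SRC=213.220.192.239 DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 "
               "ID=0 DF PROTO=TCP SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0")

SAMPLE_LOG = [THREAD_LINE] + [
    _syn(f"19:05:0{i}", "203.0.113.7", 40000 + i) for i in range(1, 7)
] + [_syn("19:05:30", "203.0.113.9", 51000),
     "Dec 29 19:07:00 gw kernel: bond0: link status definitely up"]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))              # (['203.0.113.7'], 2)
```

    Run over the sample, only 203.0.113.7 crosses the default threshold of five new connections per minute; the thread's own ACK packet and the unrelated kernel line are counted as ignored. Whether a rule that logs every packet (including ACKs on established sessions) is what the original firewall does cannot be told from the single line posted.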


  3. Re: SSH brute force attack?

    CptDondo wrote:

    > I'm getting this in my logs. No other explanation.
    >
    > SSH_brute_force IN=bond0 OUT=
    > MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
    > DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
    > SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0


    From the results of a 'whois' command:

    remarks: **********************************************
    remarks: * In case of hack attacks, scans etc. please *
    remarks: * send abuse notifications to: *
    remarks: * abuse@mistral.cz *
    remarks: **********************************************

    --
    Garry Knight
    garryknight@gmx.net


  4. Re: SSH brute force attack?

    CptDondo wrote:
    > I'm getting this in my logs. No other explanation.
    >
    > SSH_brute_force IN=bond0 OUT=
    > MAC=00:1d:60:0b:ce:61:00:90:4b:c9:ac:f6:08:00 SRC=213.220.192.239
    > DST=192.168.128.6 LEN=52 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=TCP
    > SPT=36939 DPT=22 WINDOW=8184 RES=0x00 ACK URGP=0



    May I recommend installing "denyhosts"? It will keep an eye on, for
    example, SSH brute force attacks, and add those IPs to a blacklist
    (hosts.deny) after, for example, 5 failed login attempts.

    If Ubuntu Linux, it's as simple as "apt-get install denyhosts"; it comes
    preconfigured for SSH brute force.

    - Henrik
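    What denyhosts does in outline, written here as an added example rather than denyhosts' own code: count sshd "Failed password" lines per source address and emit hosts.deny entries once a source reaches the threshold. The auth log lines, the threshold and the local whitelist (so a mistyped LAN password cannot lock the admin out) are constructed assumptions for this example; denyhosts keeps its own allowed-hosts file and configuration.

```python
"""Denyhosts-style blacklisting from sshd authentication failures.
Added example, not denyhosts' code; the sample auth log is constructed."""
import ipaddress
import re
from collections import Counter

# e.g. "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 41111 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def count_failures(lines):
    """Failed logins per source address; accepted logins and other noise are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_deny_entries(counts, threshold=5, whitelist=("127.0.0.0/8", "192.168.128.0/24")):
    """hosts.deny lines ("sshd: <ip>") for sources with >= threshold failures, worst first.
    The whitelist is an assumption of this example, not a denyhosts default."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    entries = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n < threshold or any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        entries.append(f"sshd: {ip}")
    return entries


# Constructed sample auth log: one attacker cycling usernames, one two-try source,
# one LAN host with seven typos, and one successful login that must not count.
SAMPLE_AUTH_LOG = [
    f"Dec 29 19:0{i}:10 host sshd[{1000 + i}]: Failed password for invalid user {u} "
    f"from 203.0.113.7 port {41000 + i} ssh2"
    for i, u in enumerate(["admin", "test", "oracle", "guest", "www", "backup"])
] + [
    "Dec 29 19:10:00 host sshd[2001]: Failed password for root from 198.51.100.4 port 5001 ssh2",
    "Dec 29 19:10:05 host sshd[2002]: Failed password for root from 198.51.100.4 port 5002 ssh2",
    "Dec 29 19:11:00 host sshd[2003]: Accepted publickey for cptdondo from 192.168.128.20 port 6000 ssh2",
] + [
    f"Dec 29 19:1{i}:30 host sshd[{3000 + i}]: Failed password for cptdondo "
    f"from 192.168.128.20 port {6000 + i} ssh2"
    for i in range(7)
]

if __name__ == "__main__":
    for entry in hosts_deny_entries(count_failures(SAMPLE_AUTH_LOG)):
        print(entry)                     # sshd: 203.0.113.7
```

    On the sample only 203.0.113.7 is written out: 198.51.100.4 stays under the threshold and the LAN host, despite seven failures, is whitelisted. One caveat before relying on hosts.deny at all: OpenSSH removed its built-in tcp_wrappers (libwrap) support in release 6.7, so on a current system sshd only honours hosts.deny if the distribution's build still links libwrap; otherwise the same counting has to feed a firewall rule instead.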
