SSH Brute Forcing and Reporting It

TheDude05 (Limp Gawd) | Joined: Jan 27, 2005 | Messages: 393
I was skimming through my logs and found a host that was trying to brute force log into our SSH server at work. They never made it in successfully. I looked the IP up at whois.domaintools.com and found that it belongs to a company in my country (U.S.). "Mzima Networks Inc" to be exact...

Can I report this to their abuse address, and is it worth my time to do so? I'm going to blacklist the address, but I didn't know if this is something I could report as well.
 
Absolutely. Any hack attempts are to be taken seriously and are potentially criminal offenses. I had a kid in Quebec dropped by his ISP because he defaced my forum. I could have continued with his local PD, but decided that forcing him to read books or go outside for entertainment was punishment enough.

Send to abuse@ and CC to any technical/administrative contact as well as the domain host. Basically let everyone that has anything to do with this domain know that you know what is going on, and someone is about to get in deep shit for it if they keep it up. Be sure to post actual logs in the email, with timestamps and the full IP in question.
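As an added example (not code from the original posters), the following script does what the two posts above describe: it pulls the failed logins out of sshd's syslog output, groups them by source address, and drafts a report for abuse@ that carries the full IP, the time window, the usernames tried and the unmodified log lines. The log lines are constructed for illustration using RFC 5737 documentation addresses; the message format is OpenSSH's "Failed password for ..." entry as it appears in /var/log/auth.log or /var/log/secure.

```python
"""Summarise failed SSH logins per source address and draft an abuse report.

Added example for this thread, not code from the original posters. The log
lines below are constructed (RFC 5737 documentation addresses); the message
format is OpenSSH's "Failed password for ..." entry as written to
/var/log/auth.log or /var/log/secure by syslog.
"""
import re

# Constructed sample log. Syslog timestamps carry no year and no time zone,
# which is why the report below has to state both explicitly.
SAMPLE_LOG = """\
Jan 27 03:14:15 web1 sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 27 03:14:17 web1 sshd[4023]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Jan 27 03:14:19 web1 sshd[4025]: Failed password for root from 192.0.2.10 port 51251 ssh2
Jan 27 03:14:21 web1 sshd[4027]: Failed password for invalid user test from 192.0.2.10 port 51260 ssh2
Jan 27 03:14:23 web1 sshd[4029]: Failed password for root from 192.0.2.10 port 51271 ssh2
Jan 27 03:20:02 web1 sshd[4101]: Failed password for dave from 198.51.100.7 port 40022 ssh2
Jan 27 03:20:09 web1 sshd[4103]: Accepted publickey for dave from 198.51.100.7 port 40023 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def summarise_failures(log_text):
    """Group failed password attempts by source IP.

    Returns {ip: {"count", "first", "last", "users", "invalid_users", "lines"}}.
    Accepted logins, disconnects and other sshd messages are ignored.
    """
    stats = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        s = stats.setdefault(m["ip"], {
            "count": 0, "first": m["ts"], "last": m["ts"],
            "users": set(), "invalid_users": 0, "lines": [],
        })
        s["count"] += 1
        s["last"] = m["ts"]          # the file is chronological, so the latest match is newest
        s["users"].add(m["user"])
        if m["invalid"]:             # "invalid user" means the account does not exist here
            s["invalid_users"] += 1
        s["lines"].append(line)
    return stats


def brute_force_sources(stats, threshold=5):
    """IPs with at least `threshold` failures; a single mistyped password never qualifies."""
    return sorted(ip for ip, s in stats.items() if s["count"] >= threshold)


def abuse_report(ip, stats, year, tz="UTC"):
    """Plain-text body for abuse@: full IP, time window, usernames tried, raw log lines.

    Worded as a notification rather than an accusation, since the source is
    often itself a compromised host being used as a relay.
    """
    s = stats[ip]
    users = ", ".join(sorted(s["users"]))
    header = (
        f"Host {ip} attempted {s['count']} SSH password logins against our server "
        f"between {s['first']} and {s['last']} {year} ({tz}); {s['invalid_users']} were "
        f"for accounts that do not exist. Usernames tried: {users}. None succeeded.\n"
        "The host may be compromised and used as a relay; please investigate.\n\n"
        "Log excerpt (unmodified sshd lines):\n"
    )
    return header + "\n".join(s["lines"]) + "\n"


if __name__ == "__main__":
    stats = summarise_failures(SAMPLE_LOG)
    for ip in brute_force_sources(stats):
        print(abuse_report(ip, stats, year=2005))
```

The threshold keeps a legitimate user who fat-fingers a password out of the report, and the year and time zone are passed in explicitly because syslog's default timestamp format records neither; an abuse desk cannot correlate an event it cannot place in time.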
 
Before you go firing off accusatory emails, keep in mind that their server was most likely compromised, and someone's using them as a proxy. Word your email to reflect such, informing them of the problem, rather than accusing them.
 
I'll keep what you said in mind. I'm not really the argumentative type anyways. :p

Upon further investigation, that company appears to be a service provider/co-location company, so who knows who actually owns the actual IP address. No reverse DNS on it either.

Thanks for the quick replies
 
One of my colo providers uses Mzima as a primary gigabit connection:

[image: adtaq.png]
 
I have found that if you have a server up long enough, the brute force SSH attacks are endless. I administer many servers, mostly Linux and Apple OS X, and get brute force attacks every day. I would say most of the attacks come from already compromised computers, running automated scripts looking for more servers to attack. These scripts usually contain a dictionary of typical simple passwords and user account names. Here are some of the things you can do to minimize the risk:

Don't allow root direct SSH login access
Only allow certain users to log into SSH
Set the number of times an incorrect password can be given for a user account.
Try to make hard to guess passwords or pass phrases


Also, you may want to report any break-ins to your ISP; they may be able to help.


Hope this helps
 
Only allow authentication via public key encryption. That increases the brute force space to satisfactory levels.
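The hardening list two posts up (no direct root login, restrict who may log in, cap password attempts) and the key-only advice in the post just above are all sshd_config settings. As an added example that is not code from any of the posters, here is a weak configuration beside a hardened one and a small audit that checks a config against those points. Both configs are constructed; the parser follows OpenSSH's documented rules (case-insensitive keywords, '#' comments, first occurrence of a keyword wins, everything after the first Match block is conditional), and the defaults it assumes for missing keywords are those of current OpenSSH.

```python
"""Check an sshd_config for the brute-force hardening discussed in the thread.

Added example, not code from the original posters. The two configs are
constructed. Parsing follows OpenSSH's documented rules: keywords are
case-insensitive, '#' starts a comment, the first occurrence of a keyword
wins, and anything after the first Match block is conditional, so only the
global section is audited.
"""
import shlex

# Constructed: a permissive server that accepts password guesses for any account.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

# Constructed: the same server after applying the advice in the thread.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no   # older alias of the next keyword
KbdInteractiveAuthentication no      # PAM can still prompt for passwords unless this is off
AllowUsers dave alice
MaxAuthTries 3
LoginGraceTime 30
Match User backup
    PasswordAuthentication yes       # conditional; ignored by the global audit
"""


def parse_global(config_text):
    """Return {keyword_lower: [args]} for the global section; first occurrence wins."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line.split(None, 1)[0]:      # sshd also accepts "Keyword=value"
            line = line.replace("=", " ", 1)
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break                                # the rest applies only conditionally
        directives.setdefault(key, args)         # later duplicates are ignored, as sshd does
    return directives


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_global(config_text)

    def value(key, default):
        args = d.get(key) or [default]
        return args[0].lower()

    findings = []
    if value("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly; set no")
    if value("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: dictionary attacks stay viable; set no and use keys")
    # Password prompts can also arrive via keyboard-interactive (PAM), so that must be off too.
    kbd_default = value("challengeresponseauthentication", "yes")
    if value("kbdinteractiveauthentication", kbd_default) == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM password prompts remain enabled")
    if value("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication no: key-based login is disabled")
    if "allowusers" not in d and "allowgroups" not in d:
        findings.append("No AllowUsers/AllowGroups: every local account is a valid target")
    tries = int(value("maxauthtries", "6"))
    if tries > 3:
        findings.append(f"MaxAuthTries {tries}: allow fewer guesses per connection (3)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Two caveats worth keeping in mind: MaxAuthTries only limits guesses per connection, and the scripts described above simply reconnect, so it reduces noise rather than stopping the attack; and the PermitRootLogin default assumed here (prohibit-password) is the modern one, while older OpenSSH releases defaulted to yes, so set it explicitly rather than relying on the default.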
 