SSH brute force password guessing AKA SShellPhishing: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

So there are things like fail2ban, bruteforceblocker, denyhosts, sshdfilter, pam_abi...

We continue to see ssh brute force password guessing attempts. Occasionally we see large increases. We have seen the attacks switch from one host attempting lots of passwords to lots of hosts that appear to share a dictionary attempting a few password username combinations (coordinated and distributed).
That was the direct result of limiting the number of times an IP could attempt to log in
(fail2ban, bruteforceblocker, denyhosts, sshdfilter, pam_abi, ...).
So the cyberwar arms race continues with the bad guys developing tools and methods to get around common mitigation methods.

InfoSec Handlers Diary Blog - SSH brute force password guessing AKA SShellPhishing
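The quoted diary makes a detection point worth seeing in code: per-IP attempt limits (what fail2ban, denyhosts and similar tools enforce) only catch a single noisy host, while a distributed campaign that spreads a few guesses per source across many hosts stays under every per-IP threshold. The script below is an added example, not code from the ISC diary or from any of the tools it names. It parses constructed OpenSSH "Failed password" syslog lines, shows which sources a per-IP threshold would catch, then groups failures by target username across distinct source IPs to surface the coordinated pattern the per-IP rule misses. It also includes the cross-check step from the later quote (comparing observed source IPs against a blacklist), using a small constructed blacklist in place of the real one mentioned there. All IP addresses, hostnames, timestamps and thresholds are made-up sample values.

```python
"""Detect distributed SSH password guessing that per-IP rate limits miss.

Added illustrative example; log lines, IPs and the blacklist are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog excerpt: one noisy host hammering "root" (caught by a
# per-IP limit) and a handful of hosts each trying "admin" once or twice
# (each host stays under the per-IP limit, together they form a campaign).
LOG = """\
Mar 14 10:00:01 bastion sshd[4101]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar 14 10:00:03 bastion sshd[4101]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar 14 10:00:05 bastion sshd[4101]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar 14 10:00:08 bastion sshd[4104]: Failed password for root from 203.0.113.9 port 50130 ssh2
Mar 14 10:00:10 bastion sshd[4104]: Failed password for root from 203.0.113.9 port 50130 ssh2
Mar 14 10:00:12 bastion sshd[4104]: Failed password for root from 203.0.113.9 port 50130 ssh2
Mar 14 10:01:10 bastion sshd[4120]: Failed password for invalid user admin from 198.51.100.11 port 41000 ssh2
Mar 14 10:01:45 bastion sshd[4121]: Failed password for invalid user admin from 198.51.100.12 port 41002 ssh2
Mar 14 10:02:20 bastion sshd[4122]: Failed password for invalid user admin from 198.51.100.13 port 41004 ssh2
Mar 14 10:03:05 bastion sshd[4123]: Failed password for invalid user admin from 198.51.100.14 port 41006 ssh2
Mar 14 10:03:50 bastion sshd[4124]: Failed password for invalid user admin from 198.51.100.15 port 41008 ssh2
Mar 14 10:04:30 bastion sshd[4125]: Failed password for invalid user admin from 198.51.100.11 port 41010 ssh2
Mar 14 10:05:00 bastion sshd[4130]: Accepted publickey for alice from 192.0.2.7 port 51000 ssh2
"""

# Constructed blacklist standing in for an externally maintained list.
CONSTRUCTED_BLACKLIST = {"203.0.113.9", "198.51.100.12", "198.51.100.99"}

# Matches the standard OpenSSH failure line (syslog timestamp has no year).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(lines):
    """Return (timestamp, username, source_ip) for each failed-password line."""
    out = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        out.append((ts, m.group("user"), m.group("ip")))
    return out


def per_ip_offenders(failures, threshold=5):
    """What a per-IP blocker sees: sources with at least `threshold` failures."""
    counts = defaultdict(int)
    for _, _, ip in failures:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_guessing(failures, window_s=600, min_ips=5):
    """Usernames targeted from at least `min_ips` distinct sources within
    `window_s` seconds, regardless of how few attempts each source made."""
    by_user = defaultdict(list)
    for ts, user, ip in failures:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        best = set()
        # For each event, count distinct IPs in the trailing window ending there.
        for i, (end_ts, _) in enumerate(events):
            ips = {ip for ts, ip in events[: i + 1]
                   if (end_ts - ts).total_seconds() <= window_s}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_ips:
            flagged[user] = sorted(best)
    return flagged


def cross_check(ips, blacklist):
    """Which observed source IPs already appear in an external blacklist."""
    return sorted(set(ips) & set(blacklist))


if __name__ == "__main__":
    failures = parse_failures(LOG.splitlines())
    print("per-IP threshold catches:", per_ip_offenders(failures))
    print("distributed campaign per username:", distributed_guessing(failures))
    print("already blacklisted:",
          cross_check([ip for _, _, ip in failures], CONSTRUCTED_BLACKLIST))
```

With the sample data the per-IP rule flags only 203.0.113.9, while the username grouping flags "admin" with five distinct sources inside the window; the five 198.51.100.x hosts never exceed two attempts each, which is exactly the evasion the diary describes.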

Apparently there is a tool called SShellPhishing that can enforce blacklist-based restrictions.

I recently wanted to validate some SShellPhishing reports I received.
One of the validation steps I used was to check those reported IP addresses against this SShellPhishing blacklist run by Daniel Gerzo. It has nearly 3k entries.

InfoSec Handlers Diary Blog - SSH brute force password guessing AKA SShellPhishing

This could work! (So says SANS.)

I am now willing to say that I believe Daniel’s list has a very low false positive rate. I saw no false positives so the percentage has to be near 0%. If anyone else has the time and wishes to validate portions of his list I would appreciate any feedback.

InfoSec Handlers Diary Blog - SSH brute force password guessing AKA SShellPhishing
