[nsp-sec] DFN-CERT#42614 - Distributed SSH Probes

Tim Wilde twilde at cymru.com
Mon Apr 20 15:45:53 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Oberman wrote:
> I should note that John's script was written for old-fashioned brute
> force attacks and not the current "slow" attacks. It requires that the
> log contain at least 10 failures from a single source before it
> triggers. At the rate that the current probes are coming in, very few
> systems are likely to hit in that time.

Kevin,

Great point, thanks for pointing this out and for the included script.
Definitively identifying these slow guys without false positives is
definitely a bit of a chore, depending on one's environment!

Thanks,
Tim

- --
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ7NDxluRbRini9tgRArr2AJwJyJL942SGyL4AXy1GjYwrVQzXqACdGG5P
Y6R5omkzPmU+1scQAug3Il8=
=Hhc3
-----END PGP SIGNATURE-----
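Added example, not part of the original message and not John's script: a per-source threshold of 10 failures, as described in the quoted text, run over constructed sshd log lines next to a per-account count of distinct low-rate sources. The second rule, its `min_sources` value, and all log lines and addresses are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def build_sample():
    """Constructed sshd lines (documentation-range addresses, not real data)."""
    tmpl = ("Apr 20 03:{m:02d}:00 host sshd[{p}]: "
            "Failed password for {u} from {ip} port 40000 ssh2")
    lines = []
    # 12 slow sources, 3 failures each, all guessing root
    for n in range(1, 13):
        for k in range(3):
            lines.append(tmpl.format(m=(n + 12 * k) % 60, p=1000 + n,
                                     u="root", ip=f"198.51.100.{n}"))
    # one old-style brute forcer: 12 failures from a single source
    for k in range(12):
        lines.append(tmpl.format(m=k, p=2000, u="invalid user admin",
                                 ip="203.0.113.7"))
    # one user mistyping a password once
    lines.append(tmpl.format(m=30, p=3000, u="alice", ip="192.0.2.10"))
    return lines

def parse(lines):
    """Return (user, source) for every failed-password line."""
    return [m.groups() for m in map(FAILED.search, lines) if m]

def per_source_hits(events, threshold=10):
    """Rule from the quoted text: >= threshold failures from one source."""
    counts = Counter(src for _, src in events)
    return {src for src, c in counts.items() if c >= threshold}

def distributed_targets(events, threshold=10, min_sources=5):
    """Assumed rule: accounts hit by many sources that each stay below threshold."""
    per_source = Counter(src for _, src in events)
    quiet = defaultdict(set)
    for user, src in events:
        if per_source[src] < threshold:
            quiet[user].add(src)
    return {u: len(s) for u, s in quiet.items() if len(s) >= min_sources}

if __name__ == "__main__":
    events = parse(build_sample())
    print("per-source rule:", per_source_hits(events))
    print("cross-source rule:", distributed_targets(events))
```

Accounts that many legitimate hosts log into can trip the cross-source rule, so `min_sources` has to be tuned per environment.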


