Re: [bitfolk] Small issue related to renumbering

Author: Keith Williams
Subject: Re: [bitfolk] Small issue related to renumbering
From: Gerald Davies <gerald.davies@???>
Date: Thu, 10 May 2012 18:17:31 +0100
To: users@???
Subject: Re: [bitfolk] A gentle reminder again about protecting against SSH dictionary attacks


On Thu, May 10, 2012 at 5:23 PM, Andy Smith <andy@???> wrote:
> Hello,
>
> It's been a while since I last posted a reminder about protecting
> against SSH dictionary attacks.
>


Hi all,

I was thinking about this and the PHP exploit that was mentioned yesterday.

I haven't looked into this, so please bear with me... I wondered if it
was possible to pool resources (a honeypot?) and/or knowledge in terms
of intrusion attempts, etc. Are the attacks that I receive (a lot of
dictionary/brute force attempts and proxy scans) part of someone/thing
simply scanning a range of Bitfolk IPs?

Would it not make sense to share this information or is this too much effort?

Cheers, Gerald


From: Andy Smith <andy@???>
Date: Thu, 10 May 2012 17:32:17 +0000
To: users@???
Subject: Re: [bitfolk] A gentle reminder again about protecting against SSH dictionary attacks

Hi Gerald,

On Thu, May 10, 2012 at 06:17:31PM +0100, Gerald Davies wrote:
> Are the attacks that I receive (a lot of dictionary/brute force
> attempts and proxy scans) part of someone/thing simply scanning a
> range of Bitfolk IPs?


They are scanning the entire Internet.

Actually when I do investigations of compromised hosts that have
been engaging in SSH scanning, if I'm lucky enough to find a
.bash_history I often find that the tools used to do the scanning
are quite primitive and only accept IP ranges like:

x.y.z.*
x.y.*

i.e. not CIDR¹ notation. I often find they've done things like

./a 164.238
./a 62.76
./a 192.100

to scan against a few big blocks of addresses.

> Would it not make sense to share this information or is this too much effort?

Would the goal of this be to block abusive hosts before they have
a few tries against your own host?

I can see a few tricky issues around the possibility of a bug,
mistake or hostile user injecting arbitrary IPs into the system
causing everyone to ban those IPs.

I can see how someone with multiple machines might want a site-wide
block list, but I'm not sure it is worth it for use by multiple
different admins. You'd have to put a lot of effort into securing
it. Seems easier to just protect yourself with the more conventional
ways.

Cheers,
Andy

¹ http://en.wikipedia.org/wiki/CIDR#Subnet_masks

-- 
http://bitfolk.com/ -- No-nonsense VPS
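Andy's objection to a shared ban list is that one bug, mistake or hostile feeder could push arbitrary addresses into it and get every subscriber to ban them. The controls such a list would need are illustrated below as an added example; this is not code from the BitFolk list or from any of its members. It assumes a feed of (reporter, address) pairs such as a fail2ban log would produce, publishes an address only when several independent reporters name it, refuses anything inside operator-defined "never ban" networks, and caps how many distinct addresses one reporter can contribute. Every network, reporter name and address in it is constructed (RFC 5737 documentation ranges stand in for real hosts); the threshold and quota values are illustrative.

```python
"""Validation a shared SSH-abuse block list needs before publishing a ban.

Added example, not code from the BitFolk list or its members. Two controls
address the poisoning risk raised in the thread: an address is published only
when MIN_REPORTERS distinct reporters agree on it, and addresses inside
operator-defined "never ban" networks are refused however many reports name
them. All network and reporter names below are constructed.
"""
from collections import defaultdict
import ipaddress

# Networks that must never appear on the published list. Constructed: the
# RFC 5737 range 192.0.2.0/24 stands in for the hosting provider's own
# address space; the rest is unroutable space no real scanner comes from.
NEVER_BAN = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",                                     # "our own hosts" (constructed)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "224.0.0.0/4", "240.0.0.0/4",                        # multicast, reserved
)]

MIN_REPORTERS = 3      # independent hosts that must agree before an address is banned
MAX_PER_REPORTER = 50  # cap per feeder so one buggy or hostile host cannot flood the list


def check_candidate(ip_str):
    """Return (accepted, reason) for one reported address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False, "unparseable"
    if ip.version != 4:
        return False, "not ipv4"   # keep the example to the v4 space the thread discusses
    for net in NEVER_BAN:
        if ip in net:
            return False, "never-ban %s" % net
    return True, "ok"


def build_block_list(reports):
    """reports: iterable of (reporter_id, ip_str) pairs, e.g. parsed from fail2ban logs.

    Returns (banned, rejected): banned is a sorted list of addresses named by at
    least MIN_REPORTERS distinct reporters; rejected maps a reason to the
    (reporter, ip) pairs it excluded, so operators can see who is feeding junk.
    """
    reporters_for = defaultdict(set)   # ip -> reporters naming it
    submitted_by = defaultdict(set)    # reporter -> distinct ips it has submitted
    rejected = defaultdict(list)

    for reporter, ip_str in reports:
        accepted, reason = check_candidate(ip_str)
        if not accepted:
            rejected[reason].append((reporter, ip_str))
            continue
        ip = str(ipaddress.ip_address(ip_str))   # canonical text form
        if ip not in submitted_by[reporter] and len(submitted_by[reporter]) >= MAX_PER_REPORTER:
            rejected["reporter quota"].append((reporter, ip_str))
            continue
        submitted_by[reporter].add(ip)           # repeats from one reporter count once
        reporters_for[ip].add(reporter)

    banned = sorted(ip for ip, who in reporters_for.items() if len(who) >= MIN_REPORTERS)
    return banned, dict(rejected)


# Constructed sample feed. 203.0.113.0/24 and 198.51.100.0/24 (RFC 5737) stand in
# for scanner addresses; 192.0.2.25 is a poisoned report naming one of "our" hosts.
SAMPLE_REPORTS = [
    ("vps-a", "203.0.113.7"), ("vps-b", "203.0.113.7"), ("vps-c", "203.0.113.7"),
    ("vps-a", "203.0.113.7"),                               # same reporter again: counts once
    ("vps-a", "198.51.100.9"), ("vps-a", "198.51.100.9"),   # a single reporter: not enough
    ("vps-b", "192.0.2.25"), ("vps-c", "192.0.2.25"), ("vps-d", "192.0.2.25"),
    ("vps-d", "10.1.2.3"),                                  # private address, cannot be a scanner
    ("vps-d", "not-an-ip"),                                 # malformed line from a buggy feeder
]

if __name__ == "__main__":
    banned, rejected = build_block_list(SAMPLE_REPORTS)
    print("publish:", banned)
    for reason, items in rejected.items():
        print("rejected (%s): %s" % (reason, items))
```

Run on the sample feed, only 203.0.113.7 is published: the single-reporter address falls short of the quorum, the three reports against 192.0.2.25 are refused because the address sits in the operator's never-ban range, and the private address and malformed line are logged against the reporter that sent them. The quorum raises the cost of poisoning from one compromised feeder to several colluding ones; the never-ban list bounds the damage if that still happens.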