Security software can not report SSH attacks

Those of you who are unfamiliar with the terminology should take note that port 22 is being used for text-based administration tasks performed from remote locations.

This new type of coordinated attack tries to guess the server root password in three successive attempts from a single compromised computer. After the third unsuccessful login attempt, the compromised host is abandoned, but the attack is subsequently carried from other such zombie computers . The approach is extremely new, as remote attackers have built a large-scale, distributed brute-forcing mechanism that performs the malicious task from numerous IPs.

The first reports about the new wave of attacks came from IT consultant and software developer Nazar Aziz, who noticed suspicious entries in the access logs on some Linux boxes he manages. A closer look into the matter revealed a strange pattern of login attempts clustered in groups of three hits per IP.

The reduced number of brute-force attempts allows hackers to keep a low profile and prevents the security software running on the server to detect it as an intrusion, because most of such pieces of software are set to trigger at larger thresholds. More than that, the same security software could blacklist any login attempts from the suspicious IP, thus rendering the attack useless.

Unlike other attacks, this approach aims at breaking into systems that are protected with weak passwords, rather than exploiting zero-day security vulnerabilities. It seems like the new wave of attacks originates from a bot network of compromised Linux machines, but as of the moment of writing, there are few details about the attackers.

Aziz also wrote a small but efficient script that alerts system administrators about such attacks on their servers. It can be downloaded for free from the following address: http://panthersoftware.com/…automatically-report-all-ssh-brute-force-attacks-to-isps