On Mon, May 12, 2008 at 2:01 PM, Keith T. Morgan
<keith.morgan_at_terradon.com> wrote:
> I wanted to follow up on this after putting a little more thought into it. Honestly, I'm quite impressed by the intelligence the botnet is exhibiting. Based on the testing I've done, it's clear that the entire botnet is collectively sharing its position in the dictionary on a per-target basis. Fairly slick, IMO.
Agreed.
If you're concerned, start requiring ssh-keys for authentication. If
you use RedHat (or derivatives thereof) and have the pam_succeed_if
PAM module available, you can at the very least make sure that any
non-authorized user accounts (even if they actually exist, and have a
password) can't log in via ssh. Like users who only get email
privileges, or who only have ftp privs to update a website.
Mitigation is the name of the game, since the botnets tend to span
large areas of the IP space, blocking entire networks risks making
your servers/services unusable.
-Tim
Received on May 12 2008
Intro
