# distributed lame attempts to bruteforce sshd or what?



## tobe (Oct 5, 2009)

Hi,

For a few days I have had very long logs of auth failures on sshd.
I'm running sshguard to block incoming connections for 24 hours after 2 failures and it was OK until now.
It really looks like a distributed attack, but there's something strange: they are all trying to bruteforce the root account... Really, it doesn't make sense... Or am I missing something: are they trying to fill my log partition (3 Gb free)? To fill my pf table until I run out of memory (2Gb of virgin swap space)? Something else? Or are they just really stupid?

Thanks for your suggestions.


----------
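
The pattern described in the post above, as an added example that is not part of the original thread: it counts failed logins per source address and per targeted account, showing why a per-address threshold blocks almost nothing when many hosts each try once. The log lines, addresses, thresholds and function names are constructed assumptions, and the per-address counter is a simplification, not sshguard's own scoring.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Oct  5 03:12:01 host sshd[4101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct  5 03:12:44 host sshd[4105]: Failed password for root from 198.51.100.7 port 51833 ssh2
Oct  5 03:13:20 host sshd[4109]: Failed password for root from 203.0.113.21 port 38110 ssh2
Oct  5 03:14:02 host sshd[4113]: Failed password for root from 192.0.2.77 port 45990 ssh2
Oct  5 03:14:30 host sshd[4117]: Failed password for invalid user test from 198.51.100.99 port 60001 ssh2
Oct  5 03:14:31 host sshd[4117]: Failed password for invalid user test from 198.51.100.99 port 60001 ssh2
Oct  5 03:14:33 host sshd[4117]: Failed password for invalid user test from 198.51.100.99 port 60001 ssh2
Oct  5 03:15:11 host sshd[4121]: Failed password for root from 203.0.113.50 port 33412 ssh2
Oct  5 03:16:00 host sshd[4125]: Accepted publickey for tobe from 192.0.2.200 port 50022 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def summarize(log_text):
    """Return (failures per source IP, set of source IPs per targeted user)."""
    per_ip = defaultdict(int)
    per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip] += 1
            per_user[user].add(ip)
    return dict(per_ip), dict(per_user)

def per_ip_blocks(per_ip, threshold=2):
    """Sources a simple per-address rule would block (2 failures, as in the post)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

def distributed_targets(per_ip, per_user, min_sources=5, max_per_ip=1):
    """Accounts hit from many sources that each stay at or below max_per_ip failures."""
    out = {}
    for user, ips in per_user.items():
        quiet = {ip for ip in ips if per_ip[ip] <= max_per_ip}
        if len(quiet) >= min_sources:
            out[user] = sorted(quiet)
    return out

if __name__ == "__main__":
    per_ip, per_user = summarize(SAMPLE_LOG)
    print("per-IP rule blocks:", per_ip_blocks(per_ip))
    print("distributed pattern:", distributed_targets(per_ip, per_user))
```

On the constructed sample, the per-address rule blocks only the one noisy host, while the per-account view shows root being tried from five addresses that each stay under the threshold.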



## DutchDaemon (Oct 5, 2009)

"Sloppy Linux Admins Enable Slow Bruteforce Attacks" (says Slashdot)

3. http://bsdly.blogspot.com/2009/10/third-time-uncharmed.html
2. http://bsdly.blogspot.com/2009/04/slow-brute-zombies-are-back.html
1. http://bsdly.blogspot.com/2008/12/low-intensity-distributed-bruteforce.html


----------



## tobe (Oct 5, 2009)

Damn sloppy Linux admins! Don't they receive security report emails from their systems?

Thanks for the links DutchDaemon, I think it's time to enable sshguard's blacklisting feature.


----------



## dennylin93 (Oct 5, 2009)

tobe said:

> Damn sloppy Linux admins! Don't they receive security report emails from their systems?



Perhaps they do, but they don't bother looking at them.


----------

