SSH brute force attacks have been happening for years now. Nothing new there, but over the last couple of days logcheck has been sending me emails nearly every hour with failed SSH login attempts, something I've not had for months and months, especially with fail2ban running.
But I've noticed something "different" about these brute force attacks. There appear to be multiple hosts trying the same user within minutes of each other, and each host only tries a few times, so fail2ban isn't catching any of the attempts. I've only ever seen the users "root" and "mysql" tried, instead of the usual random users that are tried four or more times by the same host.
Has anyone else noticed this? It's almost as if it's a distributed and coordinated brute force attack, designed to get around people running things like fail2ban. I've reported it to SANS Internet Storm Center in case they were interested but I doubt I'll hear anything back.
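The evasion described above works because fail2ban counts failures per source IP, while the attackers spread the attempts for one username across many hosts. Below is an added example (my own code, not from the original post or from the fail2ban project) that runs a fail2ban-style per-IP rule and a per-username, distinct-host rule side by side over a few constructed sshd log lines; the thresholds (maxretry 5 within 10 minutes, 3 distinct hosts within 10 minutes) and the log lines are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd auth log (syslog format), not taken from the original post.
# Each attacking IP only tries once or twice, but "root" and "mysql" are hit from
# three different hosts within a few minutes.
SAMPLE_LOG = """\
Dec 13 09:00:01 box sshd[1201]: Failed password for root from 203.0.113.10 port 51122 ssh2
Dec 13 09:00:03 box sshd[1202]: Failed password for root from 203.0.113.10 port 51123 ssh2
Dec 13 09:01:10 box sshd[1210]: Failed password for root from 198.51.100.7 port 40021 ssh2
Dec 13 09:01:12 box sshd[1211]: Failed password for root from 198.51.100.7 port 40022 ssh2
Dec 13 09:02:30 box sshd[1220]: Failed password for root from 192.0.2.55 port 33001 ssh2
Dec 13 09:03:45 box sshd[1230]: Failed password for invalid user mysql from 192.0.2.56 port 33010 ssh2
Dec 13 09:04:02 box sshd[1231]: Failed password for invalid user mysql from 203.0.113.11 port 51200 ssh2
Dec 13 09:04:50 box sshd[1232]: Failed password for invalid user mysql from 198.51.100.8 port 40100 ssh2
Dec 13 09:05:00 box sshd[1240]: Accepted publickey for alice from 192.0.2.200 port 22222 ssh2
Dec 13 09:30:00 box sshd[1250]: Failed password for invalid user test from 203.0.113.99 port 50001 ssh2
"""

# Matches sshd "Failed password" lines for both valid and invalid users.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, user, ip) for every failed password line.

    Syslog lines carry no year, so one is supplied (assumed 2024 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def per_ip_bans(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP with >= maxretry failures inside findtime.

    Thresholds are assumed values, not read from any fail2ban config."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= findtime) >= maxretry:
                banned.add(ip)
                break
    return banned


def distributed_targets(events, min_hosts=3, window=timedelta(minutes=10)):
    """Per-username rule: flag a user attacked from >= min_hosts distinct IPs
    inside one sliding window, regardless of how few attempts each IP makes."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:] if t - start <= window}
            if len(ips) >= min_hosts:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP bans (maxretry=5):", per_ip_bans(ev) or "none")
    for user, ips in distributed_targets(ev).items():
        print(f"distributed attack on {user!r} from {len(ips)} hosts: {', '.join(ips)}")
```

With the thresholds assumed above the per-IP rule bans nothing, because no single host gets past two attempts, while the per-username rule flags both "root" and "mysql". The sliding window starts at each failure in turn so a burst that straddles a fixed bucket boundary is still caught; the response to a hit is left open, since banning every participating IP is exactly what the attackers are spreading out to avoid, and rate limiting or locking the targeted account is a separate decision.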
Update #1: Donald Smith from SANS ISC got back to me to say I was the second person to report this today.
Update #2: SANS ISC now has a diary entry about this which can be found here. The coordination part now appears to be verified.