Somebody’s botnet came on-line yesterday. Starting at 7:31PM yesterday my servers have been getting hammered with ssh brute force login attacks. As of two minutes ago the number of unique IP addresses that have attempted to hack me is at 398.
I’m not worried, though. First, they are attempting to brute-force the password for an account that does not exist.
Second, I use a fabulous tool called BruteForceBlocker that integrates with syslog to identify failed ssh logins and then uses pf to firewall them off so the offending IP address can’t try again. BruteForceBlocker also reports this bad activity to a central database, where it is pooled and used to extend the block lists on other BruteForceBlocker-enabled servers, preventing known bad hosts from attempting to crack your box in the first place.
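To show the syslog-to-pf loop described above in working form, here is a small added example of my own (not BruteForceBlocker’s code): it parses sshd failure lines, counts attempts per source IP, and emits the pfctl commands that would add offenders to a pf table. The log lines are constructed, and the threshold of 3, the LAN allow-list and the table name bruteforce are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape sshd writes to syslog (not real traffic).
SAMPLE_LOG = """\
Mar 12 19:31:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 19:31:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 12 19:31:09 host sshd[1207]: Failed password for root from 198.51.100.77 port 40001 ssh2
Mar 12 19:31:10 host sshd[1209]: Accepted publickey for alice from 192.0.2.10 port 2222 ssh2
Mar 12 19:31:15 host sshd[1211]: Invalid user oracle from 203.0.113.5 port 51260
Mar 12 19:31:20 host sshd[1213]: Failed password for bob from 10.0.0.8 port 3333 ssh2
Mar 12 19:31:22 host sshd[1215]: Failed password for bob from 10.0.0.8 port 3334 ssh2
Mar 12 19:31:25 host sshd[1217]: Failed password for bob from 10.0.0.8 port 3335 ssh2
"""

# Two message shapes count as a failed login: a rejected password (for a real or
# invalid user) and an "Invalid user" probe, which fails before a password is tried.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (\S+)"
)

def parse_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def offenders(hits, threshold=3, allow=("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")):
    """IPs at or above threshold, skipping the allow-list so a fat-fingered password
    from the LAN cannot lock the admin out. Threshold and allow-list are assumed values."""
    nets = [ipaddress.ip_network(n) for n in allow]
    out = []
    for ip, n in hits.items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in nets):
            out.append(ip)
    return sorted(out)

def pfctl_commands(ips, table="bruteforce"):
    """Commands that add each IP to a pf table. pf.conf must declare the table and
    block traffic from it, e.g. 'table <bruteforce> persist' and
    'block in quick from <bruteforce>'."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]
```

Running `pfctl_commands(offenders(parse_failures(SAMPLE_LOG)))` on the sample yields a single command for 203.0.113.5; the LAN host with three failures is deliberately left alone.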
Between the IPs my server blocked and the most recent sync with the server, the total number of IPs blocked in the last 14 hours is 737. I’ve been spot-checking some of the blocked IPs with nmap, and so far I’m finding most of them to be Linux-based, where I had expected to find at least a few of them to be Conficker-infected WinBlows boxes. That’s a lot of compromised Linux boxes out there…